From: Phil D. <ph...@lo...> - 2015-06-27 04:06:00
Hi Alastair,

It is not a good plan to have the SessionCookie accessible to all and sundry as it contains private stuff... so setting the path to a place where people could download it is a big "NO NO".

Also, this solution doesn't really give us anything better than what we had. In config.php we have

//The path to which session files should be stored in the server - useful for some multi-host web servers
//this can be left commented out
//$SessionSavePath = '/tmp';

All that is needed is to uncomment this and set it to some private place that the web-server user can read and write but is not visible to the outside world.

Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz

On 27/06/15 12:40, Alastair Knowles wrote:
> Included below are 2 different options.
> The first is for if you wish to replace $SessionSavePath with my new
> $SessionCookiePath process (as I have now just dubbed it). The second is
> if you'd like to keep both the older $SessionSavePath and the newer
> $SessionCookiePath processes. Because $SessionCookiePath achieves the
> same end result as $SessionSavePath, I'm of the opinion that it would be
> a good idea to remove $SessionSavePath to reduce feature duplication.
>
> If either of you have a fairly strong preference of one over the other,
> I can prepare a change.log and submit the diff through to
> sub...@we.... On the other hand, if it makes it easier for you
> to play with, I can send both of them through to sub...@we...
> and you can pick which one you want to push to the svn codebase.
>
> Also note that you'll need to delete your current cookies for changes to
> take effect.
>
> ##### Both $SessionCookiePath and $SessionSavePath #####
>
> Index: includes/session.inc > =================================================================== > --- includes/session.inc (revision 7325) > +++ includes/session.inc (working copy) 
> @@ -25,6 +25,10 @@ > session_save_path($SessionSavePath); > } > > +if (!isset($SessionCookiePath)){ > + $SessionCookiePath=$RootPath; > +} > + > if (!isset($SysAdminEmail)) { > $SysAdminEmail=''; > } > @@ -35,6 +39,8 @@ > set_time_limit($MaximumExecutionTime); > ini_set('max_execution_time',$MaximumExecutionTime); > } > + > +session_set_cookie_params( 0, $SessionCookiePath ); > session_write_close(); //in case a previous session is not closed > session_start(); > > ########### Only $SessionCookiePath ########### > > Index: includes/session.inc > =================================================================== > --- includes/session.inc (revision 7325) > +++ includes/session.inc (working copy) > @@ -21,8 +21,8 @@ > $DBType=$dbType; > } > > -if (isset($SessionSavePath)){ > - session_save_path($SessionSavePath); > +if (!isset($SessionCookiePath)){ > + $SessionCookiePath=$RootPath; > } > > if (!isset($SysAdminEmail)) { 
> @@ -35,6 +35,8 @@ > set_time_limit($MaximumExecutionTime); > ini_set('max_execution_time',$MaximumExecutionTime); > } > + > +session_set_cookie_params( 0, $SessionCookiePath ); > session_write_close(); //in case a previous session is not closed > session_start(); >
> My Regards,
> Alastair Knowles
>
> On 27/06/15 06:45, phil wrote:
>> Hi Alastair
>> If there are just a few lines to your solution which requires no
>> manual editing, then perhaps you would send me the diffs so I could
>> study. As Tim points out it is quite easy to use the config.php
>> sessionssavepath to explicitly set where the server should save the
>> session to. Some documentation as you say might be all we really need
>>
>> Alastair <kn...@gm...> wrote:
>>
>> Hi Tim,
>>
>> I've just looked into this a little deeper and it appears you're
>> referring to $SessionSavePath. After a while of fiddling around with
>> this variable and manually creating folders for each isolated install,
>> I was able to get this to work. Unfortunately this process isn't well
>> documented and requires manual configuration on the server for this to
>> work (not horrible, I'd prefer to keep manual config to a minimum).
>>
>> Perhaps, this could be simplified by setting the "Path" value in the
>> session cookies instead. This removes the need to create folders and
>> specify locations in the config file, and it can be easily automated too.
>>
>> On a side note, the session.inc script should probably be setting the
>> session cookie name with session_name() as PHPSESSID is very generic
>> and doesn't help with debugging at all.
>>
>> My Regards,
>> Alastair Knowles.
>
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
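
Review bot: in the `@@ -25,6 +25,10 @@` hunk of the first option (and the matching lines of the second option), the default `$SessionCookiePath=$RootPath;` is used unchecked, and nothing in the visible lines shows where `$RootPath` is set or in what form. If it is empty or lacks a leading slash, the cookie Path may not be the install directory and the intended per-install scoping is lost. Suggest normalising the value (leading and trailing "/", falling back to "/") before assigning it, and adding a commented-out `$SessionCookiePath` entry with a description to config.php in the way `$SessionSavePath` already has one.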
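
Review bot: in the `@@ -35,6 +39,8 @@` hunk, `session_set_cookie_params( 0, $SessionCookiePath );` passes only the lifetime and path, so the domain, secure and httponly arguments stay at whatever php.ini provides. As this call becomes the one place where session.inc configures the session cookie, consider passing secure and httponly explicitly here. The same line appears in the `@@ -35,6 +35,8 @@` hunk of the second option, so the change applies to both.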
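
Review bot: the `@@ -21,8 +21,8 @@` hunk of the second option deletes the `if (isset($SessionSavePath)){` / `session_save_path($SessionSavePath);` block, so an install that already sets `$SessionSavePath` in config.php would have that setting silently ignored and its session files would go back to PHP's default save path. The cookie Path decides which requests the browser attaches the cookie to, not where the server stores session data, so the two settings are not interchangeable. Suggest keeping the `session_save_path()` block as the first option does, or at least emitting a warning when `$SessionSavePath` is set but no longer honoured.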
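
The two mechanisms discussed in this thread (a private session save path, and a per-install cookie Path and session name) can be combined, as in this added example, which is not webERP code and not from either poster. `$RootPath` and `$SessionSavePath` are the config names used above; the function names are hypothetical and a POSIX host is assumed.

```php
<?php
// Added example, not webERP code. $RootPath and $SessionSavePath are the
// config.php names from the thread; the function names are hypothetical.
// Assumes a POSIX host, where fileperms() mode bits are meaningful.

// Turn an install's URL path into a cookie Path: "" -> "/", "erp/a" -> "/erp/a/".
function cookie_path_for($rootPath) {
    $trimmed = trim((string) $rootPath, "/ \t\r\n");
    return $trimmed === '' ? '/' : '/' . $trimmed . '/';
}

// Return null if $dir is a usable private session directory, else the reason.
function save_path_problem($dir, $docRoot) {
    $real = realpath($dir);
    if ($real === false || !is_dir($real) || !is_writable($real)) {
        return 'not a writable directory';
    }
    $root = $docRoot !== '' ? realpath($docRoot) : false;
    if ($root !== false && strpos($real . '/', rtrim($root, '/') . '/') === 0) {
        return 'inside the document root';
    }
    if ((fileperms($real) & 0007) !== 0) {
        return 'accessible to other local users';
    }
    return null;
}

function start_install_session($RootPath, $SessionSavePath) {
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '';
    $problem = save_path_problem($SessionSavePath, $docRoot);
    if ($problem !== null) {
        throw new RuntimeException("SessionSavePath rejected: $problem");
    }
    session_save_path($SessionSavePath);

    $path = cookie_path_for($RootPath);
    // A per-install name instead of the generic PHPSESSID (letters and digits only).
    session_name('SESS' . substr(sha1($path), 0, 8));
    // Send the cookie over HTTPS only when the request itself used HTTPS.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, $path, '', $https, true); // httponly = true
    session_start();
}
```

On a typical host where /tmp is world-writable, the commented-out '/tmp' value from config.php fails the permission check here, which is the situation a dedicated private directory avoids.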