From: Alastair K. <kn...@gm...> - 2015-06-27 06:56:24
Hi Phil,

The session cookie path isn't actually a location on the server that the data is saved, nor is it a location on the client to save session information; it is instead an extra piece of information that tells the server which URL subdirectory the session belongs to. Thus the session information is still stored in the default session store on the server, but also has the same piece of information so that it knows it belongs to this session rather than the other. So in actuality, it is no less secure than the current solution (or even the default without the SessionSavePath variable set) and still has the added benefit that it is automatically configured and doesn't need a folder to be created, nor does it need any additional values set in the config file.

My regards,
Alastair Knowles.

On 27/06/15 14:04, Phil Daintree wrote:
> Hi Alastair,
>
> It is not a good plan to have the SessionCookie accessible to all and sundry as it contains private stuff... so setting the path to a place where people could download it is a big "NO NO"
>
> Also, this solution doesn't really give us anything better than what we had.
>
> In config.php we have
>
> //The path to which session files should be stored in the server - useful for some multi-host web servers
> //this can be left commented out
> //$SessionSavePath = '/tmp';
>
> All that is needed is to uncomment this and set it to some private place that the web-server user can read and write but is not visible to the outside world.
>
>
> Phil
>
> Phil Daintree
> Logic Works Ltd - +64 (0)275 567890
> http://www.logicworks.co.nz
>
> On 27/06/15 12:40, Alastair Knowles wrote:
>> Included below are 2 different options.
>> The first is for if you wish to replace $SessionSavePath with my new $SessionCookiePath process (as I have now just dubbed it). The second is if you'd like to keep both the older $SessionSavePath and the newer $SessionCookiePath processes.
>> Because $SessionCookiePath achieves the same end result as $SessionSavePath, I'm of the opinion that it would be a good idea to remove $SessionSavePath to reduce feature duplication.
>>
>> If either of you have a fairly strong preference of one over the other, I can prepare a change.log and submit the diff through to sub...@we.... On the other hand, if it makes it easier for you to play with, I can send both of them through to sub...@we... and you can pick which one you want to push to the svn codebase.
>>
>> Also note that you'll need to delete your current cookies for changes to take effect.
>>
>> ##### Both $SessionCookiePath and $SessionSavePath #####
>>
>> Index: includes/session.inc
>> ===================================================================
>> --- includes/session.inc (revision 7325)
>> +++ includes/session.inc (working copy)
>> @@ -25,6 +25,10 @@
>> session_save_path($SessionSavePath);
>> }
>>
>> +if (!isset($SessionCookiePath)){
>> + $SessionCookiePath=$RootPath;
>> +}
>> +
>> if (!isset($SysAdminEmail)) {
>> $SysAdminEmail='';
>> }
>> @@ -35,6 +39,8 @@
>> set_time_limit($MaximumExecutionTime);
>> ini_set('max_execution_time',$MaximumExecutionTime);
>> }
>> +
>> +session_set_cookie_params( 0, $SessionCookiePath );
>> session_write_close(); //in case a previous session is not closed
>> session_start();
>>
>> ########### Only $SessionCookiePath ###########
>>
>> Index: includes/session.inc
>> ===================================================================
>> --- includes/session.inc (revision 7325)
>> +++ includes/session.inc (working copy)
>> @@ -21,8 +21,8 @@
>> $DBType=$dbType;
>> }
>>
>> -if (isset($SessionSavePath)){
>> - session_save_path($SessionSavePath);
>> +if (!isset($SessionCookiePath)){
>> + $SessionCookiePath=$RootPath;
>> }
>>
>> if (!isset($SysAdminEmail)) {
>> @@ -35,6 +35,8 @@
>> set_time_limit($MaximumExecutionTime);
>> ini_set('max_execution_time',$MaximumExecutionTime);
>> }
>> +
>> +session_set_cookie_params( 0, $SessionCookiePath );
>> session_write_close(); //in case a previous session is not closed
>> session_start();
>>
>> My Regards,
>> Alastair Knowles
>>
>> On 27/06/15 06:45, phil wrote:
>>> Hi Alastair
>>>
>>> If there are just a few lines to your solution which requires no manual editing, then perhaps you would send me the diffs so I could study. As Tim points out it is quite easy to use the config.php sessionssavepath to explicitly set where the server should save the session to. Some documentation as you say might be all we really need
>>>
>>> Alastair <kn...@gm...> wrote:
>>>
>>> Hi Tim,
>>>
>>> I've just looked into this a little deeper and it appears you're referring to $SessionSavePath. After a while of fiddling around with this variable and manually creating folders for each isolated install, I was able to get this to work. Unfortunately this process isn't well documented and requires manual configuration on the server for this to work (not horrible, I'd prefer to keep manual config to a minimum).
>>>
>>> Perhaps, this could be simplified by setting the "Path" value in the session cookies instead. This removes the need to create folders and specify locations in the config file, and it can be easily automated too.
>>>
>>> On a side note, the session.inc script should probably be setting the session cookie name with session_name() as PHPSESSID is very generic and doesn't help with debugging at all.
>>>
>>> My Regards,
>>> Alastair Knowles.
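Review bot: In the first patch's hunk `@@ -25,6 +25,10 @@`, the fallback `$SessionCookiePath=$RootPath;` relies on `$RootPath` already being defined when session.inc runs, and nothing in the hunk checks that. If it is unset, the cookie is issued with an empty path and the browser's own default-path rule, not the install root, decides where the cookie is sent. Suggest guarding the fallback, e.g. `$SessionCookiePath = (!empty($RootPath)) ? $RootPath : '/';`, and documenting in config.php that `$SessionCookiePath`, when set by hand, must be an absolute URL path beginning with `/`.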
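Review bot: In the hunk `@@ -35,6 +39,8 @@`, `session_set_cookie_params( 0, $SessionCookiePath );` passes only the lifetime and path, so the HttpOnly and Secure attributes of the session cookie are left to whatever php.ini says (session.cookie_httponly and session.cookie_secure, both off unless the host changed them). Since the concern raised in this thread is keeping the session cookie private, this call is the place to pin them explicitly, for example `session_set_cookie_params(0, $SessionCookiePath, '', !empty($_SERVER['HTTPS']), true);` (the HTTPS test is a suggested addition, not something the patch provides). The call is correctly placed before `session_start()`. The identical hunk `@@ -35,6 +35,8 @@` in the second patch has the same point.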
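Review bot: In the second patch's hunk `@@ -21,8 +21,8 @@`, dropping `if (isset($SessionSavePath)){ session_save_path($SessionSavePath); }` silently disables a config.php option that existing installs may already rely on, and the two settings are not interchangeable: the cookie Path only tells the browser which URL prefix a cookie belongs to, while `session_save_path()` decides where the session data lives on the server and which installs on the host share that store. Path scoping therefore cannot replace a private save path for isolating session data between installs. Suggest keeping the save-path branch (as the first patch does) and, if `$SessionSavePath` is to be retired, doing it with a change.log entry and a warning when it is still set rather than ignoring it.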
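To make the cookie-path argument above concrete, here is an added example (Python, not code from webERP or from anyone in this thread) that models the RFC 6265 path-match rule a browser applies when several installs on one host each issue a PHPSESSID cookie scoped to their own $RootPath, as the proposed $SessionCookiePath change would do. The install paths (/erp, /erp_test) and cookie values are constructed for the demonstration; the third cookie stands in for an install that keeps PHP's default session.cookie_path of "/".

```python
"""Which session cookie does the browser send to which install?

Added example, not webERP code: a Python model of the RFC 6265 path-match
rule applied to several installs on one host. Install paths and cookie
values are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str   # the Path attribute the server sent with Set-Cookie


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match.

    The cookie is sent when the request path equals the cookie path, or
    starts with it and either the cookie path ends in '/' or the next
    character of the request path is '/'. That last clause is why a cookie
    scoped to '/erp' is not sent to '/erp_test/...'.
    """
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def cookies_sent(jar, request_path):
    """Cookies the browser attaches to a request, in Cookie-header order:
    RFC 6265 section 5.4 lists longer paths before shorter ones."""
    matched = [c for c in jar if path_matches(request_path, c.path)]
    return sorted(matched, key=lambda c: -len(c.path))


# Constructed scenario: two installs scoped to their $RootPath, plus one
# install at the document root whose cookie carries PHP's default path '/'.
JAR = [
    Cookie("PHPSESSID", "sess-live", "/erp"),
    Cookie("PHPSESSID", "sess-test", "/erp_test"),
    Cookie("PHPSESSID", "sess-root", "/"),
]


def sessions_for(request_path, jar=JAR):
    """Session ids the server receives for a request, header order preserved."""
    return [c.value for c in cookies_sent(jar, request_path)]


if __name__ == "__main__":
    for p in ("/erp/index.php", "/erp_test/index.php", "/other/index.php"):
        print(p, "->", sessions_for(p))
```

The two path-scoped installs stay apart, including the near-miss between `/erp` and `/erp_test`, which only works because the rule demands a `/` after the cookie path. The root install's cookie, however, rides along on every request, so `/erp/index.php` receives two cookies both named PHPSESSID and the server cannot tell them apart by name; that is exactly the situation a per-install `session_name()`, as suggested earlier in the thread, is meant to avoid. It also shows why Path is a routing hint for the browser and not a protection: the server still has to keep the session data somewhere private.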
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web...@li...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers