From: Phil D. <ph...@lo...> - 2015-06-27 10:47:00
Ah OK.

Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz

On 27/06/15 18:57, Alastair Knowles wrote:
> Hi Phil,
>
> The session cookie path isn't actually a location on the server where the
> data is saved, nor is it a location on the client to save session
> information; it is instead an extra piece of information that tells the
> server which URL subdirectory the session belongs to. Thus the session
> information is still stored in the default session store on the server,
> but also has the same piece of information so that it knows it belongs
> to this session rather than the other. So in actuality, it is no less
> secure than the current solution (or even the default without the
> SessionSavePath variable set) and still has the added benefit that it is
> automatically configured and doesn't need a folder to be created, nor
> does it need any additional values set in the config file.
>
> My regards,
> Alastair Knowles.
>
> On 27/06/15 14:04, Phil Daintree wrote:
>> Hi Alastair,
>>
>> It is not a good plan to have the SessionCookie accessible to all and
>> sundry as it contains private stuff... so setting the path to a place
>> where people could download it is a big "NO NO"
>>
>> Also, this solution doesn't really give us anything better than what we had.
>>
>> In config.php we have
>>
>> //The path to which session files should be stored in the server -
>> useful for some multi-host web servers
>> //this can be left commented out
>> //$SessionSavePath = '/tmp';
>>
>> All that is needed is to uncomment this and set it to some private place
>> that the web-server user can read and write but is not visible to the
>> outside world.
>>
>>
>> Phil
>>
>> Phil Daintree
>> Logic Works Ltd - +64 (0)275 567890
>> http://www.logicworks.co.nz
>>
>> On 27/06/15 12:40, Alastair Knowles wrote:
>>> Included below are 2 different options.
>>> The first is for if you wish to replace $SessionSavePath with my new >>> $SessionCookiePath process (as I have now just dubbed it). The second is >>> if you'd like to keep both the older $SessionSavePath and the newer >>> $SessionCookiePath processes. Because $SessionCookiePath achieves the >>> same end result as $SessionSavePath, I'm of the opinion that it would be >>> a good idea to remove $SessionSavePath to reduce feature duplication. >>> >>> If either of you have a fairly strong preference of one over the other, >>> I can prepare a change.log and submit the diff through to >>> sub...@we.... On the other hand, if it makes it easier for you >>> to play with, I can send both of them through to sub...@we... >>> and you can pick which one you want to push to the svn codebase. >>> >>> Also note that you'll need to delete your current cookies for changes to >>> take effect. >>> >>> ##### Both $SessionCookiePath and $SessionSavePath ##### >>> >>> Index: includes/session.inc >>> =================================================================== >>> --- includes/session.inc (revision 7325) >>> +++ includes/session.inc (working copy) >>> @@ -25,6 +25,10 @@ >>> session_save_path($SessionSavePath); >>> } >>> >>> +if (!isset($SessionCookiePath)){ >>> + $SessionCookiePath=$RootPath; >>> +} >>> + >>> if (!isset($SysAdminEmail)) { >>> $SysAdminEmail=''; >>> } >>> @@ -35,6 +39,8 @@ >>> set_time_limit($MaximumExecutionTime); >>> ini_set('max_execution_time',$MaximumExecutionTime); >>> } >>> + >>> +session_set_cookie_params( 0, $SessionCookiePath ); >>> session_write_close(); //in case a previous session is not closed >>> session_start(); >>> >>> ########### Only $SessionCookiePath ########### >>> >>> Index: includes/session.inc >>> =================================================================== >>> --- includes/session.inc (revision 7325) >>> +++ includes/session.inc (working copy) 
>>> @@ -21,8 +21,8 @@ >>> $DBType=$dbType; >>> } >>> >>> -if (isset($SessionSavePath)){ >>> - session_save_path($SessionSavePath); >>> +if (!isset($SessionCookiePath)){ >>> + $SessionCookiePath=$RootPath; >>> } >>> >>> if (!isset($SysAdminEmail)) { 
>>> @@ -35,6 +35,8 @@ >>> set_time_limit($MaximumExecutionTime); >>> ini_set('max_execution_time',$MaximumExecutionTime); >>> } >>> + >>> +session_set_cookie_params( 0, $SessionCookiePath ); >>> session_write_close(); //in case a previous session is not closed >>> session_start(); >>>
>>> My Regards,
>>> Alastair Knowles
>>>
>>> On 27/06/15 06:45, phil wrote:
>>>> Hi Alastair
>>>> If there are just a few lines to your solution which requires no
>>>> manual editing, then perhaps you would send me the diffs so I could
>>>> study. As Tim points out it is quite easy to use the config.php
>>>> sessionssavepath to explicitly set where the server should save the
>>>> session to. Some documentation as you say might be all we really need
>>>>
>>>> Alastair <kn...@gm...> wrote:
>>>>
>>>> Hi Tim,
>>>>
>>>> I've just looked into this a little deeper and it appears you're
>>>> referring to $SessionSavePath. After a while of fiddling around with
>>>> this variable and manually creating folders for each isolated install,
>>>> I was able to get this to work. Unfortunately this process isn't well
>>>> documented and requires manual configuration on the server for this to
>>>> work (not horrible, I'd prefer to keep manual config to a minimum).
>>>>
>>>> Perhaps this could be simplified by setting the "Path" value in the
>>>> session cookies instead. This removes the need to create folders and
>>>> specify locations in the config file, and it can be easily automated too.
>>>>
>>>> On a side note, the session.inc script should probably be setting the
>>>> session cookie name with session_name() as PHPSESSID is very generic
>>>> and doesn't help with debugging at all.
>>>>
>>>> My Regards,
>>>> Alastair Knowles.
>>> ------------------------------------------------------------------------------
>>> Monitor 25 network devices or servers for free with OpManager!
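Review bot: in the `@@ -25,6 +25,10 @@` hunk (and the matching `@@ -21,8 +21,8 @@` hunk of the "Only $SessionCookiePath" variant) the default `$SessionCookiePath=$RootPath;` relies on $RootPath already being set at that point in session.inc, which the context lines do not show; please confirm it is defined before line 25 and comes from configuration rather than from the incoming request, otherwise two installs on the same host can end up with the same cookie path and the per-install separation this is meant to give disappears. The second variant also removes `session_save_path($SessionSavePath);` outright, so any site that has $SessionSavePath set in config.php silently falls back to the default session store after upgrading; that should be called out in the change.log as a breaking change, or the old setting kept alongside the new one as the first variant does.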
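Review bot: `session_set_cookie_params( 0, $SessionCookiePath );` in the `@@ -35,6 +39,8 @@` / `@@ -35,6 +35,8 @@` hunks sets only the lifetime and path and leaves the domain, secure and httponly arguments at PHP's ini defaults; since the call is being introduced here anyway, pass them explicitly, e.g. `session_set_cookie_params(0, $SessionCookiePath, '', $UsingHttps, true);` where $UsingHttps (a placeholder name, not in the patch) is true when the site is served over HTTPS, so the session cookie is neither readable from script nor sent over plain HTTP. Worth stating in the change.log as well: the Path attribute only decides which requests the browser attaches the cookie to; it is not a security boundary between two installs on the same host, and both installs still share one server-side session store, so where real separation is wanted $SessionSavePath (or at least a distinct session_name() per install, as suggested earlier in the thread) is still needed.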
>>> OpManager is web-based network management software that monitors
>>> network devices and physical & virtual servers, alerts via email & sms
>>> for fault. Monitor 25 devices for free with no restriction. Download now
>>> http://ad.doubleclick.net/ddm/clk/292181274;119417398;o
>>> _______________________________________________
>>> Web-erp-developers mailing list
>>> Web...@li...
>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers