From: Alastair <kn...@gm...> - 2015-06-28 00:51:58
Any thoughts as to which variant may be preferred?

On June 27, 2015 8:45:25 PM GMT+10:00, Phil Daintree <ph...@lo...> wrote:
>Ah OK.
>
>Phil
>
>Phil Daintree
>Logic Works Ltd - +64 (0)275 567890
>http://www.logicworks.co.nz
>
>On 27/06/15 18:57, Alastair Knowles wrote:
>> Hi Phil,
>>
>> The session cookie path isn't actually a location on the server where the
>> data is saved, nor is it a location on the client to save session
>> information; it is instead an extra piece of information that tells the
>> server which URL subdirectory the session belongs to. Thus the session
>> information is still stored in the default session store on the server,
>> but also has the same piece of information so that it knows it belongs
>> to this session rather than the other. So in actuality, it is no less
>> secure than the current solution (or even the default without the
>> SessionSavePath variable set) and still has the added benefit that it is
>> automatically configured and doesn't need a folder to be created, nor
>> does it need any additional values set in the config file.
>>
>> My regards,
>> Alastair Knowles.
>>
>> On 27/06/15 14:04, Phil Daintree wrote:
>>> Hi Alistair,
>>>
>>> It is not a good plan to have the SessionCookie accessible to all and
>>> sundry as it contains private stuff... so setting the path to a place
>>> where people could download it is a big "NO NO".
>>>
>>> Also, this solution doesn't really give us anything better than what we had.
>>>
>>> In config.php we have
>>>
>>> //The path to which session files should be stored in the server - useful for some multi-host web servers
>>> //this can be left commented out
>>> //$SessionSavePath = '/tmp';
>>>
>>> All that is needed is to uncomment this and set it to some private place
>>> that the web-server user can read and write but is not visible to the
>>> outside world.
>>>
>>> Phil
>>>
>>> Phil Daintree
>>> Logic Works Ltd - +64 (0)275 567890
>>> http://www.logicworks.co.nz
>>>
>>> On 27/06/15 12:40, Alastair Knowles wrote:
>>>> Included below are 2 different options.
>>>> The first is for if you wish to replace $SessionSavePath with my new
>>>> $SessionCookiePath process (as I have now just dubbed it). The second is
>>>> if you'd like to keep both the older $SessionSavePath and the newer
>>>> $SessionCookiePath processes. Because $SessionCookiePath achieves the
>>>> same end result as $SessionSavePath, I'm of the opinion that it would be
>>>> a good idea to remove $SessionSavePath to reduce feature duplication.
>>>>
>>>> If either of you have a fairly strong preference of one over the other,
>>>> I can prepare a change.log and submit the diff through to
>>>> sub...@we.... On the other hand, if it makes it easier for you
>>>> to play with, I can send both of them through to sub...@we...
>>>> and you can pick which one you want to push to the svn codebase.
>>>>
>>>> Also note that you'll need to delete your current cookies for changes to
>>>> take effect.
>>>>
>>>> ##### Both $SessionCookiePath and $SessionSavePath #####
>>>>
>>>> Index: includes/session.inc
>>>> ===================================================================
>>>> --- includes/session.inc (revision 7325)
>>>> +++ includes/session.inc (working copy)
>>>> @@ -25,6 +25,10 @@
>>>> session_save_path($SessionSavePath);
>>>> }
>>>>
>>>> +if (!isset($SessionCookiePath)){
>>>> + $SessionCookiePath=$RootPath;
>>>> +}
>>>> +
>>>> if (!isset($SysAdminEmail)) {
>>>> $SysAdminEmail='';
>>>> }
>>>> @@ -35,6 +39,8 @@
>>>> set_time_limit($MaximumExecutionTime);
>>>> ini_set('max_execution_time',$MaximumExecutionTime);
>>>> }
>>>> +
>>>> +session_set_cookie_params( 0, $SessionCookiePath );
>>>> session_write_close(); //in case a previous session is not closed
>>>> session_start();
>>>>
>>>> ########### Only $SessionCookiePath ###########
>>>>
>>>> Index: includes/session.inc
>>>> ===================================================================
>>>> --- includes/session.inc (revision 7325)
>>>> +++ includes/session.inc (working copy)
>>>> @@ -21,8 +21,8 @@
>>>> $DBType=$dbType;
>>>> }
>>>>
>>>> -if (isset($SessionSavePath)){
>>>> - session_save_path($SessionSavePath);
>>>> +if (!isset($SessionCookiePath)){
>>>> + $SessionCookiePath=$RootPath;
>>>> }
>>>>
>>>> if (!isset($SysAdminEmail)) {
>>>> @@ -35,6 +35,8 @@
>>>> set_time_limit($MaximumExecutionTime);
>>>> ini_set('max_execution_time',$MaximumExecutionTime);
>>>> }
>>>> +
>>>> +session_set_cookie_params( 0, $SessionCookiePath );
>>>> session_write_close(); //in case a previous session is not closed
>>>> session_start();
>>>>
>>>> My Regards,
>>>> Alastair Knowles
>>>>
>>>> On 27/06/15 06:45, phil wrote:
>>>>> Hi Alistair,
>>>>> If there are just a few lines to your solution which require no
>>>>> manual editing, then perhaps you would send me the diffs so I could
>>>>> study them. As Tim points out it is quite easy to use the config.php
>>>>> $SessionSavePath to explicitly set where the server should save the
>>>>> session to. Some documentation, as you say, might be all we really need.
>>>>>
>>>>> Alastair <kn...@gm...> wrote:
>>>>>
>>>>> Hi Tim,
>>>>>
>>>>> I've just looked into this a little deeper and it appears you're
>>>>> referring to $SessionSavePath. After a while of fiddling around with
>>>>> this variable and manually creating folders for each isolated install,
>>>>> I was able to get this to work. Unfortunately this process isn't well
>>>>> documented and requires manual configuration on the server for this to
>>>>> work (not horrible, but I'd prefer to keep manual config to a minimum).
>>>>>
>>>>> Perhaps this could be simplified by setting the "Path" value in the
>>>>> session cookies instead. This removes the need to create folders and
>>>>> specify locations in the config file, and it can be easily automated too.
>>>>>
>>>>> On a side note, the session.inc script should probably be setting the
>>>>> session cookie name with session_name() as PHPSESSID is very generic
>>>>> and doesn't help with debugging at all.
>>>>>
>>>>> My Regards,
>>>>> Alastair Knowles.
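
Review bot: `$SessionCookiePath=$RootPath;` in the `@@ -25,6 +25,10 @@` hunk (and the same two added lines in the `@@ -21,8 +21,8 @@` hunk of the "Only $SessionCookiePath" variant) assumes $RootPath is already defined and non-empty when session.inc reaches this point, and nothing in the hunk checks it. If the value is empty, PHP leaves the Path attribute off the Set-Cookie header and the browser scopes the cookie to the directory of the requesting URL, so the session would stop being shared across the install's subdirectories. Suggest guarding the fallback, e.g. `if (empty($SessionCookiePath)) { $SessionCookiePath = empty($RootPath) ? '/' : $RootPath; }`, which at worst reproduces today's shared cookie rather than an unexpected per-directory one, and, since the setting was read earlier in the thread as a filesystem location, a config.php comment stating that this is the URL path of the install that the browser matches against, not a directory on the server.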
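
Review bot: `session_set_cookie_params( 0, $SessionCookiePath );` in the `@@ -35,6 +39,8 @@` hunk (identical in the `@@ -35,6 +35,8 @@` hunk of the other variant) sets only lifetime and path, so domain, secure and httponly stay at whatever php.ini supplies, and this cookie carries the session id. Suggest passing them explicitly, e.g. `session_set_cookie_params(0, $SessionCookiePath, '', $IsHttps, true);` with `$IsHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';`, so HttpOnly is always set and Secure follows the transport. The placement before session_start() is correct; a one-line comment that the call has no effect after it would help the next editor, and this is the natural place for the session_name() change raised earlier in the thread, since a path-scoped cookie still named PHPSESSID leaves the browser holding several same-named cookies for one host.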
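
Review bot: the two `-` lines in the `@@ -21,8 +21,8 @@` hunk remove the only place $SessionSavePath is honoured, so installs whose config.php already sets it silently fall back to php.ini's session.save_path after upgrade; at minimum this needs a change.log entry and the config.php comment updated. The "feature duplication" rationale for this hunk also does not hold: a cookie Path only tells the browser which requests to attach the cookie to, while session_save_path decides which server-side store a presented session id is looked up in. Two installs on one host sharing a save path will still resolve each other's session ids for any client that sends them, so the "Both" variant, which keeps `session_save_path($SessionSavePath);`, is the one to merge.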
>>>> _______________________________________________
>>>> Web-erp-developers mailing list
>>>> Web...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
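
Added example, not code from this thread or from webERP: one PHP helper that applies both settings the thread compares, so that the cookie Path and a per-install cookie name scope what the browser sends, while session_save_path() keeps each install's session store separate on the server and, as Phil asks, outside the document root; Secure and HttpOnly are passed explicitly, which the quoted patch leaves to php.ini. The function name weberp_configure_session, its parameters and the usage paths are assumptions for the example; how the real $RootPath is computed is not shown in the thread.

```php
<?php
/*
 * Added example: isolate the PHP session of one web application install
 * from other installs on the same virtual host. Not webERP code; the
 * function name, parameters and paths are assumptions for this example.
 *
 * Two mechanisms work together:
 *  - cookie Path + a per-install cookie name: the browser only attaches
 *    this cookie to requests under $rootPath (client-side scoping only,
 *    any client can still send any id to any path);
 *  - session_save_path(): this install looks up session ids in its own
 *    directory, so an id minted by another install is unknown here
 *    (server-side isolation).
 */
function weberp_configure_session($rootPath, $savePath, $isHttps)
{
    // Cookie Path must be a URL path, not a filesystem path. An empty
    // value would make PHP omit the Path attribute, and the browser would
    // then scope the cookie to the directory of the requesting URL.
    $rootPath = '/' . trim((string)$rootPath, '/');

    // A name derived from the install path replaces the generic PHPSESSID,
    // so two installs never hand the browser two cookies of the same name.
    $cookieName = 'SESS' . substr(hash('sha256', $rootPath), 0, 12);

    if ($savePath !== null) {
        // Server-side store: one private directory per install, readable
        // and writable only by the web server user.
        if (!is_dir($savePath) && !@mkdir($savePath, 0700, true)) {
            throw new RuntimeException("cannot create session dir $savePath");
        }
        if (!is_writable($savePath)) {
            throw new RuntimeException("session dir $savePath is not writable");
        }
        // Refuse a directory that the web server would also serve as files.
        $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
        $real = realpath($savePath);
        if ($docRoot !== false && $real !== false
            && strpos($real . DIRECTORY_SEPARATOR, $docRoot . DIRECTORY_SEPARATOR) === 0) {
            throw new RuntimeException("session dir $savePath is inside the document root");
        }
        session_save_path($savePath);
    }

    session_name($cookieName);
    // lifetime 0 = browser session; domain '' = current host only;
    // Secure only when served over TLS; HttpOnly so scripts cannot read the id.
    session_set_cookie_params(0, $rootPath, '', (bool)$isHttps, true);
    // Only accept the id from the cookie, never from the query string.
    ini_set('session.use_only_cookies', '1');

    return array(
        'name'      => $cookieName,
        'path'      => $rootPath,
        'save_path' => $savePath,
    );
}

// Usage, before session_start() in the application's session bootstrap
// (paths are example values):
// $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
// weberp_configure_session('/weberp', '/var/lib/php/sessions/weberp', $https);
// session_start();
```

The helper must run before session_start(); session_name() and session_set_cookie_params() have no effect once a session is active. Passing null as $savePath keeps php.ini's session.save_path, which is what the quoted "Only $SessionCookiePath" variant would leave you with.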