From: Phil D. <ph...@lo...> - 2015-06-28 01:10:01
I am not persuaded we need to change anything, sorry Alistair.

I will add some words to the manual about it so it is easier for others following to use the functionality we already have.

/*The path to which session files should be stored in the server - useful for some multi-host web servers where pages are serviced using load balancing servers - when the load picks a different server then the session can be lost unless this option is used - which tells the server explicitly where to find the session file.
It is also useful where there are several webERP installs where the code is in two different paths on the same server and being used by the same client browser. It is possible in this scenario for the session to be over-written by the two different webERP installations. The solution is to specify different $SessionSavePath in each installation's config.php
If there is only one installation of webERP on the web-server - which can be used with many company databases (and there are no load balancing difficulties to circumvent) then this can be left commented out
*/

Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz

On 28/06/15 12:51, Alastair wrote:
> Any thoughts as to which variant may be preferred?
>
> On June 27, 2015 8:45:25 PM GMT+10:00, Phil Daintree <ph...@lo...> wrote:
>> Ah OK.
>>
>> Phil
>>
>> Phil Daintree
>> Logic Works Ltd - +64 (0)275 567890
>> http://www.logicworks.co.nz
>>
>> On 27/06/15 18:57, Alastair Knowles wrote:
>>> Hi Phil,
>>>
>>> The session cookie path isn't actually a location on the server that the data is saved, nor is it a location on the client to save session information, it is instead an extra piece of information that tells the server which URL subdirectory the session belongs to. Thus the session information is still stored in the default session store on the server, but also has the same piece of information so that it knows it belongs to this session rather than the other. So in actuality, it is no less secure than the current solution (or even the default without the SessionSavePath variable set) and still has the added benefit that it is automatically configured and doesn't need a folder to be created, nor does it need any additional values set in the config file.
>>>
>>> My regards,
>>> Alastair Knowles.
>>>
>>> On 27/06/15 14:04, Phil Daintree wrote:
>>>> Hi Alistair,
>>>>
>>>> It is not a good plan to have the SessionCookie accessible to all and sundry as it contains private stuff... so setting the path to a place where people could download it is a big "NO NO"
>>>>
>>>> Also, this solution doesn't really give us anything better than what we had. In config.php we have
>>>>
>>>> //The path to which session files should be stored in the server - useful for some multi-host web servers
>>>> //this can be left commented out
>>>> //$SessionSavePath = '/tmp';
>>>>
>>>> All that is needed is to uncomment this and set it to some private place that the web-server user can read and write but is not visible to the outside world.
>>>>
>>>> Phil
>>>>
>>>> Phil Daintree
>>>> Logic Works Ltd - +64 (0)275 567890
>>>> http://www.logicworks.co.nz
>>>>
>>>> On 27/06/15 12:40, Alastair Knowles wrote:
>>>>> Included below are 2 different options. The first is for if you wish to replace $SessionSavePath with my new $SessionCookiePath process (as I have now just dubbed it). The second is if you'd like to keep both the older $SessionSavePath and the newer $SessionCookiePath processes.
>>>>>
>>>>> Because $SessionCookiePath achieves the same end result as $SessionSavePath, I'm of the opinion that it would be a good idea to remove $SessionSavePath to reduce feature duplication. If either of you have a fairly strong preference of one over the other, I can prepare a change.log and submit the diff through to sub...@we.... On the other hand, if it makes it easier for you to play with, I can send both of them through to sub...@we... and you can pick which one you want to push to the svn codebase.
> Also note that you'll need to delete your current > cookies for changes to take effect. ##### Both > $SessionCookiePath and $SessionSavePath ##### Index: > includes/session.inc > ------------------------------------------------------------------------ > --- includes/session.inc (revision 7325) +++ > includes/session.inc (working copy) @@ -25,6 +25,10 @@ > session_save_path($SessionSavePath); } +if > (!isset($SessionCookiePath)){ + > $SessionCookiePath=$RootPath; +} + if > (!isset($SysAdminEmail)) { $SysAdminEmail=''; } @@ > -35,6 +39,8 @@ set_time_limit($MaximumExecutionTime); > ini_set('max_execution_time',$MaximumExecutionTime); } > + +session_set_cookie_params( 0, $SessionCookiePath ); > session_write_close(); //in case a previous session is > not closed session_start(); ########### Only > $SessionCookiePath ########### Index: > includes/session.inc > ------------------------------------------------------------------------ > --- includes/session.inc (revision 7325) +++ > includes/session.inc (working copy) @@ -21,8 +21,8 @@ > $DBType=$dbType; } -if (isset($SessionSavePath)){ - > session_save_path($SessionSavePath); +if > (!isset($SessionCookiePath)){ + > $SessionCookiePath=$RootPath; } if > (!isset($SysAdminEmail)) { 
@@ -35,6 +35,8 @@ > set_time_limit($MaximumExecutionTime); > ini_set('max_execution_time',$MaximumExecutionTime); } > + +session_set_cookie_params( 0, $SessionCookiePath ); > session_write_close(); //in case a previous session is > not closed session_start();
>>>>>
>>>>> My Regards,
>>>>> Alastair Knowles
>>>>>
>>>>> On 27/06/15 06:45, phil wrote:
>>>>>> Hi Alistair
>>>>>>
>>>>>> If there are just a few lines to your solution which requires no manual editing, then perhaps you would send me the diffs so I could study.
>>>>>>
>>>>>> As Tim points out it is quite easy to use the config.php sessionssavepath to explicitly set where the server should save the session to. Some documentation as you say might be all we really need
>>>>>>
>>>>>> Alastair <kn...@gm...> wrote:
>>>>>>> Hi Tim,
>>>>>>>
>>>>>>> I've just looked into this a little deeper and it appears you're referring to $SessionSavePath. After a while of fiddling around with this variable and manually creating folders for each isolated install, I was able to get this to work. Unfortunately this process isn't well documented and requires manual configuration on the server for this to work (not horrible, I'd prefer to keep manual config to a minimum).
>>>>>>>
>>>>>>> Perhaps, this could be simplified by setting the "Path" value in the session cookies instead. This removes the need to create folders and specify locations in the config file, and it can be easily automated too.
>>>>>>>
>>>>>>> On a side note, the session.inc script should probably be setting the session cookie name with session_name() as PHPSESSID is very generic and doesn't help with debugging at all.
>>>>>>>
>>>>>>> My Regards,
>>>>>>> Alastair Knowles.
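
Review bot: in hunk @@ -25,6 +25,10 @@ of the "Both $SessionCookiePath and $SessionSavePath" variant, the fallback "$SessionCookiePath=$RootPath;" assumes $RootPath is already set at this point in includes/session.inc, and nothing in the visible context shows where it is defined or whether it ends in a slash. Please confirm both, and add a commented $SessionCookiePath entry to config.php beside the existing "//$SessionSavePath = '/tmp';" lines so the override is documented.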
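
Review bot: in hunk @@ -35,6 +39,8 @@ of the "Both" variant, "session_set_cookie_params( 0, $SessionCookiePath );" is placed above "session_write_close(); //in case a previous session is not closed", so in exactly the case that comment describes the cookie parameters are changed while a session is still open. Moving the call between session_write_close() and session_start() applies the path only once no session is active.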
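
Review bot: hunk @@ -21,8 +21,8 @@ of the "Only $SessionCookiePath" variant deletes the "session_save_path($SessionSavePath);" call, so an existing config.php that sets $SessionSavePath is silently ignored after the upgrade and its sessions fall back to the default store. The cookie path does not cover the load-balanced use of the save path described at the top of this thread; if the option really is to go, say so in the change.log and warn when $SessionSavePath is still set rather than dropping it quietly.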
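
Review bot: the "session_set_cookie_params( 0, $SessionCookiePath );" line in hunk @@ -35,6 +35,8 @@ of the "Only" variant hard-codes a lifetime of 0 and passes nothing after the path, so an administrator's cookie lifetime is overridden while domain, secure and httponly stay at whatever php.ini supplies. Reading the current values with session_get_cookie_params() and changing only the path would keep the configured lifetime, and this is the natural place to set httponly explicitly.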
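
Added example (not part of the original thread and not webERP code): how the two mechanisms discussed above fit together, with the save path deciding where the server keeps session data and the cookie Path and name deciding which install the browser sends the cookie to. The helper names, the $RootPath-style values and the request paths are hypothetical.

```php
<?php
// Added example, not webERP code. Helper names and sample values are hypothetical.

/** Turn an install's URL root (a $RootPath-style value) into a cookie Path ending in "/". */
function sessionCookiePath($rootPath) {
    $path = '/' . trim($rootPath, '/');
    return $path === '/' ? '/' : $path . '/';
}

/** RFC 6265 section 5.1.4 path-match: does the browser send this cookie with the request? */
function cookiePathMatches($cookiePath, $requestPath) {
    if ($cookiePath === $requestPath) {
        return true;
    }
    if (strpos($requestPath, $cookiePath) !== 0) {
        return false;
    }
    return substr($cookiePath, -1) === '/' || $requestPath[strlen($cookiePath)] === '/';
}

/** The save path should exist, be writable by the web-server user and closed to "other". */
function savePathIsPrivate($dir) {
    return is_dir($dir) && is_writable($dir) && (fileperms($dir) & 0007) === 0;
}

/** Start a session whose cookie and server-side files are both tied to one install. */
function startIsolatedSession($rootPath, $savePath) {
    if (!savePathIsPrivate($savePath)) {
        throw new RuntimeException("Session save path is not private: $savePath");
    }
    session_save_path($savePath);                           // where the server keeps the data
    session_name('webERP' . substr(md5($rootPath), 0, 8));  // per-install label, not a secret
    $p = session_get_cookie_params();                       // keep the configured values
    session_set_cookie_params($p['lifetime'], sessionCookiePath($rootPath),
        $p['domain'], $p['secure'], true);                  // change the path, force httponly
    session_start();
}

// Constructed request paths for two installs on one host.
$prod = sessionCookiePath('/webERP');
foreach (array('/webERP/index.php', '/webERP-test/index.php') as $request) {
    printf("%-24s Path=%s sent: %s; Path=/ sent: %s\n", $request, $prod,
        var_export(cookiePathMatches($prod, $request), true),
        var_export(cookiePathMatches('/', $request), true));
}
```

The printed comparison shows why a cookie scoped to "/" is shared by both installs while a per-install Path is not; the cookie Path only controls which requests carry the session id, so the save path check still matters for the data on disk.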