authorredmatrix <git@macgirvin.com>2016-05-18 20:36:03 -0700
committerredmatrix <git@macgirvin.com>2016-05-18 20:36:03 -0700
commitf4b31dcb3a56789c9c96e982466b11fe472e1444 (patch)
treea7cf8740917cd61237dcaebd583d0f17d1f574b2
parent7abb214eaf0061c7cede570e398c3a92b8c874d1 (diff)
Document what I know about the session regeneration issue. I'm really tired of fighting this darn thing. Sessions and cookies need to work.
-rw-r--r--Zotlabs/Web/Session.php13
1 files changed, 13 insertions, 0 deletions
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php
index 2b058d379..63ccd91fe 100644
--- a/Zotlabs/Web/Session.php
+++ b/Zotlabs/Web/Session.php
@@ -82,6 +82,19 @@ class Session {
$arr = session_get_cookie_params();
if($this->handler && $this->session_started) {
+
+ // The session should be regenerated to prevent session fixation attacks.
+ // Traditionally this has been working well, but stopped working in Firefox
+ // recently (~46.0). It works well in other browsers. FF takes time for the
+ // new cookie to propagate and it appears to still use the old cookie for the
+ // next several requests. We don't have an easy way to flush the cookies and
+ // ensure the browser is using the right one. I've tried several methods including
+ // delayed cookie deletion and issuing a page reload just after authentication
+ // and none have been successful and all are hacks to work around what looks to be
+ // a browser issue. This is an important @FIXME. We should enable by default and let
+ // folks disable it if they have issues, except they can't login to change it if
+ // their sessions aren't working.
+
// session_regenerate_id(true);
// force SessionHandler record creation with the new session_id