aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Web
diff options
context:
space:
mode:
authorredmatrix <git@macgirvin.com>2016-05-18 21:00:31 -0700
committerredmatrix <git@macgirvin.com>2016-05-18 21:00:31 -0700
commitada26dd2cbf99e7e8395b4e466a3f73245d004f1 (patch)
tree2dfeb19b9e039622f55ff3950a10db897ce6e3a7 /Zotlabs/Web
parentf4b31dcb3a56789c9c96e982466b11fe472e1444 (diff)
downloadvolse-hubzilla-ada26dd2cbf99e7e8395b4e466a3f73245d004f1.tar.gz
volse-hubzilla-ada26dd2cbf99e7e8395b4e466a3f73245d004f1.tar.bz2
volse-hubzilla-ada26dd2cbf99e7e8395b4e466a3f73245d004f1.zip
This explains it all. Don't set the domain when creating a cookie. You'll get a wildcard and sessions will break if you have multiple domains running hubzilla (or any php basic session based code).
Diffstat (limited to 'Zotlabs/Web')
-rw-r--r--Zotlabs/Web/Session.php27
1 files changed, 10 insertions, 17 deletions
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php
index 63ccd91fe..4f2a3f1f7 100644
--- a/Zotlabs/Web/Session.php
+++ b/Zotlabs/Web/Session.php
@@ -41,10 +41,15 @@ class Session {
$arr = session_get_cookie_params();
+
+ // Note when setting cookies: set the domain to false which creates a single domain
+ // cookie. If you use a hostname it will create a .domain.com wildcard which will
+ // have some nasty side effects if you have any other subdomains running hubzilla.
+
session_set_cookie_params(
((isset($arr['lifetime'])) ? $arr['lifetime'] : 0),
((isset($arr['path'])) ? $arr['path'] : '/'),
- (($arr['domain']) ? $arr['domain'] : \App::get_hostname()),
+ (($arr['domain']) ? $arr['domain'] : false),
((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
((isset($arr['httponly'])) ? $arr['httponly'] : true)
);
@@ -83,19 +88,7 @@ class Session {
if($this->handler && $this->session_started) {
- // The session should be regenerated to prevent session fixation attacks.
- // Traditionally this has been working well, but stopped working in Firefox
- // recently (~46.0). It works well in other browsers. FF takes time for the
- // new cookie to propagate and it appears to still use the old cookie for the
- // next several requests. We don't have an easy way to flush the cookies and
- // ensure the browser is using the right one. I've tried several methods including
- // delayed cookie deletion and issuing a page reload just after authentication
- // and none have been successful and all are hacks to work around what looks to be
- // a browser issue. This is an important @FIXME. We should enable by default and let
- // folks disable it if they have issues, except they can't login to change it if
- // their sessions aren't working.
-
- // session_regenerate_id(true);
+ session_regenerate_id(true);
// force SessionHandler record creation with the new session_id
// which occurs as a side effect of read()
@@ -106,9 +99,9 @@ class Session {
logger('no session handler');
if (x($_COOKIE, 'jsdisabled')) {
- setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime, '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
+ setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime, '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
}
- setcookie(session_name(),session_id(),$newxtime, '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
+ setcookie(session_name(),session_id(),$newxtime, '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
$arr = array('expire' => $xtime);
call_hooks('new_cookie', $arr);
@@ -124,7 +117,7 @@ class Session {
$xtime = (($_SESSION['remember_me']) ? (60 * 60 * 24 * 365) : 0 );
if($xtime)
- setcookie(session_name(),session_id(),(time() + $xtime), '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
+ setcookie(session_name(),session_id(),(time() + $xtime), '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
$arr = array('expire' => $xtime);
call_hooks('extend_cookie', $arr);