From ada26dd2cbf99e7e8395b4e466a3f73245d004f1 Mon Sep 17 00:00:00 2001 From: redmatrix Date: Wed, 18 May 2016 21:00:31 -0700 Subject: This explains it all. Don't set the domain when creating a cookie. You'll get a wildcard and sessions will break if you have multiple domains running hubzilla (or any php basic session based code).
---
 Zotlabs/Web/Session.php | 27 ++++++++++-----------------
 1 file changed, 10 insertions(+), 17 deletions(-)
(limited to 'Zotlabs/Web/Session.php')
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php
index 63ccd91fe..4f2a3f1f7 100644
--- a/Zotlabs/Web/Session.php
+++ b/Zotlabs/Web/Session.php
@@ -41,10 +41,15 @@ class Session {
 $arr = session_get_cookie_params();
+
+ // Note when setting cookies: set the domain to false which creates a single domain
+ // cookie. If you use a hostname it will create a .domain.com wildcard which will
+ // have some nasty side effects if you have any other subdomains running hubzilla.
+
 session_set_cookie_params(
 ((isset($arr['lifetime'])) ? $arr['lifetime'] : 0),
 ((isset($arr['path'])) ? $arr['path'] : '/'),
- (($arr['domain']) ? $arr['domain'] : \App::get_hostname()),
+ (($arr['domain']) ? $arr['domain'] : false),
 ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
 ((isset($arr['httponly'])) ? $arr['httponly'] : true)
 );
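Review bot: The added comment describes `false` as creating "a single domain cookie", but the mechanism worth recording is that the Domain attribute is omitted altogether, so the browser stores a host-only cookie bound to the exact request host, whereas an explicit hostname emits `Domain=host`, which browsers treat as matching that host and every subdomain beneath it. I would make the comment say that, e.g. `// Pass an empty domain so the Domain attribute is omitted and the browser stores a host-only cookie; an explicit hostname emits Domain=host, which also matches every subdomain.` Because the domain parameter is a string, `''` (the documented default, meaning "no domain") expresses the same intent as `false` without relying on bool-to-string coercion, and the same applies to the `false` domain arguments in the two setcookie hunks that follow. It is also worth noting in the comment that a configured `session.cookie_domain` still wins here via `$arr['domain']`, so an admin can reintroduce the wildcard through php.ini. The enclosing method starts before this hunk and its closing lines are not visible.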
@@ -83,19 +88,7 @@ class Session {
 if($this->handler && $this->session_started) {
- // The session should be regenerated to prevent session fixation attacks.
- // Traditionally this has been working well, but stopped working in Firefox
- // recently (~46.0). It works well in other browsers. FF takes time for the
- // new cookie to propagate and it appears to still use the old cookie for the
- // next several requests. We don't have an easy way to flush the cookies and
- // ensure the browser is using the right one. I've tried several methods including
- // delayed cookie deletion and issuing a page reload just after authentication
- // and none have been successful and all are hacks to work around what looks to be
- // a browser issue. This is an important @FIXME. We should enable by default and let
- // folks disable it if they have issues, except they can't login to change it if
- // their sessions aren't working.
-
- // session_regenerate_id(true);
+ session_regenerate_id(true);
 // force SessionHandler record creation with the new session_id
 // which occurs as a side effect of read()
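Review bot: Passing `true` to `session_regenerate_id` destroys the old session immediately, so a request that still arrives carrying the previous id (the behaviour the removed comment attributes to Firefox) finds no session at all; re-enabling the call restores the fixation protection but leaves that race exactly as it was. The approach the PHP manual describes for this is to stamp the old session before regenerating and not delete it, `$_SESSION['destroyed'] = time(); session_regenerate_id(false);`, then have the read path treat a session whose `destroyed` stamp is older than a short grace window as invalid. Since `$this->handler` appears to be a custom SessionHandler (the surviving comment refers to record creation in read()), that check would belong in its read path, which is outside this hunk. The enclosing method begins before this hunk and continues past it.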
@@ -106,9 +99,9 @@ class Session {
 logger('no session handler');
 if (x($_COOKIE, 'jsdisabled')) {
- setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime, '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
+ setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime, '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
 }
- setcookie(session_name(),session_id(),$newxtime, '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
+ setcookie(session_name(),session_id(),$newxtime, '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
 $arr = array('expire' => $xtime);
 call_hooks('new_cookie', $arr);
@@ -124,7 +117,7 @@ class Session {
 $xtime = (($_SESSION['remember_me']) ? (60 * 60 * 24 * 365) : 0 );
 if($xtime)
- setcookie(session_name(),session_id(),(time() + $xtime), '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
+ setcookie(session_name(),session_id(),(time() + $xtime), '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly'])) ? $arr['httponly'] : true));
 $arr = array('expire' => $xtime);
 call_hooks('extend_cookie', $arr);
-- cgit v1.2.3
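Review bot: The Secure flag on every rewritten setcookie line here and in the `extend_cookie` hunk below is derived from `strtolower($_SERVER['HTTPS']) == 'on'`, but PHP only documents `$_SERVER['HTTPS']` as "a non-empty value" when the request came over TLS, so a SAPI that reports something other than `on` (or a TLS-terminating proxy that does not set it at all) yields a session cookie without Secure on an HTTPS site; `!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) != 'off'` matches the documented contract. The secure/httponly/domain arguments are also pasted identically into three setcookie calls plus `session_set_cookie_params`, so that decision now lives in four places; a small private helper such as `private function cookie_secure() { return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) != 'off'; }` used at each call site would give one place to fix it, ideally one that also honours the configured `secure` value from `session_get_cookie_params()` the way the neighbouring lifetime/path/httponly arguments already do. The `$arr['httponly']` lookups on these lines read `$arr` before it is reassigned to the hook payload two lines later, and only the `isset` guard keeps that from being a notice when `$arr` is not the cookie-params array in this scope — a short comment naming which `$arr` is meant would help the next reader. The enclosing methods start and end outside both hunks.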