Differentiating between cookie path

Alastair Knowles
Hi,
It seems currently if you've got 2 different WebERP installs on the same
web server with 2 different paths (e.g. http://server/webERP1/ and
http://server/webERP2/), they share the same session cookies and thus
logging into both sessions at once could end up overriding the wrong
database. After doing some reading, it seems it's possible to set the
session path in the cookies, thus forcing each install to have its own
cookies. I've made the required changes to the session.inc file and have
been running 2 concurrent installs with no problems for the last couple
of months.

Just as a background as to how I've been using this functionality, this
allows me to have both a live system and a totally isolated development
system running concurrently from which I can try modifications without
the risk of damaging the live system and without having to temporarily
log out of the live system.

I've made the necessary modifications (a grand total of 4 added lines)
and have re-based it to the latest svn (as of half an hour ago). Would
it be possible for this feature to be added upstream to the sourceforge
svn? (Pending review of course) If so, I'll send through the diff asap.

My Regards,
Alastair Knowles.

_______________________________________________
Web-erp-developers mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/web-erp-developers
Re: Differentiating between cookie path

Alastair Knowles
Hi Tim,

I've just looked into this a little deeper and it appears you're referring to $SessionSavePath. After a while of fiddling around with this variable and manually creating folders for each isolated install, I was able to get this to work. Unfortunately this process isn't well documented and requires manual configuration on the server for this to work (not horrible, I'd prefer to keep manual config to a minimum).

Perhaps this could be simplified by setting the "Path" value in the session cookies instead. This removes the need to create folders and specify locations in the config file, and it can be easily automated too.

On a side note, the session.inc script should probably be setting the session cookie name with session_name() as PHPSESSID is very generic and doesn't help with debugging at all.

My Regards,
Alastair Knowles.

On 25/06/15 03:15, Tim Schofield wrote:

Hi Alastair the session save path can be set in config.php. The line is commented out by default.

Thanks
Tim

Re: Differentiating between cookie path

phildaintree
In reply to this post by Alastair Knowles
Absolutely

If anyone is wondering about the persistently nasty comments made by Tim Schofield and wants the full story please see: http://timschofield.blogspot.com/ Hell hath no fury like a woman (or Tim) scorned
Re: Differentiating between cookie path

phildaintree
In reply to this post by Alastair Knowles
Hi Alastair
If there are just a few lines to your solution which requires no manual editing, then perhaps you would send me the diffs so I could study. As Tim points out it is quite easy to use the config.php $SessionSavePath to explicitly set where the server should save the session to. Some documentation, as you say, might be all we really need.

Re: Differentiating between cookie path

Alastair Knowles
Included below are 2 different options.
The first is for if you wish to replace $SessionSavePath with my new
$SessionCookiePath process (as I have now just dubbed it). The second is
if you'd like to keep both the older $SessionSavePath and the newer
$SessionCookiePath processes. Because $SessionCookiePath achieves the
same end result as $SessionSavePath, I'm of the opinion that it would be
a good idea to remove $SessionSavePath to reduce feature duplication.

If either of you have a fairly strong preference of one over the other,
I can prepare a change.log and submit the diff through to
[hidden email]. On the other hand, if it makes it easier for you
to play with, I can send both of them through to [hidden email]
and you can pick which one you want to push to the svn codebase.

Also note that you'll need to delete your current cookies for changes to
take effect.

##### Both $SessionCookiePath and $SessionSavePath #####

Index: includes/session.inc
===================================================================
--- includes/session.inc    (revision 7325)
+++ includes/session.inc    (working copy)
@@ -25,6 +25,10 @@
      session_save_path($SessionSavePath);
  }

+if (!isset($SessionCookiePath)){
+    $SessionCookiePath=$RootPath;
+}
+
  if (!isset($SysAdminEmail)) {
      $SysAdminEmail='';
  }
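Review bot: the new default `$SessionCookiePath=$RootPath;` assumes `$RootPath` is already defined this early in session.inc and is never empty; if it is unset or empty the cookie path silently becomes an empty string, PHP then sends no Path attribute at all, and the browser scopes the cookie to the directory of whichever script issued it, so a session started from a script in a subdirectory would not be sent back to the install's top-level pages. Guard that case (fall back to '/' when `$RootPath` is empty) and document `$SessionCookiePath` in config.php next to the existing `$SessionSavePath` comment so administrators know it exists.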
@@ -35,6 +39,8 @@
      set_time_limit($MaximumExecutionTime);
      ini_set('max_execution_time',$MaximumExecutionTime);
  }
+
+session_set_cookie_params( 0, $SessionCookiePath );
  session_write_close(); //in case a previous session is not closed
  session_start();
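Review bot: `session_set_cookie_params( 0, $SessionCookiePath );` passes only the lifetime and path, so the secure and httponly attributes of the session cookie stay at whatever php.ini happens to say; since this call now owns the cookie attributes it is the natural place to set them explicitly, e.g. `session_set_cookie_params(0, $SessionCookiePath, '', isset($_SERVER['HTTPS']), true);` (domain left empty, secure when served over HTTPS, httponly on). The placement before `session_write_close()` and `session_start()` is correct, since the parameters must be set before the session is started to take effect.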

########### Only $SessionCookiePath ###########

Index: includes/session.inc
===================================================================
--- includes/session.inc    (revision 7325)
+++ includes/session.inc    (working copy)
@@ -21,8 +21,8 @@
      $DBType=$dbType;
  }

-if (isset($SessionSavePath)){
-    session_save_path($SessionSavePath);
+if (!isset($SessionCookiePath)){
+    $SessionCookiePath=$RootPath;
  }

  if (!isset($SysAdminEmail)) {
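Review bot: this variant deletes the `session_save_path($SessionSavePath);` call outright, so any existing deployment that uncommented `$SessionSavePath` in config.php silently falls back to PHP's default save path, which on shared hosting is exactly what that option exists to avoid. The two settings also answer different questions: the cookie path only decides which cookie the browser sends to which install, while the save path decides where session files live on the server and which OS users can read them, so they are complementary rather than duplicates. Prefer the first variant that keeps both, and if `$SessionSavePath` is ever removed it needs a changelog note and an upgrade warning.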
@@ -35,6 +35,8 @@
      set_time_limit($MaximumExecutionTime);
      ini_set('max_execution_time',$MaximumExecutionTime);
  }
+
+session_set_cookie_params( 0, $SessionCookiePath );
  session_write_close(); //in case a previous session is not closed
  session_start();
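Review bot: `session_set_cookie_params( 0, $SessionCookiePath );` here, as in the other variant, leaves the secure (fourth) and httponly (fifth) arguments to php.ini defaults; set them explicitly in the same call, e.g. `session_set_cookie_params(0, $SessionCookiePath, '', isset($_SERVER['HTTPS']), true);`, so the session cookie is protected regardless of the host's ini settings. The call is correctly placed before `session_start()`.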

My Regards,
Alastair Knowles

Re: Differentiating between cookie path

phildaintree
Hi Alastair,

It is not a good plan to have the SessionCookie accessible to all and
sundry as it contains private stuff... so setting the path to a place
where people could download it is a big "NO NO"

Also, this solution doesn't really give us anything better than what we had.

In config.php we have

//The path to which session files should be stored in the server - useful for some multi-host web servers
//this can be left commented out
//$SessionSavePath = '/tmp';

All that is needed is to uncomment this and set it to some private place
that the web-server user can read and write but is not visible to the
outside world.


Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz

Re: Differentiating between cookie path

Alastair Knowles
Hi Phil,

The session cookie path isn't actually a location on the server that the
data is saved, nor is it a location on the client to save session
information, it is instead an extra piece of information that tells the
server which URL subdirectory the session belongs to. Thus the session
information is still stored in the default session store on the server,
but also has the same piece of information so that it knows it belongs
to this session rather than the other. So in actuality, it is no less
secure than the current solution (or even the default without the
SessionSavePath variable set) and still has the added benefit that it is
automatically configured and doesn't need a folder to be created, nor
does it need any additional values set in the config file.

My regards,
Alastair Knowles.

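The mechanism Alastair describes above, cookie Path scoping done by the browser rather than by any server-side storage, can be seen directly with a small model. The following is an added example written for this thread, not code from webERP or from anyone in the discussion: it implements the RFC 6265 path-match and default-path rules in a toy cookie jar and runs the three configurations discussed (PHP's default PHPSESSID with Path=/, a Path per install as in the $SessionCookiePath patch, and a cookie name per install via session_name()), plus the edge case of an empty cookie path. The install paths, cookie names and session ids are constructed sample values, and the server side is modelled as taking the first cookie of the session name in the Cookie header.

```python
"""Model of how a browser scopes cookies by Path, showing why two webERP
installs on one host (http://server/webERP1/ and http://server/webERP2/)
overwrite each other's PHPSESSID until the cookie Path or name differs.

Added example for this thread, not webERP code. The jar implements the
RFC 6265 path-match and default-path rules; install paths, cookie names
and session ids below are constructed sample values.
"""
from __future__ import annotations

from typing import Callable, Dict, List, Optional, Tuple


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4: is a cookie with cookie_path sent to request_path?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def default_path(request_uri: str) -> str:
    """RFC 6265 section 5.1.4 default-path: what a browser uses when the
    server sends no Path attribute (PHP does that for an empty cookie path)."""
    if not request_uri.startswith("/") or request_uri.count("/") == 1:
        return "/"
    return request_uri[: request_uri.rfind("/")]


class CookieJar:
    """Single-host cookie jar: one stored value per (name, path)."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], str] = {}

    def set_cookie(self, name: str, value: str, path: Optional[str], request_uri: str) -> None:
        # A Set-Cookie with the same name and Path replaces the old value;
        # a missing Path falls back to the request's default-path.
        effective = path if path else default_path(request_uri)
        self._store[(name, effective)] = value

    def cookie_header(self, request_path: str) -> List[Tuple[str, str]]:
        # Browsers send every matching cookie, longest Path first.
        matches = [(p, n, v) for (n, p), v in self._store.items() if path_match(request_path, p)]
        matches.sort(key=lambda t: len(t[0]), reverse=True)
        return [(n, v) for _, n, v in matches]

    def session_id_seen(self, request_path: str, session_name: str) -> Optional[str]:
        # Server-side model: the first cookie carrying the session name wins.
        for name, value in self.cookie_header(request_path):
            if name == session_name:
                return value
        return None


# Constructed sample installs and the session id each one issues on login.
INSTALLS = {"/webERP1/": "sid-live-1111", "/webERP2/": "sid-dev-2222"}


def simulate(cookie_name_for: Callable[[str], str],
             cookie_path_for: Callable[[str], str]) -> Dict[str, Optional[str]]:
    """Log into both installs in turn, then revisit each and report the
    session id its server receives. Matching ids mean isolation is lost."""
    jar = CookieJar()
    for root, sid in INSTALLS.items():
        jar.set_cookie(cookie_name_for(root), sid, cookie_path_for(root), root + "index.php")
    return {root: jar.session_id_seen(root + "index.php", cookie_name_for(root)) for root in INSTALLS}


def shared_default() -> Dict[str, Optional[str]]:
    # PHP defaults: PHPSESSID with session.cookie_path "/", second login clobbers the first
    return simulate(lambda root: "PHPSESSID", lambda root: "/")


def per_install_path() -> Dict[str, Optional[str]]:
    # The thread's $SessionCookiePath = $RootPath idea: same name, Path scoped to the install
    return simulate(lambda root: "PHPSESSID", lambda root: root)


def per_install_name() -> Dict[str, Optional[str]]:
    # The thread's session_name() idea: a distinct cookie name per install, shared Path "/"
    return simulate(lambda root: "SESS_" + root.strip("/"), lambda root: "/")


def subdirectory_pitfall() -> Optional[str]:
    """Edge case of an empty cookie path: a cookie set by a script in a
    subdirectory gets that subdirectory as default-path and is never sent
    back to the install's top-level scripts (constructed script path)."""
    jar = CookieJar()
    jar.set_cookie("PHPSESSID", "sid-from-subdir", None, "/webERP1/sub/script.php")
    return jar.session_id_seen("/webERP1/index.php", "PHPSESSID")


if __name__ == "__main__":
    for label, fn in [("PHP defaults", shared_default), ("Path per install", per_install_path),
                      ("name per install", per_install_name)]:
        print(f"{label:18}: {fn()}")
    print("empty path, subdir :", subdirectory_pitfall())
```

Running it shows that with the defaults both installs hand the server the second login's id, while either a per-install Path or a per-install name keeps them apart. Note what this does and does not buy: the browser simply stops sending one install's cookie to the other, so the two logins stop clobbering each other; both sessions still live in the same server-side save path, which is why $SessionSavePath remains relevant on shared hosts, and both installs share one origin, so a development copy next to a live one should be treated as trusted code rather than as an isolated tenant.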
Re: Differentiating between cookie path

phildaintree
Ah OK.

Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz

On 27/06/15 18:57, Alastair Knowles wrote:

> Hi Phil,
>
> The session cookie path isn't actually a location on the server that the
> data is saved, nor is it a location on the client to save session
> information, it is instead an extra piece of information that tells the
> server which URL subdirectory the session belongs to. Thus the session
> information is still stored in the default session store on the server,
> but also has the same piece of information so that it knows it belongs
> to this session rather than the other. So in actuality, it is no less
> secure than the current solution (or even the default without the
> SessionSavePath variable set) and still has the added benefit that it is
> automatically configured and doesn't need a folder to be created, nor
> does it need any additional values set in the config file.
>
> My regards,
> Alastair Knowles.
>
> On 27/06/15 14:04, Phil Daintree wrote:
>> Hi Alistair,
>>
>> It is not a good plan to have the SessionCookie  accessible to all and
>> sundry as it contains private stuff... so setting the path to a place
>> where people could download it is a big "NO NO"
>>
>> Also, this solution doesn't really give us anything better than what we had.
>>
>> In config.php we have
>>
>> //The path to which session files should be stored in the server -
>> //useful for some multi-host web servers
>> //this can be left commented out
>> //$SessionSavePath = '/tmp';
>>
>> All that is needed is to uncomment this and set it to some private place
>> that the web-server user can read and write but is not visible to the
>> outside world.
>>
>>
>> Phil
>>
>> Phil Daintree
>> Logic Works Ltd - +64 (0)275 567890
>> http://www.logicworks.co.nz
>>
>> On 27/06/15 12:40, Alastair Knowles wrote:
>>> Included below are 2 different options.
>>> The first is for if you wish to replace $SessionSavePath with my new
>>> $SessionCookiePath process (as I have now just dubbed it). The second is
>>> if you'd like to keep both the older $SessionSavePath and the newer
>>> $SessionCookiePath processes. Because $SessionCookiePath achieves the
>>> same end result as $SessionSavePath, I'm of the opinion that it would be
>>> a good idea to remove $SessionSavePath to reduce feature duplication.
>>>
>>> If either of you have a fairly strong preference of one over the other,
>>> I can prepare a change.log and submit the diff through to
>>> [hidden email]. On the other hand, if it makes it easier for you
>>> to play with, I can send both of them through to [hidden email]
>>> and you can pick which one you want to push to the svn codebase.
>>>
>>> Also note that you'll need to delete your current cookies for changes to
>>> take effect.
>>>
>>> ##### Both $SessionCookiePath and $SessionSavePath #####
>>>
>>> Index: includes/session.inc
>>> ===================================================================
>>> --- includes/session.inc    (revision 7325)
>>> +++ includes/session.inc    (working copy)
>>> @@ -25,6 +25,10 @@
>>>          session_save_path($SessionSavePath);
>>>      }
>>>
>>> +if (!isset($SessionCookiePath)){
>>> +    $SessionCookiePath=$RootPath;
>>> +}
>>> +
>>>      if (!isset($SysAdminEmail)) {
>>>          $SysAdminEmail='';
>>>      }
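Review bot: the default `$SessionCookiePath=$RootPath` relies on `$RootPath` being defined and non-empty at this point in session.inc; guard against a missing or empty value (fall back to `/` explicitly), because with an empty path PHP omits the Path attribute and the browser then scopes the cookie to the directory of whichever script set it, which fragments the session by subdirectory. Browsers match a cookie Path as a prefix on `/` boundaries, so `/webERP1` and `/webERP2` stay apart, but an install nested under another (`/webERP` and `/webERP/dev`) would still share the cookie; that deserves a line in the config.php comment. Style: the three added lines are not indented like the surrounding block.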
>>> @@ -35,6 +39,8 @@
>>>          set_time_limit($MaximumExecutionTime);
>>>          ini_set('max_execution_time',$MaximumExecutionTime);
>>>      }
>>> +
>>> +session_set_cookie_params( 0, $SessionCookiePath );
>>>      session_write_close(); //in case a previous session is not closed
>>>      session_start();
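Review bot: since this hunk introduces the `session_set_cookie_params()` call, it should set the remaining parameters too rather than leaving them to php.ini: `session_set_cookie_params(0, $SessionCookiePath, '', $IsHttps, true)` (with `$IsHttps` being however the code detects an HTTPS request) gives the session id the `HttpOnly` flag and, over HTTPS, `Secure`, which matters more than the path for a cookie that, as noted earlier in the thread, carries the login. The call is correctly placed before `session_start()`. Style: the spaces inside the parentheses and the extra blank line do not match the surrounding code.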
>>>
>>> ########### Only $SessionCookiePath ###########
>>>
>>> Index: includes/session.inc
>>> ===================================================================
>>> --- includes/session.inc    (revision 7325)
>>> +++ includes/session.inc    (working copy)
>>> @@ -21,8 +21,8 @@
>>>          $DBType=$dbType;
>>>      }
>>>
>>> -if (isset($SessionSavePath)){
>>> -    session_save_path($SessionSavePath);
>>> +if (!isset($SessionCookiePath)){
>>> +    $SessionCookiePath=$RootPath;
>>>      }
>>>
>>>      if (!isset($SysAdminEmail)) {
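Review bot: this variant silently drops `$SessionSavePath`, so any existing config.php that sets it (the multi-host, load-balanced case the option exists for) stops being honoured with no warning. The two settings are not substitutes: the cookie path stops the browser from presenting one session id to both installs, while the save path separates where the session data lives on the server, so keep the `session_save_path()` branch alongside the new `if (!isset($SessionCookiePath))` block, as the first variant does, instead of replacing it.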
>>> @@ -35,6 +35,8 @@
>>>          set_time_limit($MaximumExecutionTime);
>>>          ini_set('max_execution_time',$MaximumExecutionTime);
>>>      }
>>> +
>>> +session_set_cookie_params( 0, $SessionCookiePath );
>>>      session_write_close(); //in case a previous session is not closed
>>>      session_start();
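Review bot: the remark that users must delete their existing cookies points at a rollout problem with this hunk: a `/`-scoped PHPSESSID already in the browser is still sent to both installs after the change, and each install then also sets its own path-scoped cookie of the same name. Calling a per-install `session_name()` just before `session_set_cookie_params()`, which the thread itself proposes, gives each install a distinct cookie name and avoids the clash without relying on users to clear cookies.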
>>>
>>> My Regards,
>>> Alastair Knowles
>>>
>>> On 27/06/15 06:45, phil wrote:
>>>> Hi Alistair
>>>> If there are just a few lines to your solution which requires no
>>>> manual editing, then perhaps you would send me the diffs so I could
>>>> study. As Tim points out it is quite easy to use the config.php
>>>> sessionssavepath to explicitly set where the server should save the
>>>> session to. Some documentation as you say might be all we really need.
>>>>
>>>> Alastair <[hidden email]> wrote:
>>>>
>>>> Hi Tim,
>>>>
>>>> I've just looked into this a little deeper and it appears you're
>>>> referring to $SessionSavePath. After a while of fiddling around with
>>>> this variable and manually creating folders for each isolated install,
>>>> I was able to get this to work. Unfortunately this process isn't well
>>>> documented and requires manual configuration on the server for this to
>>>> work (not horrible, I'd prefer to keep manual config to a minimum).
>>>>
>>>> Perhaps this could be simplified by setting the "Path" value in the
>>>> session cookies instead. This removes the need to create folders and
>>>> specify locations in the config file, and it can be easily automated too.
>>>>
>>>> On a side note, the session.inc script should probably be setting the
>>>> session cookie name with session_name() as PHPSESSID is very generic
>>>> and doesn't help with debugging at all.
>>>>
>>>> My Regards,
>>>> Alastair Knowles.
If anyone is wondering about the persistently nasty comments made by Tim Schofield and wants the full story please see: http://timschofield.blogspot.com/ Hell hath no fury like a woman (or Tim) scorned

Re: Differentiating between cookie path

Alastair Knowles
Any thoughts as to which variant may be preferred?

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Differentiating between cookie path

phildaintree
I am not persuaded we need to change anything, sorry Alistair.
I will add some words to the manual about it so it is easier for others following to use the functionality we already have.

/* The path to which session files should be stored in the server - useful for some multi-host web servers where pages are serviced using load balancing servers - when the load picks a different server then the session can be lost unless this option is used - which tells the server explicitly where to find the session file.
   It is also useful where there are several webERP installs where the code is in two different paths on the same server and being used by the same client browser. It is possible in this scenario for the session to be over-written by the two different webERP installations. The solution is to specify a different $SessionSavePath in each installation's config.php.

   If there is only one installation of webERP on the web-server - which can be used with many company databases (and there are no load balancing difficulties to circumvent) then this can be left commented out.
*/
Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz

Re: Differentiating between cookie path

Alastair Knowles
Ok, fair enough.
Thanks for addressing the documentation issue, not the solution I was after, but I'm sure it will still be quite helpful to a number of people :)
You might also want to add a note in the documentation about the session directory needing write permissions for whatever user php is running under (it's something that will probably trip up quite a few people).

My regards,
Alastair Knowles.

On June 28, 2015 11:08:25 AM GMT+10:00, Phil Daintree <[hidden email]> wrote:
I am not persuaded we need to change anything sorry Alistair.
I will add some words to the manual about it so it is easier for others following to use the functionality we already have.

/*The path to which session files should be stored in the server - useful for some multi-host web servers where pages are serviced using load balancing servers - when the load picks a different server then the session can be lost unless this option is used - which tells the server explicitly where to find the session file.
        It is also useful where there are several webERP installs where the code is in two different paths on the same server and being used by the same client browser. It is possible in this scenario for the session to be over-written by the two different webERP installations. The solution is to specify different $SessionSavePath in each installations config.php
       
        If there is only one installation of webERP on the web-server - which can be used with many company databases (and there is no load balancing difficulties to circumvent then this can be left commented out
*/
Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz
On 28/06/15 12:51, Alastair wrote:
Any thoughts as to which variant may be prefered?

On June 27, 2015 8:45:25 PM GMT+10:00, Phil Daintree [hidden email] wrote:
Ah OK.

Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz

On 27/06/15 18:57, Alastair Knowles wrote:
Hi Phil, The session cookie path isn't actually a location on the server that the data is saved, nor is it a location on the client to save session information, it is instead an extra piece of information that tells the server which URL subdirectory the session belongs to. Thus the session information is still stored in the default session store on the server, but also has the same piece of information so that it knows it belongs to this session rather than the other. So in actuality, it is no less secure than the current solution (or even the default without the SessionSavePath variable set) and still has the added benefit that it is automatically configured and doesn't need a folder to be created, nor does it need any additional values set in the config file. My regards, Alastair Knowles. On 27/06/15 14:04, Phil Daintree wrote:
Hi Alistair, It is not a good plan to have the SessionCookie accessible to all and sundry as it contains private stuff... so setting the path to a place where people could download it is a big "NO NO" Also, this solution doesn't really give us anything better than what we had. In config.php we have //The path to which session files should be stored in the server - useful for some multi-host web servers //this can be left commented out //$SessionSavePath = '/tmp'; All that is needed is to uncomment this and set it to some private place that the web-server user can read and write but is not visible to the outside world. Phil Phil Daintree Logic Works Ltd - +64 (0)275 567890 http://www.logicworks.co.nz On 27/06/15 12:40, Alastair Knowles wrote:
Included bellow are 2 different options. The first is for if you wish to replace $SessionSavePath with my new $SessionCookiePath process (as I have now just dubbed it). The second is if you'd like to keep both the older $SessionSavePath and the newer $SessionCookiePath processes. Because $SessionCookiePath achieves the same end result as $SessionSavePath, I'm of the opinion that it would be a good idea to remove $SessionSavePath to reduce feature duplication. If either of you have a fairly strong preference of one over the other, I can prepare a change.log and submit the diff through to [hidden email]. On the other hand, if it makes it easier for you to play with, I can send both of them through to [hidden email] and you can pick which one you want to push to the svn codebase. Also note that you'll need to delete your current cookies for changes to take effect. ##### Both $SessionCookiePath and $SessionSavePath ##### Index: includes/session.inc
--- includes/session.inc (revision 7325) +++ includes/session.inc (working copy) @@ -25,6 +25,10 @@ session_save_path($SessionSavePath); } +if (!isset($SessionCookiePath)){ + $SessionCookiePath=$RootPath; +} + if (!isset($SysAdminEmail)) { $SysAdminEmail=''; } @@ -35,6 +39,8 @@ set_time_limit($MaximumExecutionTime); ini_set('max_execution_time',$MaximumExecutionTime); } + +session_set_cookie_params( 0, $SessionCookiePath ); session_write_close(); //in case a previous session is not closed session_start(); ########### Only $SessionCookiePath ########### Index: includes/session.inc
--- includes/session.inc (revision 7325) +++ includes/session.inc (working copy) @@ -21,8 +21,8 @@ $DBType=$dbType; } -if (isset($SessionSavePath)){ - session_save_path($SessionSavePath); +if (!isset($SessionCookiePath)){ + $SessionCookiePath=$RootPath; } if (!isset($SysAdminEmail)) { @@ -35,6 +35,8 @@ set_time_limit($MaximumExecutionTime); ini_set('max_execution_time',$MaximumExecutionTime); } + +session_set_cookie_params( 0, $SessionCookiePath ); session_write_close(); //in case a previous session is not closed session_start(); My Regards, Alastair Knowles On 27/06/15 06:45, phil wrote:
Hi Alistair If there are just a few lines to your solution which requires no manual editing, then perhaps you would send me the duffs so I could study. As Tim points out it is quite easy to use the config.php sessionssavepath to explicitly set where the server should save the session to. Some documentation as you say might be all we really need Alastair &lt;[hidden email]&gt; wrote: Hi Tim, I've just looked into this a little deeper and it appears you're referring to $SessionSavePath. After a while of fiddling around with this variable and manually creating folders for each isolated install, I was able to get this to work. Unfortunately this process isn't well documented and requires manual configuration on the server for this to work (not horrible, I'd prefer to keep manual config to a minimum). Perhaps, this could be simplified by setting the "Path" value in the session cookies instead. This removes the need to create folders and specify locations in the config file, and it can be easily automated too. On a side note, the session.inc script should probably be setting the session cookie name with session_name() as PHPSESSID is very generic and doesn't help with debugging at all. My Regards, Alastair Knowles.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

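To show the two ideas from this thread together (the cookie Path scoping that the patch adds, and the per-install session_name() that the quoted message suggests), here is an added example. It is not webERP's own code and not Alastair's patch; it assumes, as the patch does, that $RootPath holds the install's URL prefix (for example "/webERP1"), and the function names are hypothetical. It also sets the httponly and secure flags, which the patch leaves at PHP's defaults.

```php
<?php
// Added example, not webERP's own code: scope the session cookie to one install.
// Assumption: $RootPath holds this install's URL prefix (e.g. "/webERP1"), as the
// patch in this thread uses it. The function names below are hypothetical.

/**
 * Normalise a URL prefix into a cookie Path value.
 * "/webERP1", "webERP1/" and "/webERP1/" all become "/webERP1"; "" becomes "/".
 * A browser sends a cookie with Path=/webERP1 to /webERP1 and /webERP1/..., but
 * not to /webERP10/..., so two installs under distinct prefixes get distinct cookies.
 */
function cookiePathFor($rootPath)
{
    $trimmed = trim((string) $rootPath, '/');
    return $trimmed === '' ? '/' : '/' . $trimmed;
}

/**
 * A per-install session name, so two installs never both read "PHPSESSID".
 * This also covers the case where one install lives at "/": its cookie has Path=/
 * and is sent to every path on the host, the other install's pages included.
 */
function sessionNameFor($rootPath)
{
    $slug = strtoupper(preg_replace('/[^A-Za-z0-9]/', '', (string) $rootPath));
    return 'WEBERP_' . ($slug === '' ? 'ROOT' : $slug) . '_SESSID';
}

/**
 * Configure and start the session for this install.
 * Must run before any output is sent and before session_start().
 */
function startScopedSession($rootPath, $https)
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close(); // in case an earlier include already started one
    }
    session_name(sessionNameFor($rootPath));
    session_set_cookie_params(
        0,                          // lifetime 0: the cookie dies with the browser session
        cookiePathFor($rootPath),   // scope the cookie to this install's prefix
        '',                         // domain: current host only
        (bool) $https,              // secure: only over TLS when the site is served over TLS
        true                        // httponly: keep the session ID out of document.cookie
    );
    session_start();
}

// IIS sets HTTPS=off for plain HTTP, so test the value, not just its presence.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
startScopedSession(isset($RootPath) ? $RootPath : '/', $https);
```

With $RootPath set to "/webERP1" this issues a cookie named WEBERP_WEBERP1_SESSID with Path=/webERP1, and a second install at "/webERP2" gets WEBERP_WEBERP2_SESSID with Path=/webERP2, so neither overwrites the other. One caveat: the Path attribute only prevents that collision. It is not an isolation boundary, because any script running on the same origin can set a cookie for any path, so a compromised development install under the same host could still plant a session cookie for the live one; if the two systems must be isolated from each other, give them separate hostnames.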