auto-logged out if using url_rewrite and not checking "remember me" box

problems with Cotonti setting cookies and auth_session when using brute url_rewrite

donP
#24843 4 June 2010, 07:16
Ever since I implemented my own url_rewrite transformation to obtain "fake" subdomains (cat1.mydomain.net/subcat... cat2.mydomain.net/subcat/subsubcat...), I have had many problems staying logged in.
In fact, every time I surfed from www.mydomain.net to one of the subdomains I got logged out (and when I returned to the same location but with the normal URL, e.g. www.mydomain.net/list.php?c=cat1, I was magically still logged in).

I think I've found the problem...

In system/common.php we have:

$site_id = 'ct' . substr(md5($cfg['mainurl']), 0, 10);
$sys['site_id'] = $site_id;

session_start();

if(!empty($_COOKIE[$site_id]) || !empty($_SESSION[$site_id]))
{
	$u = empty($_SESSION[$site_id]) ? base64_decode($_COOKIE[$site_id]) : base64_decode($_SESSION[$site_id]);
	$u = explode(':_:', $u);
	$u_id = (int) sed_import($u[0], 'D', 'INT');
	$u_passhash = sed_import($u[1], 'D', 'ALP');
	if($u_id > 0)
	{

As you can clearly see, the value of $sys['site_id'] (used to create the login session cookie) is derived from $cfg['mainurl']... obviously, a URL with a subdomain format doesn't match this cookie... so the user is seen as logged out when we have a subdomain in the URL, but not when we write the corresponding (original) URL for that location.

For now, the only solution I've found is to always check the "Remember me" checkbox when logging in (I don't know how this trick interacts with session cookie creation...).
I had to core-hack system/header.php, changing this line:
$out['guest_cookiettl'] = '<input type="checkbox" name="rremember" />';
like this:
$out['guest_cookiettl'] = '<input type="checkbox" checked="yes" name="rremember" style=" visibility: hidden; " />';
so that the box is always checked and users are not permitted to un-check it...

I hope the developers can find a solution with the newer auth_session methods...
in BLUES I trust
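
Added example, not Cotonti's code and not part of the original post: a PHP script that reuses the site_id derivation and the session-before-cookie lookup from the quoted snippet and applies RFC 6265 domain matching to the two hosts from the post. It assumes that PHP's session cookie is host-only (the PHP default) and that the "remember me" cookie is set with Domain=mydomain.net; the helper names, the mainurl value, user id 42 and the token are constructed.

```php
<?php
// Added illustration, not Cotonti code; helper names are hypothetical.

// RFC 6265 domain-match: is a cookie scoped to $cookieDomain sent to $host?
// $hostOnly means the cookie was set without a Domain attribute.
function cookie_is_sent(string $host, string $cookieDomain, bool $hostOnly): bool
{
    $host = strtolower($host);
    $cookieDomain = strtolower(ltrim($cookieDomain, '.'));
    if ($host === $cookieDomain) {
        return true;
    }
    if ($hostOnly) {
        return false;
    }
    $suffix = '.' . $cookieDomain;
    return substr($host, -strlen($suffix)) === $suffix;
}

// Same derivation as the system/common.php snippet quoted in the post.
function site_id(string $mainurl): string
{
    return 'ct' . substr(md5($mainurl), 0, 10);
}

// Same lookup order as the quoted snippet: session value first, then cookie.
function resolve_user_id(array $session, array $cookie, string $siteId): int
{
    if (empty($session[$siteId]) && empty($cookie[$siteId])) {
        return 0;
    }
    $raw = empty($session[$siteId]) ? $cookie[$siteId] : $session[$siteId];
    $parts = explode(':_:', (string) base64_decode($raw, true));
    return count($parts) === 2 ? max(0, (int) $parts[0]) : 0;
}

$siteId = site_id('http://www.mydomain.net'); // constructed mainurl; fixed by config, not by the request host
$token = base64_encode('42:_:' . str_repeat('a', 32)); // constructed sample value

foreach (['www.mydomain.net', 'cat1.mydomain.net'] as $host) {
    // Assumptions: the PHP session cookie is host-only (PHP default) and the
    // "remember me" cookie was set with Domain=mydomain.net.
    $session = cookie_is_sent($host, 'www.mydomain.net', true) ? [$siteId => $token] : [];
    foreach ([false, true] as $remember) {
        $sent = $remember && cookie_is_sent($host, 'mydomain.net', false);
        $uid = resolve_user_id($session, $sent ? [$siteId => $token] : [], $siteId);
        printf("%-18s remember=%-5s uid=%d\n", $host, var_export($remember, true), $uid);
    }
}
```

Under these assumptions the cookie name is identical on every host; what differs is which cookies the browser sends with the request. Widening a cookie's Domain also delivers the base64 id and password-hash pair to every subdomain, so each of those hosts has to be trusted equally.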