auto-logged out if using url_rewrite and not checking "remember me" box

Problems with Cotonti setting cookies and auth_session when using brute url_rewrite

donP
#1 2010-06-04 07:16
Since I implemented my own url_rewrite transformation to obtain "fake" subdomains (cat1.mydomain.net/subcat... cat2.mydomain.net/subcat/subsubcat...), I have had many problems staying logged in.
In fact, every time I surfed from www.mydomain.net to one of the subdomains I got logged out (and when I returned to the same location but with the normal URL (e.g. www.mydomain.net/list.php?c=cat1) I was magically still logged in).

I think I've found the problem...

In system/common.php we have:

$site_id = 'ct' . substr(md5($cfg['mainurl']), 0, 10);
$sys['site_id'] = $site_id;

session_start();

if(!empty($_COOKIE[$site_id]) || !empty($_SESSION[$site_id]))
{
	$u = empty($_SESSION[$site_id]) ? base64_decode($_COOKIE[$site_id]) : base64_decode($_SESSION[$site_id]);
	$u = explode(':_:', $u);
	$u_id = (int) sed_import($u[0], 'D', 'INT');
	$u_passhash = sed_import($u[1], 'D', 'ALP');
	if($u_id > 0)
	{

As you can clearly see, the value of $sys['site_id'] (used to create the login session cookie) is derived from $cfg['mainurl']... obviously, a URL with a subdomain format doesn't match this cookie... so the user is seen as logged out when we have a subdomain in the URL, but not when we write the corresponding (original) URL for that location.

For now, the only solution I've found is always checking the "Remember me" checkbox when logging in (I don't know how this trick interacts with session cookie creation...).
I had to core-hack system/header.php, changing this line:
$out['guest_cookiettl'] = '<input type="checkbox" name="rremember" />';
to this:
$out['guest_cookiettl'] = '<input type="checkbox" checked="yes" name="rremember" style=" visibility: hidden; " />';
so that the box is always checked and users are not permitted to un-check it...

I hope the developers can find a solution with the newer auth_session methods...
in BLUES I trust
Trustmaster
#2 2010-06-04 13:51
You're right, currently subdomain authentication is not supported because of site_id. You can manually fix it like this:
$site_id = 'ctSomeRandomThingHere';
In Siena it will be possible to set site_id in config.php with $cfg['site_id'] for sites with subdomains.

Added 3 days later:

Have you tried this solution? If it doesn't work then I think the reason might be PHPSESSID cookie and its domain.
May the Source be with you!

This post was edited by Trustmaster (2010-06-07 13:52, 13 years ago)
donP
#3 2010-06-07 15:45
No, I'm not at my work-PC till this night... I'll try as soon as possible. Thank you.

P.S. Do you suggest I use a random-value-generator function? Do you know of one?
P.S.2 I'd remind you that many other parts of the Cotonti code have to be changed in my case (using mod_rewrite to create subdomains)... all the SED_ABSOLUTE_ULR code first of all...

Added 1 day later:

I've tried, following your suggestions...

I first used

$site_id = 'ct' . sed_unique(16);

but then I couldn't log in at all any more.

Then I tried

$site_id = 'alphanumericalstring';

and the problem was the same one I described in the first post of this topic... so it would be the PHPSESSID cookie and its domain (but I can't figure out how it can work now simply by permanently checking the "remember me" checkbox... but it works well, and I use this solution for now).
in BLUES I trust

This post was edited by donP (2010-06-08 20:20, 13 years ago)
Trustmaster
#4 2010-07-01 15:10
Sorry, I missed this message. No, a random number (like sed_unique) won't work because it changes on every request. The 'alphanumericalstring' is what I really meant. Yes, PHP sessions are tied to the same domain by default, so you need to change php.ini to make it support subdomains... or enforce "remember me" like you did.
May the Source be with you!
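The two cookies discussed in this thread (PHPSESSID and the site_id "remember me" cookie) only follow the user across cat1.mydomain.net and www.mydomain.net if both are scoped to the parent domain. The following is an added illustration, not Cotonti code; the helper names `cookie_domain_for` and `set_remember_cookie` are made up for it, and `$cfg['mainurl']` is assumed to hold the canonical site URL as in Cotonti's config.

```php
<?php
// Added example (not Cotonti code): scope the PHP session cookie and the
// site_id cookie to the parent domain so subdomains share the login.

/**
 * Derive the cookie domain from the configured main URL.
 * 'http://www.mydomain.net' -> '.mydomain.net', so cat1.mydomain.net and
 * www.mydomain.net receive the same cookies. Returns '' (host-only cookie)
 * for IP addresses and single-label hosts such as 'localhost', where
 * browsers reject a Domain attribute. Sites under a public suffix like
 * co.uk need a longer suffix than the two labels kept here.
 */
function cookie_domain_for(string $mainurl): string
{
    $host = parse_url($mainurl, PHP_URL_HOST);
    if (!is_string($host) || filter_var($host, FILTER_VALIDATE_IP)) {
        return '';
    }
    $labels = explode('.', $host);
    if (count($labels) < 2) {
        return '';
    }
    return '.' . implode('.', array_slice($labels, -2));
}

$cfg = ['mainurl' => 'http://www.mydomain.net']; // constructed sample value

$site_id = 'ctMySiteId'; // fixed string, as suggested above, not md5(mainurl)
$domain  = cookie_domain_for($cfg['mainurl']);
$https   = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// 1) PHPSESSID: set the domain before session_start().
//    Equivalent php.ini setting: session.cookie_domain = .mydomain.net
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => $domain,
    'secure'   => $https, // only send over TLS when the site runs on HTTPS
    'httponly' => true,   // keep the session id away from page scripts
    'samesite' => 'Lax',
]);
session_start();

// 2) The "remember me" cookie must use the same domain, otherwise a login
//    made on www.mydomain.net is invisible on cat1.mydomain.net.
function set_remember_cookie(string $site_id, string $value, string $domain, bool $https): void
{
    setcookie($site_id, $value, [
        'expires'  => time() + 30 * 86400,
        'path'     => '/',
        'domain'   => $domain,
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```

The array forms of session_set_cookie_params() and setcookie() require PHP 7.3 or newer; on older versions pass the same values as positional arguments.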