cotonti.com : auto-logged out if using url_rewrite and not checking "remember me" box

Trustmaster

Thu, 01 Jul 2010 15:10:23 -0000

Sorry, I've missed this message. No, random number (like sed_unique) won't work because it changes every request. The 'alphanumericalstring' seems like what I really meant. Yes, PHP sessions are tied to the same domain by default so you need to change php.ini to make it support subdomains... or enforce "remember me" like you did.

donP

Mon, 07 Jun 2010 15:45:05 -0000

No, I'm not at my work-PC till this night... I'll try as soon as possible. Thank you.

P.S. Do you suggest me to use a random-value-generator function? Do you know some?
P.S.2 I'd remember you that many other parts of Cotonti Code have to be changed in my case (using mod_rewrite to create subdomauins)... all SED_ABSOLUTE_ULR codes at first...

Added 1 day later:

I've tried, following your suggestions...

I first used

$site_id = 'ct' . sed_unique(16);

but I couldn't login at all, no more.

Then I tried

$site_id = 'alphanumericalstring';

and the problem was the same I described in the first post of this topic... so, it would be the PHPSESSID cookie and its domain (but I can't figure how it can function now simply by permanently checking the "remember me" checkbox... but it work well, and I use this solution for now).

Trustmaster

Fri, 04 Jun 2010 13:51:14 -0000

You're right, currently subdomain authentication is not supported because of site_id. You can manually fix it like

$site_id = 'ctSomeRandomThingHere';

In Siena it will be possible to set site_id in config.php with $cfg['site_id'] for sites with subdomains.

Added 3 days later:

Have you tried this solution? If it doesn't work then I think the reason might be PHPSESSID cookie and its domain.

donP

Fri, 04 Jun 2010 07:16:20 -0000

From when I realized my own url_rewrite transformation to obtain "fake" subdomains (cat1.mydomain.net/subcat... cat2.mydomain.net/subcat/subsubcat...) I had much problems in stay logged in.
In fact, everytime I surfed from www.mydomain.net to one of the subdomains I got logged-out (and when I returned to the same location but with normal ulr (e.g. www.mydomain.net/list.php?c=cat1) I was magically still logged-in.

I think I've found the problem...

In system/common.php we have:

$site_id = 'ct' . substr(md5($cfg['mainurl']), 0, 10);
$sys['site_id'] = $site_id;

session_start();

if(!empty($_COOKIE[$site_id]) || !empty($_SESSION[$site_id]))
{
	$u = empty($_SESSION[$site_id]) ? base64_decode($_COOKIE[$site_id]) : base64_decode($_SESSION[$site_id]);
	$u = explode(':_:', $u);
	$u_id = (int) sed_import($u[0], 'D', 'INT');
	$u_passhash = sed_import($u[1], 'D', 'ALP');
	if($u_id > 0)
	{

As you can clearly see, the value of $sys['site_id'] (used to create log-session-cookie) is derived from $cfg['mainurl']... obviously, a url with a subdomain format doesn't match with this cookie... so, the user is seen as logged-out when we have a subdomain in url but not when we write the corresponding (original) ulr for that location.

For now, the only solution I've found is always checking the "Remember me" checkbox when loggin-in (I don't know how this trick interacts with session-coockie-creation...
I had to core-hack system/header.php changing this line:

$out['guest_cookiettl'] = '';

like that:

$out['guest_cookiettl'] = '';

to set always checked that box and not to permit users to un-check...

I hope Developers could find a solution with newer auth_session methods...