Subject:*
<
Name/Email:*
<
Message Icon:*
<
Select*
<
Message:*
<



Click the Preview to see the content in action.
Options:*
<
Confirmation Code*
<
0 + 2 = ?  
Input the result from the expression
Maximum attempts you can try: 10
*
<
     

Re: XOOPS 2.5.11 session handling too strict?
by Mamba on 2024/10/29 3:11:14

Yes, preferences could be a good location for it.
Re: XOOPS 2.5.11 session handling too strict?
by Mage on 2024/10/27 20:17:58

Maybe we could add this possibility in the preferences? We add a drop-down menu with the possible options.
By default we could put "lax" but in the preferences. This is easier for users to be able to change from the preferences.
Re: XOOPS 2.5.11 session handling too strict?
by Mamba on 2024/10/23 22:42:21

You should be able to use "Lax" safely, as it ensures a smoother user experience while still offering protection against potential threats.
If we don't find a better solution to deal with the issues you've encountered, we might switch to "Lax" as default and advise users to switch to "strict" if they want the highest level of security.
Re: XOOPS 2.5.11 session handling too strict?
by cecadm on 2024/10/22 12:32:22

Hi all!
I just tested in 2.5.11 (php 7.3.33):
'samesite' => 'strict', / 'samesite' => 'Lax' in kernel/session.php
with "Lax" the behavior is like the 'old' 2.5.10, fantastic!

Now the question is, is it really unsecure to use samesite=Lax instead of samesite=strict?

I just think for example about Instagram used on the PC
if I send you a link via WhatsApp web and you click on it
the browser will open a new tab where the login will be still valid, it will not ask you to login every time.

thank you very much for the support!
Carlo
Re: XOOPS 2.5.11 session handling too strict?
by Mamba on 2024/10/22 1:30:14

Somebody suggested to add this code to mainfile.php

le="color: #000000"><?php ini_set('session.cookie_lifetime', 0); // Make session cookie persist until browser closes ini_set('session.use_only_cookies', 1); ini_set('session.use_trans_sid', 0); ini_set('session.cookie_samesite', 'Lax'); // Allow cross-site requests while maintaining some security


Test if this would help, but don't leave the code in your mainfile.php, this is just for testing, so once you done, comment it out.

If it doesn't work, comment it out, and try to change the "strict" to "Lax" for

le="color: #000000"><?php 'samesite' => 'strict',

to:
le="color: #000000"><?php 'samesite' => 'Lax',


in /kernel/session.php

le="color: #000000"><?php if (PHP_VERSION_ID >= 70300) { $options = [ 'lifetime' => $lifetime, 'path' => '/', 'domain' => XOOPS_COOKIE_DOMAIN, 'secure' => $secure, 'httponly' => true, 'samesite' => 'strict', ]; session_set_cookie_params($options); } else { session_set_cookie_params($lifetime, '/', XOOPS_COOKIE_DOMAIN, $secure, true); }


Again, once you're done with testing, reverse to the original code, and let us know if any of it helped

Who's Online

138 user(s) are online (62 user(s) are browsing Support Forums)


Members: 0


Guests: 138


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits