| Re: XOOPS 2.5.11 session handling too strict? |
| by Mamba on 2024/10/29 3:11:14 Yes, preferences could be a good location for it. |
| Re: XOOPS 2.5.11 session handling too strict? |
| by Mage on 2024/10/27 20:17:58 Maybe we could add this possibility in the preferences? We add a drop-down menu with the possible options. By default we could put "lax" but in the preferences. This is easier for users to be able to change from the preferences. |
| Re: XOOPS 2.5.11 session handling too strict? |
| by Mamba on 2024/10/23 22:42:21 You should be able to use "Lax" safely, as it ensures a smoother user experience while still offering protection against potential threats. If we don't find a better solution to deal with the issues you've encountered, we might switch to "Lax" as default and advise users to switch to "strict" if they want the highest level of security. |
| Re: XOOPS 2.5.11 session handling too strict? |
| by cecadm on 2024/10/22 12:32:22 Hi all! I just tested in 2.5.11 (php 7.3.33): 'samesite' => 'strict', / 'samesite' => 'Lax' in kernel/session.php with "Lax" the behavior is like the 'old' 2.5.10, fantastic! Now the question is, is it really unsecure to use samesite=Lax instead of samesite=strict? I just think for example about Instagram used on the PC if I send you a link via WhatsApp web and you click on it the browser will open a new tab where the login will be still valid, it will not ask you to login every time. thank you very much for the support! Carlo |
| Re: XOOPS 2.5.11 session handling too strict? |
| by Mamba on 2024/10/22 1:30:14 Somebody suggested to add this code to mainfile.php le="color: #000000"><?php ini_set('session.cookie_lifetime', 0); // Make session cookie persist until browser closes ini_set('session.use_only_cookies', 1); ini_set('session.use_trans_sid', 0); ini_set('session.cookie_samesite', 'Lax'); // Allow cross-site requests while maintaining some security Test if this would help, but don't leave the code in your mainfile.php, this is just for testing, so once you done, comment it out. If it doesn't work, comment it out, and try to change the "strict" to "Lax" for le="color: #000000"><?php 'samesite' => 'strict', to: le="color: #000000"><?php 'samesite' => 'Lax', in /kernel/session.php le="color: #000000"><?php if (PHP_VERSION_ID >= 70300) { $options = [ 'lifetime' => $lifetime, 'path' => '/', 'domain' => XOOPS_COOKIE_DOMAIN, 'secure' => $secure, 'httponly' => true, 'samesite' => 'strict', ]; session_set_cookie_params($options); } else { session_set_cookie_params($lifetime, '/', XOOPS_COOKIE_DOMAIN, $secure, true); } Again, once you're done with testing, reverse to the original code, and let us know if any of it helped |