1
Mamba
Re: XOOPS 2.5.11 session handling too strict?

You should be able to use "Lax" safely, as it ensures a smoother user experience while still offering protection against potential threats.
If we don't find a better solution to deal with the issues you've encountered, we might switch to "Lax" as default and advise users to switch to "strict" if they want the highest level of security.
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs



2
cecadm
Re: XOOPS 2.5.11 session handling too strict?
  • 10/22 12:32

  • cecadm

  • Just popping in

  • Posts: 3

  • Since: 2009/4/30


Hi all!
I just tested in 2.5.11 (php 7.3.33):
'samesite' => 'strict', / 'samesite' => 'Lax' in kernel/session.php
with "Lax" the behavior is like the 'old' 2.5.10, fantastic!

Now the question is, is it really unsecure to use samesite=Lax instead of samesite=strict?

I just think for example about Instagram used on the PC
if I send you a link via WhatsApp web and you click on it
the browser will open a new tab where the login will be still valid, it will not ask you to login every time.

thank you very much for the support!
Carlo
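An added example, not part of the thread or of XOOPS: a simplified model of how a browser decides whether to attach a session cookie under `SameSite=Strict` versus `SameSite=Lax`, run over the link-from-a-chat case described above and a few other constructed requests. The host names, the cookie value and the "last two host labels" definition of a site are assumptions for illustration; real browsers use the Public Suffix List.

```javascript
// Simplified model of a browser's SameSite decision (illustrative, not browser code).
// Assumption: "site" = scheme + last two host labels; real browsers use the Public Suffix List.
const siteOf = (url) => {
  const u = new URL(url);
  return u.protocol + '//' + u.hostname.split('.').slice(-2).join('.');
};

// Extract the SameSite attribute from a Set-Cookie header value.
// A missing attribute is treated as Lax (the default in current Chromium-based browsers).
function sameSiteOf(setCookie) {
  const m = /;\s*samesite=(strict|lax|none)\b/i.exec(setCookie);
  return m ? m[1].toLowerCase() : 'lax';
}

// req: { initiator, target, method, topLevel }
//   initiator: URL of the page that triggered the request
//   topLevel:  true when the request changes the address bar (link click, form submit)
function cookieSent(setCookie, req) {
  const mode = sameSiteOf(setCookie);
  if (siteOf(req.initiator) === siteOf(req.target)) return true; // same-site: always sent
  if (mode === 'none') return true;    // None: sent cross-site (browsers also require Secure)
  if (mode === 'strict') return false; // Strict: never sent on cross-site requests
  // Lax: only top-level navigations that use a safe HTTP method
  const safe = ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(req.method.toUpperCase());
  return req.topLevel && safe;
}

// Constructed sample requests against a hypothetical site.
const target = 'https://www.example.org/modules/newbb/';
const scenarios = {
  linkFromChat:  { initiator: 'https://web.whatsapp.com/',   target, method: 'GET',  topLevel: true },
  crossSitePost: { initiator: 'https://other.example.net/',  target, method: 'POST', topLevel: true },
  crossSiteImg:  { initiator: 'https://other.example.net/',  target, method: 'GET',  topLevel: false },
  ownSubdomain:  { initiator: 'https://forum.example.org/',  target, method: 'POST', topLevel: true },
};

// Returns { scenarioName: true|false } for one Set-Cookie header value.
function report(setCookie) {
  const out = {};
  for (const [name, req] of Object.entries(scenarios)) out[name] = cookieSent(setCookie, req);
  return out;
}

console.log('Strict', report('PHPSESSID=abc; Path=/; Secure; HttpOnly; SameSite=Strict'));
console.log('Lax   ', report('PHPSESSID=abc; Path=/; Secure; HttpOnly; SameSite=Lax'));
```

Under Lax the only cross-site request that still carries the session cookie is a top-level navigation with a safe method, so the remaining exposure is any action that changes state in response to a GET request.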



3
Mamba
Re: XOOPS 2.5.11 session handling too strict?

Somebody suggested adding this code to mainfile.php

ini_set('session.cookie_lifetime', 0); // Make session cookie persist until browser closes
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);
ini_set('session.cookie_samesite', 'Lax'); // Allow cross-site requests while maintaining some security


Test if this would help, but don't leave the code in your mainfile.php, this is just for testing, so once you're done, comment it out.

If it doesn't work, comment it out, and try to change the "strict" to "Lax" for

'samesite' => 'strict',

to:
'samesite' => 'Lax',


in /kernel/session.php

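if (PHP_VERSION_ID >= 70300) {
    // PHP 7.3+ accepts an options array, which is the only way to set SameSite here
    $options = [
        'lifetime' => $lifetime,
        'path'     => '/',
        'domain'   => XOOPS_COOKIE_DOMAIN,
        'secure'   => $secure,
        'httponly' => true,
        'samesite' => 'strict',
    ];
    session_set_cookie_params($options);
} else {
    // Older PHP: positional arguments (lifetime, path, domain, secure, httponly)
    session_set_cookie_params($lifetime, '/', XOOPS_COOKIE_DOMAIN, $secure, true);
}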


Again, once you're done with testing, revert to the original code, and let us know if any of it helped.



4
Mamba
Re: Help Needed with Custom Module Development in XOOPS

Quote:
What’s the best way to retrieve data from other modules in XOOPS? Should I be using the existing APIs, or is there another recommended method?
Is there a specific XOOPS function or best practice for interacting with the database across multiple modules? I want to ensure that my approach is clean and efficient.

The best way would be probably to use XMF (see the XMF Cookbook), and specifically the Module Helpers

Maybe something like this (please note: none of this code is tested!):

use Xmf\Module\Helper;

// Get the helper for the 'news' module
$helper = Helper::getHelper('news');

// Get the handler for the 'story' object in the 'news' module
$storyHandler = $helper->getHandler('story');

// Define criteria for data retrieval
$criteria = new CriteriaCompo();
$criteria->setLimit(10); // Limit to 10 items

// Retrieve data objects
$newsItems = $storyHandler->getObjects($criteria);

// Loop through and display data
foreach ($newsItems as $newsItem) {
    echo $newsItem->getVar('title');
}


Quote:
How should I structure the permissions for users accessing this dashboard, especially considering the different access levels required for the different modules?

I would work with the XMF Permission Helper

Maybe something like this:

Initialize the Permission Helper:

use Xmf\Module\Helper\Permission;

$permHelper = new Permission();


Check User Permissions:

// Assuming you're in your custom module context
$moduleDirName = basename(dirname(__DIR__));
$helper = Helper::getHelper($moduleDirName);
$permHelper = new Permission($helper);

$permissionName = 'view_dashboard'; // Define your custom permission
$itemId = null; // Use null if not item-specific
$userGroups = $xoopsUser ? $xoopsUser->getGroups() : [XOOPS_GROUP_ANONYMOUS];

if ($permHelper->checkPermission($permissionName, $itemId, $userGroups)) {
    // User has permission, display dashboard
} else {
    // User doesn't have permission, show an error or redirect
    redirect_header('index.php', 3, _NOPERM);
}


Define Permissions in Your Module:
In your xoops_version.php, define the permissions your module will use.

Example in xoops_version.php:

$modversion['config'][] = [
    'name'        => 'permissions',
    'title'       => '_MI_YOURMODULE_PERMISSIONS',
    'description' => '_MI_YOURMODULE_PERMISSIONS_DESC',
    'formtype'    => 'group_multi',
    'valuetype'   => 'array',
    'default'     => [XOOPS_GROUP_ADMIN, XOOPS_GROUP_USERS],
];


Set Up Permission Items:
Use the Permission Helper to set up permission items in your module's administration interface.

Example in Your Module's Admin Code:

$permHelper->savePermissionForItem('view_dashboard', $itemId, $groupIds);


Consider Module Permissions:
When accessing other modules' data, check if the user has permissions in those modules.

Example:
// For the 'news' module
$newsHelper = Helper::getHelper('news');
$newsPermHelper = new Permission($newsHelper);

if ($newsPermHelper->checkPermission('view', $newsItemId, $userGroups)) {
    // User has permission to view the news item
} else {
    // Handle lack of permission
}


Quote:
Are there any examples or tutorials for similar use cases (integrating data from multiple modules) that you could point me to?

You might look at the modules from Mage:
xmArticle
xmstock
xmdoc

Regarding blockchain, this would be a completely custom implementation - you would need to use PHP libraries to interact with blockchain APIs (like Ethereum, Bitcoin, or Hyperledger), but this would be quite complex.



5
Mamba
Re: Error in newbb - footer.php ligne 44

Great to hear that it's working now!



6
Mamba
Re: Tuto/news: Old themes with XOOPS 2.5.11

Thank you, Alain!



7
Mamba
Re: XOOPS 2.5.11 session handling too strict?

Hi Carlo,

to be honest, I never worked with Session, so I probably couldn't help you. Maybe somebody else with more session experience will jump in to help?

If not, could you research the issue and at least document the differences between code in 2.5.10 and 2.5.11?

That would help me or somebody else to investigate.

Thank you in advance!



8
Mamba
Re: XOOPS 2.5.11 search user is not working

Terrific, I'm happy to hear that it's working!



9
Mamba
Re: Suggestions for xmNews & xSitemap

Thank you very much for providing all the feedback and suggestions.

So is everything working now correctly? Or is there anything to be fixed? If yes, what and how?

Since this is Open Source, we always appreciate help with fixing bugs and improving functionality.



10
alain01
Re: Error in newbb - footer.php ligne 44
  • 10/21 23:19

  • alain01

  • Just can't stay away

  • Posts: 534

  • Since: 2003/6/20


Ok now !



