Hi,
I'm using xoops 2.5.11 behind Nginx Proxy Manager (https://nginxproxymanager.com/)
Nginx Proxy Manager has "Block Common Exploits" enabled for this proxy host
When you access to any page where in the url is present the parameter XOOPS_TOKEN_REQUEST you receive "403 Forbidden openresty"
Mostly in the System admin pages, I was using the block page when I found it

I'm not saying it is an bug in xoops or in Nginx Proxy Manager but since I want to keep "Block Common Exploits" enabled I need to hack xoops.

The problem is the presence of the word _REQUEST in the url
the following instructions will change that word in the xoops installation
I suggest to backup the files before to change them

change XOOPS_TOKEN_REQUEST in XOOPS_TOKEN_REQUE
include/findusers.php
modules/system/templates/system_notification_list.tpl
modules/system/templates/system_notification_list.html
modules/system/templates/blocks/system_block_notification.tpl
themes/xswatch4/modules/system/blocks/system_block_notification.tpl

change '_REQUEST' in '_REQUE'
class/xoopssecurity.php
class/xoopsform/formhiddentoken.php

I'm not using protector, maybe there is something to change also there
In preference I have: "Check templates for modifications? YES" otherwise I think you have to rebuild the templates

that's it
Carlo

Hi all!
I just tested in 2.5.11 (php 7.3.33):
'samesite' => 'strict', / 'samesite' => 'Lax' in kernel/session.php
with "Lax" the behavior is like the 'old' 2.5.10, fantastic!

Now the question is, is it really unsecure to use samesite=Lax instead of samesite=strict?

I just think for example about Instagram used on the PC
if I send you a link via WhatsApp web and you click on it
the browser will open a new tab where the login will be still valid, it will not ask you to login every time.

thank you very much for the support!
Carlo

2.5.10 test - always logged in
------------
install xoops 2.5.10

from PC or from tablet or android phone
open a browser
do the xoops login
open another tab copy and paste any link from the same xoops website => the login is still valid, you are still logged in
open another browser window (maybe this just from PC), copy and paste any link from the same xoops website => the login is still valid, you are still logged in

still in the same browser open whatsapp web,
copy paste the link of the installed xoops and then click it
the browser will open a new tab with xoops site and you are still logged in

whatsapp is an example I did it also with other apps that will open a browser with that link (where I'm already logged in in another tab) and it works, you are still logged in.


2.5.11 test - not always logged in
------------
install xoops 2.5.11

from PC (same result as in 2.5.10)
open a browser
do the xoops login
open another tab copy and paste any link from the same xoops website => the login is still valid, you are still logged in
open another window (maybe this just from PC), same browser, copy and paste any link from the same xoops website => the login is still valid, you are still logged in


from android phone - here is the difference
I open a tab, do the login, good
if I open another tab and copy paste the same link... I'm not logged in anymore, moreover I am logged out in the first tab too...

PC/android phone with whatsapp (or whatsapp web) or other app that will open a link - here is the difference
I already did the login in xoops in a browser if in the same browser I open whatsapp and copy paste my xoops link and then click there... the link opened is not logged in and I'm logged out in the first tab
if I use any app that open a browser with a link even if there is a tab where I already did the login the new tab with the link it will be not logged in

I can understand that in 2.5.11 the session control is different and maybe more strict,
how can I have the session behaviour of 2.5.10 in 2.5.11?

regards
Carlo

Hi,
sorry for the late reply,
yes it working for my installation
regards
Carlo