1
cecadm
Re: XOOPS 2.5.11 session handling too strict?
  • 10/22 12:32

  • cecadm

  • Just popping in

  • Posts: 3

  • Since: 2009/4/30


Hi all!
I just tested in 2.5.11 (PHP 7.3.33):
'samesite' => 'strict', / 'samesite' => 'Lax' in kernel/session.php
With "Lax" the behavior is like the 'old' 2.5.10, fantastic!

Now the question is, is it really insecure to use samesite=Lax instead of samesite=strict?

I just think, for example, about Instagram used on the PC:
if I send you a link via WhatsApp Web and you click on it,
the browser will open a new tab where the login will still be valid; it will not ask you to log in every time.

thank you very much for the support!
Carlo
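
Added example (not part of the post above and not XOOPS code): a simplified JavaScript model of how a browser decides whether to attach a session cookie under each `samesite` value, applied to the navigation cases the thread describes. The site names, the `sendsCookie` and `compare` helpers and the scenario list are constructed for illustration.

```javascript
// Simplified model of the SameSite rule a browser applies to one cookie.
// Assumption: "site" is reduced to a plain string; real browsers compare
// scheme + registrable domain.
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

function sendsCookie(sameSite, req) {
  // initiatorSite is null when the user typed or pasted the URL or used a
  // bookmark: there is no cross-site initiator, so the cookie is attached.
  const crossSite = req.initiatorSite !== null &&
                    req.initiatorSite !== req.targetSite;
  if (!crossSite) return true;
  switch (sameSite.toLowerCase()) {
    case 'none':   return true;   // browsers also require Secure for None
    case 'strict': return false;  // never attached to cross-site requests
    case 'lax':    // only top-level navigations using a safe method
      return req.topLevel && SAFE_METHODS.includes(req.method);
    default: throw new Error('unknown SameSite value: ' + sameSite);
  }
}

// Constructed scenarios; xoops.example stands in for the XOOPS site.
const SITE = 'xoops.example';
const scenarios = {
  pastedUrlInNewTab:  { initiatorSite: null, targetSite: SITE,
                        method: 'GET', topLevel: true },
  linkClickedInWebChat: { initiatorSite: 'chat.example', targetSite: SITE,
                        method: 'GET', topLevel: true },
  crossSiteFormPost:  { initiatorSite: 'other.example', targetSite: SITE,
                        method: 'POST', topLevel: true },
  crossSiteSubresource: { initiatorSite: 'other.example', targetSite: SITE,
                        method: 'GET', topLevel: false },
};

// Returns { scenarioName: { strict: bool, lax: bool } } for comparison.
function compare() {
  const out = {};
  for (const [name, req] of Object.entries(scenarios)) {
    out[name] = { strict: sendsCookie('strict', req),
                  lax: sendsCookie('Lax', req) };
  }
  return out;
}

console.table(compare());
```

The only row where the two values differ is the clicked cross-site link; cross-site POSTs and subresource requests carry no session cookie under either setting.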



2
cecadm
XOOPS 2.5.11 session handling too strict?
  • 10/18 13:45

  • cecadm

  • Just popping in

  • Posts: 3

  • Since: 2009/4/30


2.5.10 test - always logged in
------------
install xoops 2.5.10

from PC or from tablet or android phone
open a browser
do the xoops login
open another tab copy and paste any link from the same xoops website => the login is still valid, you are still logged in
open another browser window (maybe this just from PC), copy and paste any link from the same xoops website => the login is still valid, you are still logged in

still in the same browser, open WhatsApp Web,
copy and paste the link of the installed xoops and then click it
the browser will open a new tab with the xoops site and you are still logged in

WhatsApp is an example; I also did it with other apps that will open a browser with that link (where I'm already logged in in another tab) and it works, you are still logged in.


2.5.11 test - not always logged in
------------
install xoops 2.5.11

from PC (same result as in 2.5.10)
open a browser
do the xoops login
open another tab copy and paste any link from the same xoops website => the login is still valid, you are still logged in
open another window (maybe this just from PC), same browser, copy and paste any link from the same xoops website => the login is still valid, you are still logged in


from android phone - here is the difference
I open a tab, do the login, good
if I open another tab and copy paste the same link... I'm not logged in anymore, moreover I am logged out in the first tab too...

PC/android phone with WhatsApp (or WhatsApp Web) or other app that will open a link - here is the difference
I already did the login in xoops in a browser; if in the same browser I open WhatsApp, copy and paste my xoops link and then click there... the link opened is not logged in and I'm logged out in the first tab
if I use any app that opens a browser with a link, even if there is a tab where I already did the login, the new tab with the link will not be logged in

I can understand that in 2.5.11 the session control is different and maybe more strict,
how can I have the session behaviour of 2.5.10 in 2.5.11?

regards
Carlo



3
cecadm
Re: XOOPS 2.5.11 search user is not working
  • 10/12 8:23

  • cecadm

  • Just popping in

  • Posts: 3

  • Since: 2009/4/30


Hi,
sorry for the late reply,
yes, it is working for my installation
regards
Carlo



