1
cecadm
XOOPS 2.5.11 session handling too strict?
  • 10/18 13:45

  • cecadm

  • Just popping in

  • Posts: 3

  • Since: 2009/4/30


2.5.10 test - always logged in
------------
install xoops 2.5.10

from PC or from tablet or android phone
open a browser
do the xoops login
open another tab copy and paste any link from the same xoops website => the login is still valid, you are still logged in
open another browser window (maybe this just from PC), copy and paste any link from the same xoops website => the login is still valid, you are still logged in

still in the same browser open whatsapp web,
copy paste the link of the installed xoops and then click it
the browser will open a new tab with xoops site and you are still logged in

whatsapp is an example I did it also with other apps that will open a browser with that link (where I'm already logged in in another tab) and it works, you are still logged in.


2.5.11 test - not always logged in
------------
install xoops 2.5.11

from PC (same result as in 2.5.10)
open a browser
do the xoops login
open another tab copy and paste any link from the same xoops website => the login is still valid, you are still logged in
open another window (maybe this just from PC), same browser, copy and paste any link from the same xoops website => the login is still valid, you are still logged in


from android phone - here is the difference
I open a tab, do the login, good
if I open another tab and copy paste the same link... I'm not logged in anymore, moreover I am logged out in the first tab too...

PC/android phone with whatsapp (or whatsapp web) or other app that will open a link - here is the difference
I already did the login in xoops in a browser if in the same browser I open whatsapp and copy paste my xoops link and then click there... the link opened is not logged in and I'm logged out in the first tab
if I use any app that open a browser with a link even if there is a tab where I already did the login the new tab with the link it will be not logged in

I can understand that in 2.5.11 the session control is different and maybe more strict,
how can I have the session behaviour of 2.5.10 in 2.5.11?

regards
Carlo

2
Mamba
Re: XOOPS 2.5.11 session handling too strict?

Hi Carlo,

to be honest, I never worked with Session, so I probably couldn't help you. Maybe somebody else with more session experience will jump in to help?

If not, could you research the issue and at least document the differences between code in 2.5.10 and 2.5.11 ?

That would help me or somebody else to investigate.

Thank you in advance!
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

3
Mamba
Re: XOOPS 2.5.11 session handling too strict?

Somebody suggested to add this code to mainfile.php

ini_set('session.cookie_lifetime'0); // Make session cookie persist until browser closes
ini_set('session.use_only_cookies'1);
ini_set('session.use_trans_sid'0);
ini_set('session.cookie_samesite''Lax'); // Allow cross-site requests while maintaining some security


Test if this would help, but don't leave the code in your mainfile.php, this is just for testing, so once you done, comment it out.

If it doesn't work, comment it out, and try to change the "strict" to "Lax" for

'samesite' => 'strict',

to:
'samesite' => 'Lax',


in /kernel/session.php

if (PHP_VERSION_ID >= 70300) {
            
$options = [
                
'lifetime' => $lifetime,
                
'path'     => '/',
                
'domain'   => XOOPS_COOKIE_DOMAIN,
                
'secure'   => $secure,
                
'httponly' => true,
                
'samesite' => 'strict',
            ];
            
session_set_cookie_params($options);
        } else {
            
session_set_cookie_params($lifetime'/'XOOPS_COOKIE_DOMAIN$securetrue);
        }


Again, once you're done with testing, reverse to the original code, and let us know if any of it helped
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

4
cecadm
Re: XOOPS 2.5.11 session handling too strict?
  • 10/22 12:32

  • cecadm

  • Just popping in

  • Posts: 3

  • Since: 2009/4/30


Hi all!
I just tested in 2.5.11 (php 7.3.33):
'samesite' => 'strict', / 'samesite' => 'Lax' in kernel/session.php
with "Lax" the behavior is like the 'old' 2.5.10, fantastic!

Now the question is, is it really unsecure to use samesite=Lax instead of samesite=strict?

I just think for example about Instagram used on the PC
if I send you a link via WhatsApp web and you click on it
the browser will open a new tab where the login will be still valid, it will not ask you to login every time.

thank you very much for the support!
Carlo

5
Mamba
Re: XOOPS 2.5.11 session handling too strict?

You should be able to use "Lax" safely, as it ensures a smoother user experience while still offering protection against potential threats.
If we don't find a better solution to deal with the issues you've encountered, we might switch to "Lax" as default and advise users to switch to "strict" if they want the highest level of security.
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

6
Mage
Re: XOOPS 2.5.11 session handling too strict?
  • 10/27 20:17

  • Mage

  • Core Developer

  • Posts: 208

  • Since: 2009/8/2 1


Maybe we could add this possibility in the preferences? We add a drop-down menu with the possible options.
By default we could put "lax" but in the preferences. This is easier for users to be able to change from the preferences.

7
Mamba
Re: XOOPS 2.5.11 session handling too strict?
  • Yesterday 3:11

  • Mamba

  • Moderator

  • Posts: 11391

  • Since: 2004/4/23


Yes, preferences could be a good location for it.
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

Login

Who's Online

176 user(s) are online (115 user(s) are browsing Support Forums)


Members: 0


Guests: 176


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Oct 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits