Write session name to file in cmsimple/ folder #215

Closed
cmb69 opened this Issue May 3, 2017 · 3 comments

cmb69 (Member) commented May 3, 2017

Some complex scripts can't be embedded into CMSimple_XH (at least not without considerable effort), but they can still be useful. Hitherto, information could be passed to such "stand-alone" scripts easily via the session. Unfortunately this is no longer easy, since 33eaffe introduced named sessions, and the "stand-alone" script has no easy way to deduce the session name (especially as this might change in a future version).

Therefore I suggest storing the name of the session in cmsimple/.sessionname, so that a "stand-alone" script could read the file, set the session name accordingly and start the session.
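The stand-alone script described above, as an added example that is not part of CMSimple_XH or of this issue: it reads cmsimple/.sessionname, validates the name against PHP's session-name rules before handing it to session_name(), and only resumes a session for which the browser actually sent a cookie. The script location (CMS root), the file holding the bare session name on one line, and the session key read at the end are assumptions.

```php
<?php
// Added example, not CMSimple_XH code. Assumptions: this script sits in the
// CMSimple_XH root directory, cmsimple/.sessionname contains just the session
// name, and the CMS uses PHP's default cookie parameters.

declare(strict_types=1);

/**
 * Read the session name written by the CMS, or return null if the file is
 * missing or holds something that is not a valid PHP session name.
 */
function xhSessionNameFromFile(string $path): ?string
{
    if (!is_file($path) || !is_readable($path)) {
        return null;
    }
    $name = trim((string) file_get_contents($path));
    // PHP session names must be non-empty, alphanumeric and not digits only;
    // reject anything else instead of letting session_name() warn and fall
    // back to PHPSESSID, which would silently start an unrelated session.
    if ($name === '' || ctype_digit($name) || !ctype_alnum($name)) {
        return null;
    }
    return $name;
}

/**
 * Adopt the CMS session. Returns true when $_SESSION now holds the session
 * the CMS would see for this request, false otherwise.
 */
function xhResumeSession(string $cmsimpleDir): bool
{
    $name = xhSessionNameFromFile($cmsimpleDir . '/.sessionname');
    if ($name === null) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        // A session is already running; do not switch names underneath it.
        return session_name() === $name;
    }
    session_name($name);
    // Only resume an existing session: without the cookie there is nothing
    // to share with the CMS, and creating an empty one would just set cookies.
    if (!isset($_COOKIE[$name])) {
        return false;
    }
    return session_start();
}

$cmsimpleDir = __DIR__ . '/cmsimple'; // assumed layout: script in the CMS root
if (!xhResumeSession($cmsimpleDir)) {
    http_response_code(403);
    exit('No CMSimple_XH session available');
}

// From here on $_SESSION is the CMS session for this visitor. Which keys the
// CMS stores there is an assumption; inspect them rather than guessing:
header('Content-Type: text/plain');
echo "Session '" . session_name() . "' resumed, keys: "
    . implode(', ', array_keys($_SESSION)) . "\n";
```

Note that this must run before any output is sent, and that it deliberately fails closed: a missing, unreadable or malformed .sessionname results in a 403 rather than a fallback to PHPSESSID.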

@cmb69 cmb69 added the enhancement label May 3, 2017

@cmb69 cmb69 modified the milestones: 1.7.0beta2, 1.7.0rc1, 1.7 May 3, 2017

cmb69 (Member) commented May 6, 2017

I suggest to merge PR #219.

@cmb69 cmb69 added the voting label May 7, 2017

manu37 (Contributor) commented May 9, 2017

I'm unsure if this is a security leak, but you surely know, @cmb69.

cmb69 (Member) commented May 9, 2017

> I'm unsure if this is a security leak, […]

Before named sessions were introduced, the session name had always been PHPSESSID. Using named sessions isn't supposed to improve security (but rather to separate the sessions of multiple installations), so there's no issue. Furthermore, in most cases the session name can easily be inferred from the URL (basically it's "XH" + CMSIMPLE_ROOT). Thirdly, direct access to cmsimple/ shouldn't be possible; the info in cmsimple/config.php would be more interesting to an attacker than the name of the session.

@cmb69 cmb69 closed this in 07549db May 26, 2017

@cmb69 cmb69 removed the voting label May 26, 2017

@cmb69 cmb69 modified the milestones: 1.7.0rc1, 1.7 May 26, 2017
