-
-
Notifications
You must be signed in to change notification settings - Fork 212
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issues with cookie domain behind a reverse proxy #2454
Comments
I had the same problem a month ago and had to hijack the DOMAIN constant to make it work. I am not sure how to deal with this, but we sure must find a solution. |
My suggestion is to remove the problematic part Honestly I don't remember which setups caused issues, and I hardly ever run Symphony locally (most of the time I am working on vServers, automatically |
Why can't the domain be 'localhost' ? |
I don't remember. |
Let's hope @brendo does. But if not, I would not mind removing the |
I don't remember either, it's well before my time. It's not something to do with Windows is it? |
I would then do @michael-e's proposed change and see if anybody has problems with it. |
I can send a pull request if @brendo agrees with it. |
Is there any other way to detect the reverse proxy? When this information is removed, I assume this will result in a cookie created for the domain 127.0.0.1? Does this trigger weird behaviour, or potentially leak the information out to other domains? Perhaps no more so then 'null'? |
A proxy should pass the location /some/path/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8000;
} One might attempt to detect a frontend proxy using special headers like So instead I ask: Why do we need the second condition? Are we trying to cover cases where PHP's if (!$_SERVER['HTTP_HOST'] || preg_match('/(localhost|127\.0\.0\.1)/', $_SERVER['HTTP_HOST'])) {
return null; // prevent problems on local setups
} |
I do not want to start yet another debate on where to get server/env values... But, we deal with potentially dangerous data all the time and need to address those cases ourself (sadly). I'be been doing quite a bit of system programming in C, and almost all system calls can return errors. There are no "safe" values. That being said, having NO Host header is a violation of the HTTP/1.1 spec, but HTTP/1.0 allows it. HTTP/1.x is ready to be replaced with a new version and I hope it does the same thing So, I would fix the case where case where PHP's $_SERVER['HTTP_HOST'] is empty? like so: if (empty($_SERVER['HTTP_HOST'])) {
header($_SERVER['SERVER_PROTOCOL'].' 400 Bad Request');
exit;
} |
AFAIK, if (!$_SERVER['HTTP_HOST']) { I agree with your point that any data sent by a client are potentially dangerous, so if we see potential issues we should fix them. But if HTTP 1.0 allows the |
The only HTTP/1.0 traffic I get on my servers are weird looking requests, i.e. hackers. 1.1 mandates Maybe 400 is a bit arsh, maybe 412 Precondition Failed should be used. I think disabling http/1.0 support would solve a lot of problems. But maybe that's something I need to do server-wise. |
Let's see what @brendo thinks. |
Yup :) |
It's quite difficult to know exactly why this was introduced as it's not documented, and therefore, it's not easy to know what repercussions may result from removing it. Because of that, I'm hesitant to make any changes in a point release that we cannot easily verify. Unfortunately, Cookies & Sessions have a notorious history with Symphony and any ill effects are usually widely and immediately felt. Whatever we do here, it has to be measured and tested carefully so to avoid a string of future point releases attempting to 'fix' it. The existing code already has logic for dealing (rather crudely) with the lack of the |
I wouldn't mind the point release, because it's just a bugfix in my eyes. The No wonder we don't remember, the code must be more than 6 years old. :-) Normally I am the one to say "test, test test!". But in this case I think it's pretty hard, simply because we don't know which problems to expect. |
By test I mean verify it still works in the environments above. I wouldn't be comfortable in removing the condition and pushing the release out without this verification. |
Oh, everything seems to work as before
I'd be happy if others could verify different setups. |
Out of curiosity, what does the |
PHP runs in Apache, and |
Hmm, I'm looking at it now and what I think the purpose of the code is to prevent problems when you use local hostnames in development, and then the cookie will be shared on the 'live' site. For example, if you have your development site setup to run as There seems to be a lot of advice about never set the domain, and let PHP handle it as this results in more predictable behaviour with subdomains. Our little regex at the moment seems to handle the making the cookie available on all subdomains by stripping the
So now it's a weird one, if we remove the Both scenarios risk breaking changes, and as such, I'm not comfortable pushing into a 2.6.x release. |
Completely removing the function has one disadvantage: We drop a place where we can "hack" things. For a long time I have been using a modified
If a developer really does this (instead of using Symphony shouldn't try to be clever here. |
Agreed.
Agreed. But lets hold up for a major release then. 3.x will break things anyways. |
Hmmm. |
Given the nature of the proposed fix (re-reading the above discussion I name it a "maybe breaking bugfix") I suggest to include it in Symphony 2.7. I can send a PR if desired. |
Yes please! I presume you've been running it for some time now ? |
Yep, sure. It's one of the hacks I always add (i.e. rebase) on top of the current Symphony version. |
If Symphony runs behind a reverse proxy, Symphony's server will probably listen to 127.0.0.1. In this case the
getDomain
function inlib/toolkit/class.session.php
will cause issues:Checking for
$_SERVER['SERVER_ADDR'] == '127.0.0.1'
is no good idea in this case, because it will prevent Symphony from returning (and properly setting) the correct cookie domain.I don't remember why exactly we needed that "prevent problems on local setups" logic, but there must have been issues with certain browsers on certain "localhost" setups. Nevertheless, looking forward, I suggest to remove at least the mentioned part of the if clause, because it prevents correct cookies in real-world scenarios, for example Symphony running on Apache behind nginx as frontend server (and SSL terminator, in my case).
(It really took me a while to find out what was causing my issues.)
The text was updated successfully, but these errors were encountered: