This repository has been archived by the owner on Mar 4, 2021. It is now read-only.

Config changes for sessions name and server_name/http_host #136

Closed
wants to merge 3 commits into from

Conversation

arfrank

@arfrank arfrank commented Jun 8, 2011

Need to check codebase for other $_SERVER['server_name'] uses. One is in MY_config.php (https://github.com/twilio/OpenVBX/blob/master/OpenVBX/libraries/MY_Config.php#L70) and the other is in builtin email library (https://github.com/twilio/OpenVBX/blob/master/system/libraries/Email.php#L1841)

…alid url, but host_name will likely always be. Not sure if changes also need to be made in other sections, such as MY_config library and CI email library
@Gipetto
Contributor

Gipetto commented Jul 13, 2011

Aaron, can you expand on what these changes are in response to?

I think we can fall back to HTTP_HOST if server name is not available. The part that worries me about doing this is that SERVER_NAME is a configuration value set in the Apache config and HTTP_HOST is a value sent by the client. The HTTP_HOST is not reliable because it can be modified by the client at the time of the request (i.e. spoofed). This can potentially open up some security issues as we're now using URLs that have possibly been modified by the user.

Edit: after further looking, I found that the UseCanonicalName directive for Apache can affect this behavior as well. With UseCanonicalName set to Off, it will examine the HTTP_HOST as supplied by the client and use the ServerName if the HTTP_HOST is not defined. So, SERVER_NAME may already be pulling from HTTP_HOST.

I'm still leaning towards leaving SERVER_NAME and making sure that Apache properly reports back the server's name when it can't pull that from the client request.

@arfrank
Author

arfrank commented Jul 24, 2011

It was in response to HTTP_HOST being more reliable as a URL than SERVER_NAME, but maybe a check to see if server name is properly formed and a fallback would work.

What got this going was working on dotcloud, which uses NGINX, not reporting the server name as a URL, so it would never actually set the cookie.
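
The two concerns above (Gipetto's point that HTTP_HOST is client-supplied and that SERVER_NAME may mirror it under UseCanonicalName Off, and Aaron's nginx case where SERVER_NAME is not usable at all) are both addressed by validating whichever value the request offers against the hostnames the operator actually configured. The following is an added example written for this thread, not OpenVBX code; `resolve_request_host()` and the `$allowed_hosts` list are hypothetical names, and the three request arrays at the bottom are constructed to illustrate the cases discussed:

```php
<?php
// Added example, not OpenVBX code. resolve_request_host() and the
// $allowed_hosts list are hypothetical names: the point is that the only
// trustworthy source of the hostname is the operator's configuration,
// because HTTP_HOST comes from the client's Host header and, with Apache's
// UseCanonicalName Off, SERVER_NAME is filled from that same header.

/**
 * Pick the hostname to use for absolute URLs and the session cookie domain.
 *
 * SERVER_NAME is tried first (it is the configured name when Apache runs with
 * UseCanonicalName On), then HTTP_HOST (what nginx deployments that leave
 * SERVER_NAME empty or set to "_" actually expose). Either candidate is used
 * only if it is a well-formed hostname that appears in $allowed_hosts.
 *
 * @param array $server        normally $_SERVER; passed in to keep the function testable
 * @param array $allowed_hosts lower-case hostnames, without port, this install answers for
 * @return string|null         the validated hostname, or null if nothing matched
 */
function resolve_request_host(array $server, array $allowed_hosts)
{
    $candidates = array();
    foreach (array('SERVER_NAME', 'HTTP_HOST') as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            $candidates[] = $server[$key];
        }
    }

    foreach ($candidates as $candidate) {
        // Drop an optional ":port" suffix and normalise case before comparing.
        $host = strtolower(preg_replace('/:\d+$/', '', trim($candidate)));

        // Accept only DNS-style labels (a bare IPv4 address also passes);
        // schemes, paths, "user@" prefixes, "_" and embedded whitespace do not.
        $label_re = '[a-z0-9]([a-z0-9-]*[a-z0-9])?';
        if (!preg_match('/^' . $label_re . '(\.' . $label_re . ')*$/', $host)) {
            continue;
        }

        // Exact match against the configured list; strict comparison so that
        // loosely-typed values such as "0" can never match a configured name.
        if (in_array($host, $allowed_hosts, true)) {
            return $host;
        }
    }

    return null;
}

// Constructed requests covering the cases discussed in this thread.
$allowed = array('vbx.example.com', 'vbx.internal');
$requests = array(
    // Apache, UseCanonicalName On: SERVER_NAME is the configured ServerName.
    'apache canonical' => array('SERVER_NAME' => 'vbx.example.com', 'HTTP_HOST' => 'vbx.example.com'),
    // nginx with no usable server_name: fall back to the (allow-listed) Host header.
    'nginx fallback'   => array('SERVER_NAME' => '_', 'HTTP_HOST' => 'vbx.internal:8080'),
    // Spoofed Host header that also leaked into SERVER_NAME (UseCanonicalName Off).
    'spoofed host'     => array('SERVER_NAME' => 'attacker.example', 'HTTP_HOST' => 'attacker.example'),
);

foreach ($requests as $label => $server) {
    $host = resolve_request_host($server, $allowed);
    printf("%-16s -> %s\n", $label, $host === null ? 'rejected' : $host);
}
```

When the function returns null the caller should use a configured default (or refuse to set the cookie) rather than echo the header into a URL; the same check belongs wherever `$_SERVER['SERVER_NAME']` is read, including the two call sites listed in the description. On nginx the variable reaches PHP through the stock `fastcgi_param SERVER_NAME $server_name;` line, so a vhost without a `server_name` is what leaves it set to something that is not a hostname, which is the case the fallback above covers.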

@Gipetto
Contributor

Gipetto commented Jul 29, 2011

Okay. We'll test this out and see how it looks.

@Gipetto
Contributor

Gipetto commented Aug 13, 2011

Some of these changes have been integrated into the develop branch to better accommodate nginx servers.

See: 9e0b89a

If this stabilizes us then we'll work on the best way to implement some XSS protection into this. Not like we had any before, but no time like the present to fix that, right?

@Gipetto
Contributor

Gipetto commented Aug 17, 2011

Closing this as these changes largely got integrated through different means.

@Gipetto Gipetto closed this Aug 17, 2011