Verify that any existing session path is correct and avoid trying to … #855
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…set an empty path for the session cookie.
|
Note: unfortunately it seems there's no equivalent for session_unset() in ZF's SessionManager, and session writes are temporarily disabled when creating a new session since PHP's documentation says PHP 7 will write the old session on session_regenerate_id(). |
|
Looks reasonable to me; I've backported to release-3.1. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…set an empty path for the session cookie.
We have cases where there is a common VuFind instance in domain root and sub-instances in subdirectories. Currently, if a user enters the common instance first, he'll get a session cookie with '/' as the path, and it will also be used for the sub-instances. This causes trouble when e.g. login methods differ between the instances. Since the cookie headers a browser sends don't include information on the cookie path, this PR adds storing of the path to the session and verification of its correctness. This of course applies in practice only when [Session] limit_by_path is enabled.
The other small change is to ensure that an empty path is never used, otherwise Zend will throw an InvalidArgumentException. That would have happened with VuFind installed in domain root with limit_by_path enabled.