View Issue Details

ID: 0015547
Project: phplist application
Category: Security
View Status: public
Last Update: 01-11-12 17:50
Reporter: h2b2
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 2.10.12
Target Version: 4.0.x
Fixed in Version: 2.11.8
Summary: 0015547: Setting secure cookies to true with phpList in subdomain causes session problem.
Description: schkovich reported this issue and provides attached patch, presumably for v2.10.12 (needs to be checked):
==== Start Quote ====
Having set use secure cookies to true and phpList in subdomain caused the problem.

It would be better to create a class that will handle sessions (not only starting and destroying but getters and setters, timers, security, etc) but since phpList is far, far away from OOP perhaps at least a single function that will handle starting sessions should be created. Unfortunately I did not have time to figure out where such function should be placed therefore several files need to be patched.
==== End Quote ====
ref: http://forums.phplist.com/viewtopic.php?p=79355#p79355
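A single session-start helper of the kind the quoted text asks for, written here as an added example that is not part of the attached patch or of phpList itself. It assumes the COOKIE_DOMAIN constant the patch introduces and the md5("phplist") session name the patch uses; the function names, the guard against a second start, the HTTPS-derived secure flag and the httponly flag are this example's own choices.

```php
<?php
// Added example: a shared session helper. Not phpList's code and not the
// reporter's patch. Assumes COOKIE_DOMAIN is defined in config.php as in
// the patch; function names are hypothetical.

function phplist_session_start($lifetime = 3600)
{
    // languages.php, index.php and sidebar.php may each try to start the
    // session on one request. Once a session is active, session_name() and
    // session_set_cookie_params() no longer affect it, so do nothing here.
    if (session_id() !== '') {
        return true;
    }

    $domain = defined('COOKIE_DOMAIN') ? COOKIE_DOMAIN : '';

    // Secure flag follows the actual transport: a cookie marked secure is never
    // sent over plain HTTP, so forcing it on an http:// install drops the session.
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    session_name(md5('phplist'));
    // lifetime, path, domain, secure, httponly (httponly keeps the id away from
    // page scripts; the patch leaves it at its default of false)
    session_set_cookie_params($lifetime, '/', $domain, $secure, true);
    session_cache_limiter('nocache');

    return session_start();
}

function phplist_session_destroy()
{
    $_SESSION = array();

    if (isset($_COOKIE[session_name()])) {
        // Expire the cookie with the same path/domain/flags it was issued with;
        // a browser only removes a cookie when name, path and domain all match.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy();
}
```

With this in place each entry point calls phplist_session_start() instead of carrying its own copy of the four session_* lines, and logout.php calls phplist_session_destroy(), so the cookie parameters exist in exactly one place.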
Tags: No tags attached.

Relationships

child of 0010998 new Enhance security 

Activities

h2b2

08-10-10 00:51

manager  

secure_sessions_patch.diff (6,621 bytes)
    # This patch file was generated by NetBeans IDE
    # Following Index: paths are relative to: /home/schkovich/NetBeansProjects/phpList/trunk/public_html/lists/config
    # This patch can be applied using context Tools: Patch action on respective folder.
    # It uses platform neutral UTF-8 encoding and \n newlines.
    # Above lines and this line are ignored by the patching process.
    Index: config.php
    --- config.php Remotely Modified (Based On HEAD)
    +++ config.php Locally Modified (Based On LOCAL)
    @@ -466,6 +466,11 @@
    # if you use this, you will need to teach your system regularly about patterns in new bounces
    define('USE_ADVANCED_BOUNCEHANDLING',0);

    +/**
    + * Cookie domain, for example 'www.php.net'. To make cookies visible on all
    + * subdomains then the domain must be prefixed with a dot like '.php.net'.
    + */
    +define("COOKIE_DOMAIN", ".yourdomain.tld");

    /*
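Review bot: `define("COOKIE_DOMAIN", ".yourdomain.tld");` ships a placeholder that every installation has to edit by hand, and the leading-dot form the comment recommends scopes the session cookie to every host under that domain, so any application on a sibling subdomain receives, and can overwrite, the phpList admin session cookie. A safer default is an empty string (PHP then issues a host-only cookie), with the dotted form documented as an opt-in for installs that genuinely span subdomains.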


    # This patch file was generated by NetBeans IDE
    # Following Index: paths are relative to: ${HOME}/NetBeansProjects/phpList/trunk/public_html/lists/admin/commonlib/lib
    # This patch can be applied using context Tools: Patch action on respective folder.
    # It uses platform neutral UTF-8 encoding and \n newlines.
    # Above lines and this line are ignored by the patching process.
    Index: userlib.php
    --- userlib.php Remotely Modified (Based On HEAD)
    +++ userlib.php Locally Modified (Based On LOCAL)
    @@ -15,7 +15,7 @@
       }
    //  $_SESSION["session"] = $GLOBALS["PHPSESSID"];
       // What should it be??
    -    $_SESSION["session"] = $_COOKIE["PHPSESSID"];
    +    $_SESSION["session"] = $_COOKIE[md5("phplist")];
    }

    function getEveryoneGroupID() {
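Review bot: `$_SESSION["session"] = $_COOKIE[md5("phplist")];` hard-codes the session name for a second time and reads the raw cookie, which raises an undefined-index notice when the cookie is absent and breaks silently if the name is ever changed. After `session_start()` the same value is available as `session_id()`, so `$_SESSION["session"] = session_id();` avoids both problems and needs no knowledge of the cookie name.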

    # This patch file was generated by NetBeans IDE
    # Following Index: paths are relative to: ${HOME}/NetBeansProjects/phpList/trunk/public_html/lists/admin/FCKeditor/editor/filemanager/connectors/phplist
    # This patch can be applied using context Tools: Patch action on respective folder.
    # It uses platform neutral UTF-8 encoding and \n newlines.
    # Above lines and this line are ignored by the patching process.
    Index: connector.php
    --- connector.php Remotely Modified (Based On HEAD)
    +++ connector.php Locally Modified (Based On LOCAL)
    @@ -33,8 +33,10 @@

    if ( !$Config['Enabled'] )
       SendError( 1, 'This connector is disabled. Please check the "editor/filemanager/connectors/php/config.php" file' ) ;
    -
    -@session_start();
    +session_name(md5("phplist"));
    +session_set_cookie_params(3600, "/", COOKIE_DOMAIN, false);
    +session_cache_limiter('nocache');
    +session_start();
    if (empty($_SESSION['logindetails'])) {
        SendError( 1, 'Access Denied' ) ;
    }
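Review bot: `session_set_cookie_params(3600, "/", COOKIE_DOMAIN, false);` passes `false` as the secure flag and omits the fifth `httponly` argument, so the editor connector's session cookie is sent over plain HTTP and stays readable by page scripts; for an issue about secure cookies the fourth argument should be true whenever the site is served over HTTPS and the fifth should be true. Removing the `@` in front of `session_start()` also means a notice now surfaces if the connector is loaded after another file has already started the session.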

    # This patch file was generated by NetBeans IDE
    # Following Index: paths are relative to: ${HOME}/NetBeansProjects/phpList/trunk/public_html/lists/admin
    # This patch can be applied using context Tools: Patch action on respective folder.
    # It uses platform neutral UTF-8 encoding and \n newlines.
    # Above lines and this line are ignored by the patching process.
    Index: languages.php
    --- languages.php Remotely Modified (Based On HEAD)
    +++ languages.php Locally Modified (Based On LOCAL)
    @@ -46,7 +46,10 @@
    if (!empty($GLOBALS["SessionTableName"])) {
       require_once dirname(__FILE__).'/sessionlib.php';
    }
    -@session_start();
    +session_name(md5("phplist"));
    +session_set_cookie_params(3600, "/", COOKIE_DOMAIN, false);
    +session_cache_limiter('nocache');
    +session_start();

    if (isset($_POST['setlanguage']) && $_POST['setlanguage'] && is_array($LANGUAGES[$_POST['setlanguage']])) {
       $_SESSION['adminlanguage'] = array(
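Review bot: this is the same four-line session block that also appears in connector.php, sidebar.php and index.php, which is exactly the duplication the description warns about; it belongs in one shared function (sessionlib.php is already required just above) that checks `session_id() === ''` before calling `session_name()` and `session_set_cookie_params()`, since both are ignored once a session is active.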

    # This patch file was generated by NetBeans IDE
    # Following Index: paths are relative to: ${HOME}/NetBeansProjects/phpList/trunk/public_html/lists/admin
    # This patch can be applied using context Tools: Patch action on respective folder.
    # It uses platform neutral UTF-8 encoding and \n newlines.
    # Above lines and this line are ignored by the patching process.
    Index: sidebar.php
    --- sidebar.php Remotely Modified (Based On HEAD)
    +++ sidebar.php Locally Modified (Based On LOCAL)
    @@ -5,6 +5,9 @@

       global $pixel,$tables,$require_login;
       if ($require_login) {
    +    session_name(md5("phplist"));
    +    session_set_cookie_params(3600, "/", COOKIE_DOMAIN, false);
    +    session_cache_limiter('nocache');
         session_start();
       }
       $_SESSION["sidebar_enabled"] = "yes";
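Review bot: the three new `session_*` calls inside `if ($require_login)` run on every sidebar render with no check that a session is already active, and the block is now copied a fourth time; replace them with a call to the shared session helper and keep the existing `session_start();` only if that helper does not start the session itself.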

    # This patch file was generated by NetBeans IDE
    # Following Index: paths are relative to: ${HOME}/NetBeansProjects/phpList/trunk/public_html/lists
    # This patch can be applied using context Tools: Patch action on respective folder.
    # It uses platform neutral UTF-8 encoding and \n newlines.
    # Above lines and this line are ignored by the patching process.
    Index: index.php
    --- index.php Remotely Modified (Based On HEAD)
    +++ index.php Locally Modified (Based On LOCAL)
    @@ -51,7 +51,10 @@
       if (!empty($GLOBALS["SessionTableName"])) {
         require_once dirname(__FILE__).'/admin/sessionlib.php';
       }
    -  @session_start(); # it may have been started already in languages
    +  session_name(md5("phplist"));
    +  session_set_cookie_params(3600, "/", COOKIE_DOMAIN, false);
    +  session_cache_limiter('nocache');
    +  session_start(); # it may have been started already in languages
    }

    if (!isset($_POST) && isset($HTTP_POST_VARS)) {
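Review bot: the comment `# it may have been started already in languages` is still true, but the `@` that silenced the second `session_start()` has been dropped, so a notice is now emitted on every request that passed through languages.php first; guard the whole block with `if (session_id() === '')` (or move it into the shared helper) rather than relying on error suppression, because `session_name()` and `session_set_cookie_params()` have no effect on an already active session.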

    # This patch file was generated by NetBeans IDE
    # Following Index: paths are relative to:${HOME}/NetBeansProjects/phpList/trunk/public_html/lists/admin
    # This patch can be applied using context Tools: Patch action on respective folder.
    # It uses platform neutral UTF-8 encoding and \n newlines.
    # Above lines and this line are ignored by the patching process.
    Index: logout.php
    --- logout.php Remotely Modified (Based On HEAD)
    +++ logout.php Locally Modified (Based On LOCAL)
    @@ -1,8 +1,10 @@
    <?php
    -require_once dirname(__FILE__).'/accesscheck.php';
    +require_once dirname(__FILE__) . '/accesscheck.php';

    -$_SESSION["adminloggedin"] = "";
    -$_SESSION["logindetails"] = "";
    +$_SESSION = array();
    +if (isset($_COOKIE[session_name()])) {
    +    setcookie(session_name(), '', time() - 42000, '/');
    +}
    session_destroy();
    ?>
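Review bot: `setcookie(session_name(), '', time() - 42000, '/');` passes only the path, but the cookie was issued with `COOKIE_DOMAIN` as its domain; a browser only deletes a cookie when name, path and domain all match, so the session cookie survives logout and the old id is presented again on the next request. Use `session_get_cookie_params()` and pass its path, domain, secure and httponly values to `setcookie()` so the deletion matches the original cookie. The whitespace-only edit to the `require_once` line is unrelated noise in the patch.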

h2b2

09-10-10 04:20

manager   ~0051124

Patch was confirmed to apply to v2.10.12

michiel

01-11-12 17:50

manager   ~0051835

can't see any "secure cookies" in the patch, but looks like session_name(md5("phplist")) is the main change.

revision 3396