View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0020214 | phpList 3 application | Browser Issues | public | 29-05-20 12:28 | 31-07-20 12:59 |
Reporter | duncanc | Assigned To | | | |
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | resolved | Resolution | fixed | | |
Product Version | 3.5.0 | | | | |
Target Version | 3.5.4 | Fixed in Version | 3.5.5 | | |
Summary | 0020214: Firefox will soon reject the browsetrail cookie | | | | |
Description | Firefox developer tools issues a warning about the browsetrail cookie. | | | | |
Tags | No tags attached. | | | | |
|
Resolved with https://github.com/phpList/phplist3/commit/ec874b7878d0d3f5844ccfe791c333d540e1e063. Assigning to @suela to handle the change log and versioning. |
|
The same applies to the PHPSESSID cookie. The warning appears only once, so I missed that previously. |
|
Interesting. I don't get that warning on PHPSESSID. I wonder if that's a system setting. I guess it's time to take control of the session cookie and set our own, e.g. phpListSessID, so that we can explicitly control the way it is set. |
|
https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-samesite The value on my system is empty, so I'm not sure why I didn't get the warning like you, as I should have. This should resolve it: https://github.com/phpList/phplist3/commit/1e8d95415440c3c786f5d9943ea5116096a54790 |
|
@michiel I have only just noticed that this change breaks the session handling for the kcfinder image browsing used in ckeditor. Now not allowed to browse images, getting a pop-up "You don't have permissions to browse server". Need to investigate what is happening but I suggest reverting this change. |
|
It's probably because I renamed the session. I will check this today or tomorrow and then we can fix it. |
|
It may also be the ini_set('session.cookie_httponly',1); which blocks JavaScript from using the cookie. |
|
It is the session name that is the problem. I should have noticed this earlier because kcfinder uses the default session settings so currently does not work with a different session name or with the "sessions in database" approach. Maybe if something can be added to config.php or just assume that the session is always going to be called "phpListSession", then I can change kcfinder. Maybe use the cms integration approach. |
|
Yes, let's stick to having phpListSession as the session name. This will of course create a version dependency, but considering we bundle the CKeditor with phpList, that should be fine. Are you happy to make the change? |
|
I've submitted https://github.com/bramley/phplist-plugin-ckeditor/pull/21. This fixes it for me on my local system, but worth checking it works for you as well. |
|
There is a new release of the CKEditor plugin that includes the kcfinder session initialisation. |
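
The session-name dependency worked out in this thread, as an added PHP sketch that is not code from phpList, the CKEditor plugin or kcfinder: a named session with explicit cookie attributes, which every entry point has to join before it checks permissions. The function names, the `Lax` value, the cookie value and the `logged_in` key are assumptions made for illustration.

```php
<?php
// Added example, not phpList or kcfinder code. Needs PHP 7.3+ for the
// options-array forms of session_set_cookie_params() and setcookie().

const APP_SESSION_NAME = 'phpListSession'; // session name agreed in the thread

/**
 * Start or join the application session with explicit cookie attributes.
 * Every entry point, including a bundled helper such as a file browser,
 * has to call this before reading $_SESSION. A helper that calls a bare
 * session_start() opens a separate PHPSESSID session with no login state.
 * If sessions live in a database, the same save handler must also be
 * registered (session_set_save_handler) before session_start().
 */
function start_app_session(bool $https): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_name(APP_SESSION_NAME);
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,  // hidden from document.cookie, still sent to PHP
        'samesite' => 'Lax', // assumed value; explicit instead of empty ini
    ]);
    session_start();
}

/** Set an ordinary cookie (e.g. a browse trail) with the same attributes. */
function set_app_cookie(string $name, string $value, bool $https): bool
{
    return setcookie($name, $value, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
start_app_session($https);
set_app_cookie('browsetrail', 'constructed-sample-value', $https);

// Helper-side permission check; 'logged_in' is a hypothetical session key.
$mayBrowse = !empty($_SESSION['logged_in']);
```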