0020214: Firefox will soon reject the browsetrail cookie

ID	Project	Category	View Status	Date Submitted	Last Update

0020214	phpList 3 application	Browser Issues	public	29-05-20 12:28	06-07-20 10:06

Reporter	duncanc	Assigned To
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	assigned	Resolution	open
Product Version	3.5.0
Target Version	3.5.4

Summary	0020214: Firefox will soon reject the browsetrail cookie
Description	Firefox developer tools issues a warning about the browsetrail cookie.
Tags	No tags attached.

duncanc 29-05-20 12:28 updater	Screenshot from 2020-05-29 12-25-29.png (24,771 bytes) Screenshot from 2020-05-29 12-25-29.png (24,771 bytes)

michiel 29-05-20 21:03 administrator ~0063166	Resolved with https://github.com/phpList/phplist3/commit/ec874b7878d0d3f5844ccfe791c333d540e1e063 Assigning to @suela to handle the change log and versioning

duncanc 30-05-20 08:59 updater ~0063167	The same applies to the PHPSESSID cookie. The warning appears only once, so I missed that previously. Screenshot from 2020-05-30 06-19-23.png (38,038 bytes) Screenshot from 2020-05-30 06-19-23.png (38,038 bytes)

michiel 30-05-20 11:58 administrator ~0063168	Interesting. I don't get that warning on PHPSESSID. I wonder if that's a system setting. I guess it's time to take control of the session cookie and set our own, eg phpListSessID, so that we can explicitly control the way it is set.

michiel 30-05-20 12:27 administrator ~0063169	https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-samesite the value on my system is empty, so I'm not sure why I didn't get the warning like you, as I should have. This should resolve it: https://github.com/phpList/phplist3/commit/1e8d95415440c3c786f5d9943ea5116096a54790

duncanc 04-07-20 07:09 updater ~0063196 Last edited: 04-07-20 07:09 View 2 revisions	@michiel I have only just noticed that this change breaks the session handling for the kcfinder image browsing used in ckeditor. Now not allowed to browse images, getting a pop-up "You don't have permissions to browse server". Need to investigate what is happening but I suggest reverting this change.

michiel 04-07-20 10:39 administrator ~0063197	It's probably because I renamed the session. I will check this today or tomorrow and then we can fix it.

michiel 04-07-20 10:40 administrator ~0063198	It may also be the ini_set('session.cookie_httponly',1); which blocks Javascript from using the cookie.

duncanc 04-07-20 18:28 updater ~0063199	It is the session name that is the problem. I should have noticed this earlier because kcfinder uses the default session settings so currently does not work with a different session name or with the "sessions in database" approach. Maybe if something can be added to config.php or just assume that the session is always going to be called "phpListSession", then I can change kcfinder. Maybe use the cms integration approach.

michiel 05-07-20 11:40 administrator ~0063200	Yes, let's stick to having phpListSession as the session name. This will of course create a version dependency, but considering we bundle the CKeditor with phpList, that should be fine. Are you happy to make the change?

michiel 05-07-20 15:54 administrator ~0063201	I've submitted https://github.com/bramley/phplist-plugin-ckeditor/pull/21 This fixes it for me on my local system, but worth checking it works for you as well.

duncanc 06-07-20 10:06 updater ~0063202	There is a new release of the CKEditor plugin that includes the kcfinder session initialisation.

View Issue Details

Activities