View Issue Details

ID: 0020214
Project: phpList 3 application
Category: Browser Issues
View Status: public
Last Update: 31-07-20 12:59
Reporter: duncanc
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 3.5.0
Target Version: 3.5.4
Fixed in Version: 3.5.5
Summary: 0020214: Firefox will soon reject the browsetrail cookie
Description: Firefox developer tools issues a warning about the browsetrail cookie.
Tags: No tags attached.

Activities

duncanc

29-05-20 12:28

updater  

michiel

29-05-20 21:03

administrator   ~0063166


Resolved with https://github.com/phpList/phplist3/commit/ec874b7878d0d3f5844ccfe791c333d540e1e063

Assigning to @suela to handle the change log and versioning

duncanc

30-05-20 08:59

updater   ~0063167

The same applies to the PHPSESSID cookie. The warning appears only once, so I missed that previously.

michiel

30-05-20 11:58

administrator   ~0063168

Interesting. I don't get that warning on PHPSESSID. I wonder if that's a system setting.
I guess it's time to take control of the session cookie and set our own, e.g. phpListSessID, so that we can explicitly control the way it is set.

michiel

30-05-20 12:27

administrator   ~0063169

https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-samesite

The value on my system is empty, so I'm not sure why I didn't get the warning like you, as I should have.

This should resolve it: https://github.com/phpList/phplist3/commit/1e8d95415440c3c786f5d9943ea5116096a54790

duncanc

04-07-20 07:09

updater   ~0063196

Last edited: 04-07-20 07:09

@michiel I have only just noticed that this change breaks the session handling for the kcfinder image browsing used in ckeditor.
Now not allowed to browse images, getting a pop-up "You don't have permissions to browse server".

Need to investigate what is happening but I suggest reverting this change.

michiel

04-07-20 10:39

administrator   ~0063197

It's probably because I renamed the session. I will check this today or tomorrow and then we can fix it.

michiel

04-07-20 10:40

administrator   ~0063198

It may also be the

 ini_set('session.cookie_httponly',1);

which blocks JavaScript from using the cookie.

duncanc

04-07-20 18:28

updater   ~0063199

It is the session name that is the problem. I should have noticed this earlier because kcfinder uses the default session settings so currently does not work with a different session name or with the "sessions in database" approach.

Maybe if something can be added to config.php or just assume that the session is always going to be called "phpListSession", then I can change kcfinder. Maybe use the cms integration approach.

michiel

05-07-20 11:40

administrator   ~0063200

Yes, let's stick to having phpListSession as the session name. This will of course create a version dependency, but considering we bundle the CKeditor with phpList, that should be fine.

Are you happy to make the change?

michiel

05-07-20 15:54

administrator   ~0063201

I've submitted https://github.com/bramley/phplist-plugin-ckeditor/pull/21

This fixes it for me on my local system, but worth checking it works for you as well.

duncanc

06-07-20 10:06

updater   ~0063202

There is a new release of the CKEditor plugin that includes the kcfinder session initialisation.
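
The following is an added example, not part of the thread and not phpList or kcfinder code: a session bootstrap that both an application and a bundled component include, so that both use the same session name and the same explicit cookie attributes. The file name, function names and the `Lax` value are assumptions, and the array form of the cookie calls needs PHP 7.3 or later.

```php
<?php
// session_bootstrap.php (hypothetical file name): added example, not phpList
// or kcfinder code. Requires PHP 7.3+ for the array form of the cookie calls.
declare(strict_types=1);

const APP_SESSION_NAME = 'phpListSession'; // session name agreed in the thread

/** Cookie flags shared by the session cookie and other application cookies. */
function base_cookie_flags(): array
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    return [
        'path'     => '/',
        'secure'   => $https, // send over HTTPS only when the site uses HTTPS
        'httponly' => true,   // not readable through document.cookie
        'samesite' => 'Lax',  // assumed value; the thread does not name one
    ];
}

/** Start the session under the shared name with explicit cookie attributes. */
function start_app_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started by the including script
    }
    // Both calls must precede session_start(). A component that skips
    // session_name() reads the default PHPSESSID cookie instead and starts an
    // empty session with no login data in it.
    session_name(APP_SESSION_NAME);
    session_set_cookie_params(['lifetime' => 0] + base_cookie_flags());
    // If sessions are stored in a database, register the same handler here
    // with session_set_save_handler() before starting (not shown).
    session_start();
}

/** Set a non-session cookie (for example a navigation trail) with the same flags. */
function set_app_cookie(string $name, string $value, int $ttlSeconds): bool
{
    $options = ['expires' => time() + $ttlSeconds] + base_cookie_flags();
    return setcookie($name, $value, $options);
}

// Usage, in the application and in the bundled file browser's entry point
// alike, in place of a bare session_start():
//   require __DIR__ . '/session_bootstrap.php';
//   start_app_session();
```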