eGW, Cookies, Site-Mgr and infinite redirections

GeorgK 2016-08-24 14:55:14 UTC #1

Hi,

in the former version I found a setup that works for us.
Now it wouldn’t work.

We use multidomain-setup and actually setup “root-dir of the webserver” as cookiepath

Some hints?

GeorgK 2016-08-25 09:15:26 UTC #2

According to firebug it was set the sessionid-cookie with and without the trailing dot. (rfc2109 & rfc6265 section-4.1.2.3)

When the cookie without trailing dot is deleted, login is possible, but the mail-module can’t find the session

It seems, that not all modules respect admin-site-config_newsettings[cookiedomain] and admin-site-config_newsettings[cookiepath] from the admin-panel?

Ralf_Becker_Stylite 2016-08-25 12:41:18 UTC #3

Hi Georg,

According to firebug it was set the sessionid-cookie with and without the
trailing dot. (rfc2109 & rfc6265 section-4.1.2.3)

When the cookie without trailing dot is deleted, login is possible, but the
mail-module can’t find the session

It seems, that not all modules respect
admin-site-config_newsettings[cookiedomain] and
admin-site-config_newsettings[cookiepath] from the admin-panel?

Sessions cookies are send from one central place in our code:

https://github.com/EGroupware/egroupware/blob/master/api/src/Session.php#L1234

Maybe you can add some debug / error_log there.

Cookies are send on session creation from:

https://github.com/EGroupware/egroupware/blob/master/api/src/Session.php#L613

Hope that helps you debug the issue.

Ralf

Ralf Becker
Director Software Development

Stylite AG

Isaac-Fulda-Allee 9 | Tel. +49 6131 32702-0
D-55124 Mainz | Fax. +49 6131 32702-70

Email: rb@stylite.de

www.stylite.de | www.egroupware.org

Managing Directors: Andre Keller | Gudrun Mueller
Chairman of the supervisory board: Prof. Dr. Birger Leon Kropshofer

VAT DE214280951 | Registered HRB 46224 Mainz Germany

GeorgK 2016-09-30 09:43:55 UTC #4

Interesting fact is that the problem is different in actual firefox an other browsers.
On my iDevices I don’t habe any problems …

GeorgK 2016-10-24 06:55:02 UTC #5

Hi Ralf,

I think the problem is originated in modules like /api/src/Db/ADOdb/session/adodb-session.php where sessions are set over over session_get_cookie_params. In the actual trunk this module seems to be removed?

For the actual release we have fixed this issue over an entry in the parameters like this:

http://php.net/session.cookie-secure

php_admin_flag session.cookie_secure on

http://php.net/session.cookie-path

php_admin_flag session.cookie_path “/”

http://php.net/session.cookie-domain

php_admin_flag session.cookie_domain “egw.foor.bar”

http://php.net/session.cookie-httponly

php_admin_flag session.cookie_httponly on

session_get_cookie_params doesnt get the parameters from then egw-globals and the parameters of the sessions-cookies depends on the php-version and browser-version when using session_get_cookie_params