URL:
<http://savannah.gnu.org/bugs/?22763>
Summary: strange domain set for session cookies
Project: phpGroupWare
Submitted by: olberger
Submitted on: Friday 28.03.2008 at 17:01
Item Group: 0.9.16.012
Category: API - phpGWapi
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Component Version: DEB
Operating System: GNU/Linux - Debian
Reproducibility: Every Time
Planned Release: None
Fixed Release:
_______________________________________________________
Details:
FYI, this is a forward of bug #421580 tracked in Debian BTS, with Dave's
answer, about not using fqdn but parent domain in session cookies, which is a
bug in the most generic case.
If the only justification is sitemanager, better fix sitemanager, then ;)
----- Forwarded message from Dave Hall <[EMAIL PROTECTED]> -----
>
> On Mon, 2007-04-30 at 10:37 +0200, Olivier Berger wrote:
> > Package: phpgroupware
> > Version: 0.9.16.011-3
> > Severity: normal
> >
> > Phpgroupware session cookies seem to get their domain set to the domain
> > instead of the fqdn...
> >
> > On a server like phpgroupware.mydomain.com, the cookies domain will be
> > '.mydomain.com'.
> >
> > I think this is not a generic setup which would match most installations
> > where several phpgroupware servers could be installed on the same
> > network and be isolated session-wide.
> >
> > Correct me if I'm wrong as I'm no expert in cookie specification.
>
> phpGroupWare attempts to set the cookie to the parent of the phpgw
> domain (usually .domain.tld) so sitemgr can be used for sites running on
> sub (or super) domains of the phpgw hostname. It is kinda buggy as
> running phpgw on domain.com.au sets the cookie to .com.au which is a
> real problem.
>
> It is something on my "i will get to it one day list". If someone wants
> to submit a patch, I would propose the following:
>
> * setup - add cookie domain which defaults to the parent of the current
> phpgw domain
>
> * the session classes use this value when setting the domain of cookies
>
> * the patch to be developed for HEAD :)
>
> Cheers
>
> Dave
_______________________________________________________
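Added example (not part of the original report and not phpGroupWare code): a PHP sketch of the cookie-domain problem discussed above, placing an assumed "strip the first label" derivation beside a check for the configurable cookie domain proposed in the reply. The function names, the $configured parameter and the three-entry suffix list are hypothetical, and the sample hostnames are the ones quoted in the report.

```php
<?php
// Added illustration; not phpGroupWare code. All names are hypothetical.

// Assumed reconstruction of the behaviour described in the report:
// drop the left-most label and scope the cookie to what remains.
function naive_parent_domain(string $host): string
{
    $labels = explode('.', strtolower($host));
    array_shift($labels);
    return '.' . implode('.', $labels);
}

// Constructed sample only; a real deployment would consult the full
// Public Suffix List instead of this three-entry array.
const SAMPLE_PUBLIC_SUFFIXES = ['com', 'com.au', 'co.uk'];

// Returns the Domain attribute to use, or '' for a host-only cookie.
// $configured stands in for the setup value proposed in the reply.
function resolve_cookie_domain(string $host, string $configured = ''): string
{
    $host = strtolower(rtrim($host, '.'));
    $domain = strtolower(trim($configured, '.'));
    if ($domain === '') {
        return '';                      // no setting: isolate per FQDN
    }
    if (in_array($domain, SAMPLE_PUBLIC_SUFFIXES, true)) {
        return '';                      // never scope to a registry suffix
    }
    $isSame = ($host === $domain);
    $isSub  = (substr($host, -strlen($domain) - 1) === '.' . $domain);
    if (!$isSame && !$isSub) {
        return '';                      // setting does not cover this host
    }
    return '.' . $domain;
}

// Hostnames taken from the report; the configured values are constructed.
$cases = [
    ['phpgroupware.mydomain.com', 'mydomain.com'],
    ['domain.com.au', 'com.au'],
    ['phpgroupware.mydomain.com', ''],
];
foreach ($cases as [$host, $configured]) {
    printf("%-26s naive=%-14s resolved=%s\n", $host,
        naive_parent_domain($host),
        var_export(resolve_cookie_domain($host, $configured), true));
}
```

An empty result means the Domain attribute is left out when the cookie is set, so the browser returns the session cookie only to the exact host that issued it.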