Good to know this. Thanks!
On Wed, Mar 20, 2013 at 3:50 PM, Benoit Chesneau <[email protected]> wrote: > On Wed, Mar 20, 2013 at 5:26 AM, Anthony Ananich > <[email protected]> wrote: >> I think I've found an answer. It seems that while using vhost >> /_session handler is available in the root of vhost independent on if >> there are any rewrite rules or not. >> >> I was not able to find any documentation about that, so I'm not sure >> if it is bug or feature :) > > It's a feature, see in the section [httpd] of default.ini: > > vhost_global_handlers = _utils, _uuids, _session, _oauth, _users > > - benoƮt > > >> >> On Wed, Mar 20, 2013 at 3:18 PM, Robert Newson <[email protected]> wrote: >>> Hm, not without a code change, I think. The secure rewrites setting is >>> to prevent a rewrite jumping between databases. At first glance it >>> does seem an overreach to block a rewrite to _session (and presumably >>> anything else at the top level). >>> >>> B. >>> >>> On 20 March 2013 12:13, Anthony Ananich <[email protected]> wrote: >>>> Hi! >>>> >>>> I'm trying to make _session handler accessible via url like >>>> http://mysite.com/_session while using rewrite rules. I get the >>>> following error: >>>> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"} >>>> >>>> I found that it could be fixed with adding this to an ini file: >>>> [httpd] >>>> secure_rewrites = false >>>> >>>> Is there a way to allow _session without disabling secure_rewrites? >>>> >>>> Thanks, >>>> Anthony
