+1 Jeff Charette | Principal We Are Charette web / identity / packaging
m 415.298.2707 w wearecharette.com e [email protected] On Mar 20, 2013, at 9:21 AM, Anthony Ananich <[email protected]> wrote: > Good to know this. Thanks! > > On Wed, Mar 20, 2013 at 3:50 PM, Benoit Chesneau <[email protected]> wrote: >> On Wed, Mar 20, 2013 at 5:26 AM, Anthony Ananich >> <[email protected]> wrote: >>> I think I've found an answer. It seems that while using vhost >>> /_session handler is available in the root of vhost independent on if >>> there are any rewrite rules or not. >>> >>> I was not able to find any documentation about that, so I'm not sure >>> if it is bug or feature :) >> >> It's a feature, see in the section [httpd] of default.ini: >> >> vhost_global_handlers = _utils, _uuids, _session, _oauth, _users >> >> - benoƮt >> >> >>> >>> On Wed, Mar 20, 2013 at 3:18 PM, Robert Newson <[email protected]> wrote: >>>> Hm, not without a code change, I think. The secure rewrites setting is >>>> to prevent a rewrite jumping between databases. At first glance it >>>> does seem an overreach to block a rewrite to _session (and presumably >>>> anything else at the top level). >>>> >>>> B. >>>> >>>> On 20 March 2013 12:13, Anthony Ananich <[email protected]> wrote: >>>>> Hi! >>>>> >>>>> I'm trying to make _session handler accessible via url like >>>>> http://mysite.com/_session while using rewrite rules. I get the >>>>> following error: >>>>> {"error":"insecure_rewrite_rule","reason":"too many ../.. segments"} >>>>> >>>>> I found that it could be fixed with adding this to an ini file: >>>>> [httpd] >>>>> secure_rewrites = false >>>>> >>>>> Is there a way to allow _session without disabling secure_rewrites? >>>>> >>>>> Thanks, >>>>> Anthony
