https://bugzilla.wikimedia.org/show_bug.cgi?id=27309

--- Comment #7 from Daniel Friesen <mediawiki-b...@nadir-seen-fire.com> 
2011-02-10 23:54:21 UTC ---
(In reply to comment #6)
> (In reply to comment #5)
> > The only configuration you describe where $wgCookiePath will not work is one
> > where you have a wiki in /foo/index.php and another wiki in /foo/bar/index.php
> > (installing MediaWiki inside another MediaWiki directory)...
> 
> The described effect also occurs when using /foo1/index.php and another wiki in
> /foo2/index.php.
> 
> You are right in saying to use different session cookies. For security audit
> reasons I only wanted to point out that foo2 sees (regards) the foo1 session
> parameter in the _current_ MediaWiki version. WHY NOT add the $wgCookiePrefix
> ?????? which solves this finally?

You ONLY see this because you are not properly setting $wgCookiePath. I said
"The only configuration you describe where $wgCookiePath will not work is one
where you have a wiki in /foo/index.php and another wiki in
/foo/bar/index.php".

/foo1 should have $wgCookiePath = "/foo1"; and /foo2 should have
$wgCookiePath = "/foo2";

There is nothing more secure about prefixing internal $_SESSION data with a
cookie prefix. The fact that you have this conflict means that these wikis
already know each other's $_SESSION (which they SHOULD NOT); THAT is insecure.
Prefixing the keys we use inside $_SESSION WILL NOT fix that or make it more
secure, because both wikis will still be able to access each other's session
data. The only proper thing to do is to properly make use of HTTP's cookie
domain and cookie path to restrict cookies so that the two wikis do not have
access to each other's session data.
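A constructed model of RFC 6265 cookie path scoping, added here as an illustration and not part of the bug thread or of MediaWiki's code, showing why a per-wiki $wgCookiePath isolates /foo1 from /foo2 while the nested /foo and /foo/bar layout still overlaps. The cookie name "wiki_session" and the session ids are made up.

```python
"""Constructed model of browser cookie path scoping (RFC 6265), not MediaWiki
code: which session cookie each wiki's index.php receives under three layouts."""


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: exact match, or cookie path is a
    prefix that ends in '/', or a prefix followed by '/' in the request path."""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieJar:
    """Minimal browser jar: one slot per (name, path); same name+path overwrites."""

    def __init__(self):
        self.cookies = {}

    def set(self, name: str, value: str, path: str) -> None:
        self.cookies[(name, path)] = value

    def for_request(self, request_path: str):
        """Cookies the browser attaches, longest path first (RFC 6265 5.4);
        PHP's $_COOKIE keeps only the first of two cookies with the same name."""
        hits = [(n, p, v) for (n, p), v in self.cookies.items()
                if path_matches(p, request_path)]
        hits.sort(key=lambda h: -len(h[1]))
        return [(n, v) for n, p, v in hits]


def simulate(wikis):
    """wikis: list of (wiki_dir, $wgCookiePath). Each wiki logs in and stores
    its own session id; returns what each wiki's index.php then receives."""
    jar = CookieJar()
    for wiki_dir, cookie_path in wikis:
        sid = wiki_dir.strip("/").replace("/", "-") + "-sid"  # constructed id
        jar.set("wiki_session", sid, cookie_path)
    return {d: jar.for_request(f"{d}/index.php") for d, _ in wikis}


# Both wikis left at the default "/": the second login overwrites the first,
# so /foo1 is handed foo2's session id.
UNSCOPED = simulate([("/foo1", "/"), ("/foo2", "/")])
# $wgCookiePath set per wiki: each request carries only its own session.
SCOPED = simulate([("/foo1", "/foo1"), ("/foo2", "/foo2")])
# Nested install: requests under /foo/bar still match the /foo cookie.
NESTED = simulate([("/foo", "/foo"), ("/foo/bar", "/foo/bar")])
```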
