From m.d.leeuw at schiedam.nl Tue Aug 7 13:11:25 2018
From: m.d.leeuw at schiedam.nl (Marcel de Leeuw)
Date: Tue, 7 Aug 2018 12:11:25 +0000
Subject: [ZendTo] Good description of a ZendTo with Exchange IMAP connection.
References: <1533643885361.25952@schiedam.nl>
Message-ID:

Hi there,

Our Exchange system engineer says IMAP is enabled on our on-prem Exchange cluster. A test with Mozilla Thunderbird confirms this. I've opened both the secure and the insecure IMAP port in our firewall from the ZendTo host in our DMZ to one of our Exchange cluster member servers. Telnet from the ZendTo host to the Exchange cluster member gives a hopeful response. I've fiddled with numerous configurations in preference.php but can't get it to work. Anyone any good suggestions or a comprehensive guide?

Kind regards
Marcel de Leeuw
Vakspecialist B, SO
Team ICT Beleid en Beheer
Gemeente Schiedam
Tel: +31 10 2191156

From kbe2 at lehigh.edu Tue Aug 7 14:11:30 2018
From: kbe2 at lehigh.edu (Keith Erekson)
Date: Tue, 7 Aug 2018 09:11:30 -0400
Subject: [ZendTo] Good description of a ZendTo with Exchange IMAP connection.
In-Reply-To:
References: <1533643885361.25952@schiedam.nl>
Message-ID:

You want SMTP, not IMAP.

~Keith

> On Aug 7, 2018, at 8:11 AM, Marcel de Leeuw via ZendTo wrote:
>
> Hi there,
>
> Our Exchange system engineer says IMAP is enabled on our on-prem Exchange cluster. A test with Mozilla Thunderbird confirms this. I've opened both the secure and the insecure IMAP port in our firewall from the ZendTo host in our DMZ to one of our Exchange cluster member servers. Telnet from the ZendTo host to the Exchange cluster member gives a hopeful response. I've fiddled with numerous configurations in preference.php but can't get it to work. Anyone any good suggestions or a comprehensive guide?
>
> Kind regards
> Marcel de Leeuw
> Vakspecialist B, SO
> Team ICT Beleid en Beheer
> Gemeente Schiedam
> Tel: +31 10 2191156
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto

From Jules at Zend.To Wed Aug 8 12:12:17 2018
From: Jules at Zend.To (Jules Field)
Date: Wed, 8 Aug 2018 12:12:17 +0100
Subject: [ZendTo] Good description of a ZendTo with Exchange IMAP connection.
In-Reply-To:
References: <1533643885361.25952@schiedam.nl>
Message-ID: <673fcd62-8a5d-7286-f5d0-3bba49da2d21@Zend.To>

To confirm what Keith says,

You want IMAP if you are trying to use it for ZendTo authentication, but as you've got an Exchange server you've almost certainly got Active Directory running and so should use that for ZendTo authentication.

If you are using it to send email, you want SMTP, not IMAP. IMAP does not (and cannot) send email. IMAP is for reading mail (i.e. the content of mailboxes).

Cheers,
Jules.

On 07/08/2018 14:11, Keith Erekson via ZendTo wrote:
> You want SMTP, not IMAP.
>
> ~Keith
>
> On Aug 7, 2018, at 8:11 AM, Marcel de Leeuw via ZendTo wrote:
>
>> Hi there,
>>
>> Our Exchange system engineer says IMAP is enabled on our on-prem Exchange cluster. A test with Mozilla Thunderbird confirms this. I've opened both the secure and the insecure IMAP port in our firewall from the ZendTo host in our DMZ to one of our Exchange cluster member servers. Telnet from the ZendTo host to the Exchange cluster member gives a hopeful response. I've fiddled with numerous configurations in preference.php but can't get it to work. Anyone any good suggestions or a comprehensive guide?
>>
>> Kind regards
>> Marcel de Leeuw
>> Vakspecialist B, SO
>> Team ICT Beleid en Beheer
>> Gemeente Schiedam
>> Tel: +31 10 2191156
>> _______________________________________________
>> ZendTo mailing list
>> ZendTo at zend.to
>> http://jul.es/mailman/listinfo/zendto
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto

Jules

--
Julian Field MEng CEng CITP MBCS MIEEE MACM

'The best and most beautiful things in life cannot be seen or even touched; they must be felt with the heart.'
- Helen Keller

www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Jake.Sallee at umhb.edu Wed Aug 8 16:53:11 2018
From: Jake.Sallee at umhb.edu (Sallee, Jake)
Date: Wed, 8 Aug 2018 15:53:11 +0000
Subject: [ZendTo] unable to login
In-Reply-To:
References: , <1493fc5ea44642938e9a651d458ec6dd@umhb.edu> , <402a59c6c6c841bbbf23818bb9fb3daa@umhb.edu>
Message-ID:

Sorry for the zombie thread here, but I wanted to provide some closure for anyone who may see this in the archives.

In the interest of time I ended up going nuclear and blowing away the install and restarting fresh. This solved the issue but obviously may not be a viable option for everyone.

Sorry.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

________________________________________
From: ZendTo on behalf of Sallee, Jake via ZendTo
Sent: Wednesday, July 25, 2018 10:51 AM
To: ZendTo Users
Cc: Sallee, Jake
Subject: Re: [ZendTo] unable to login

Jules:

Thank you for your response. I read the upgrade instructions but I apparently did not read them closely enough. I read the bit about running the two commands as only being necessary if you are upgrading from a version earlier than 5.0.
My apologies, it was my mistake.

I did run the upgrade commands (and a reboot for good measure) and it did take care of the missing config option for me, and the error is no longer showing up in the log file, so that is nice.

But I still cannot log in.

The ldap search command works using the info from my current preferences.php file; shouldn't that mean it should be working?

What is really weird is when I do a packet capture I can see the bind response for the user logging in (me in this case) succeeds, but the web page still says it failed ... is there a log file I can look at or something?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
http://WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

________________________________________
From: Jules Field
Sent: Wednesday, July 25, 2018 9:23 AM
To: ZendTo Users
Cc: Sallee, Jake
Subject: Re: [ZendTo] unable to login

Jake,

The PHP notice you got shows that you haven't used
/opt/zendto/bin/upgrade_preferences_php
and/or
/opt/zendto/bin/upgrade_zendto_conf
to upgrade those files. Once you've upgraded your preferences.php and zendto.conf files correctly, all the expected settings will be in them.

For AD authentication troubleshooting, please see
http://zend.to/activedirectory.php

Cheers,
Jules.

On 25/07/2018 14:54, Sallee, Jake via ZendTo wrote:
> All:
>
> I'm having a weird issue in ZendTo version 5.02 with MS AD as the backend user DB.
>
> No one is able to login; when they try they get:
>
> Authentication Error
> The username or password was incorrect.
>
> However I have verified my username and password and still I am not able to log in.
>
> I have been scouring the logs without much success.
> The only thing I see is this when I get the error on login:
>
> ==> /var/log/apache2/error.log <==
> [Wed Jul 25 08:32:17.700721 2018] [php7:notice] [pid 3496] [client 10.11.0.54:47742] PHP Notice: Undefined index: SMTPsetFromToSender in /opt/zendto/lib/NSSDropbox.php on line 317
>
> Line 317 in the referenced file is this:
>
> $this->_SMTPsetFromToSender = $prefs['SMTPsetFromToSender'];
>
> It seems to be referencing a non-existent setting in the preferences.php file, but commenting this line out changed nothing.
>
> I have firewall logs showing there is communication going to the AD servers, and this setup was working but then stopped. As far as I can tell the AD integration bits are set up correctly ... I am at a loss here.
>
> Is there another log file I can look at to get some more info? Is there some other troubleshooting step I can use (like a debug mode somewhere) to see more info?
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> http://WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto

Jules

--
Julian Field MEng CEng CITP MBCS MIEEE MACM

'Probability factor of one to one. We have normality. I repeat, we have normality. Anything you still can't cope with is therefore your own problem.'
- Trillian, The Hitch Hikers Guide to the Galaxy

http://www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://jul.es/mailman/listinfo/zendto

From Jules at Zend.To Wed Aug 8 17:21:08 2018
From: Jules at Zend.To (Jules Field)
Date: Wed, 8 Aug 2018 17:21:08 +0100
Subject: [ZendTo] unable to login
In-Reply-To:
References: <1493fc5ea44642938e9a651d458ec6dd@umhb.edu> <402a59c6c6c841bbbf23818bb9fb3daa@umhb.edu>
Message-ID:

Jake,

ZendTo protects itself from being used by attackers to brute-force guess passwords. So if a particular user fails to log in more than a set number of times within 24 hours, they are locked out for the next 24 hours. Obviously you don't want to tell the attacker this has happened, so the error message shown to the user is exactly the same. If you told the attacker this had happened, they would start trying another account. Much better for them to waste their time pointlessly trying passwords (one of which might be correct, but will still be rejected!).

Take a look in preferences.php and you'll see this (which are the default settings):

  // If a user fails to login with the correct password 'loginFailMax' times
  // in a row within 'loginFailTime' seconds, then the user is locked out
  // until the time period has passed. 86400 seconds = 1 day.
  // That means that if you fail to log in successfully 6 times in a row in
  // 1 day, your account is locked out for 1 day and you won't be able to
  // log in for that day.
  'loginFailMax'      => 6,
  'loginFailTime'     => 86400,

If you are logged in as an admin user (and hence see the extra red buttons in the main menu), one of those takes you to a page which shows all the locked-out users and lets you unlock them selectively.

That's often the cause of this problem with new installations. Sorry if I saw this thread before and didn't remember this feature!

Cheers,
Jules.

On 08/08/2018 16:53, Sallee, Jake via ZendTo wrote:
> Sorry for the zombie thread here, but I wanted to provide some closure for anyone who may see this in the archives.
>
> In the interest of time I ended up going nuclear and blowing away the install and restarting fresh. This solved the issue but obviously may not be a viable option for everyone.
>
> Sorry.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> ________________________________________
> From: ZendTo on behalf of Sallee, Jake via ZendTo
> Sent: Wednesday, July 25, 2018 10:51 AM
> To: ZendTo Users
> Cc: Sallee, Jake
> Subject: Re: [ZendTo] unable to login
>
> Jules:
>
> Thank you for your response. I read the upgrade instructions but I apparently did not read them closely enough. I read the bit about running the two commands as only being necessary if you are upgrading from a version earlier than 5.0.
>
> My apologies, it was my mistake.
>
> I did run the upgrade commands (and a reboot for good measure) and it did take care of the missing config option for me, and the error is no longer showing up in the log file, so that is nice.
>
> But I still cannot log in.
>
> The ldap search command works using the info from my current preferences.php file; shouldn't that mean it should be working?
>
> What is really weird is when I do a packet capture I can see the bind response for the user logging in (me in this case) succeeds, but the web page still says it failed ... is there a log file I can look at or something?
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> http://WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> ________________________________________
> From: Jules Field
> Sent: Wednesday, July 25, 2018 9:23 AM
> To: ZendTo Users
> Cc: Sallee, Jake
> Subject: Re: [ZendTo] unable to login
>
> Jake,
>
> The PHP notice you got shows that you haven't used
> /opt/zendto/bin/upgrade_preferences_php
> and/or
> /opt/zendto/bin/upgrade_zendto_conf
> to upgrade those files. Once you've upgraded your preferences.php and
> zendto.conf files correctly, all the expected settings will be in them.
>
> For AD authentication troubleshooting, please see
> http://zend.to/activedirectory.php
>
> Cheers,
> Jules.
>
>
> On 25/07/2018 14:54, Sallee, Jake via ZendTo wrote:
>> All:
>>
>> I'm having a weird issue in ZendTo version 5.02 with MS AD as the backend user DB.
>>
>> No one is able to login; when they try they get:
>>
>> Authentication Error
>> The username or password was incorrect.
>>
>> However I have verified my username and password and still I am not able to log in.
>>
>> I have been scouring the logs without much success.
>> The only thing I see is this when I get the error on login:
>>
>> ==> /var/log/apache2/error.log <==
>> [Wed Jul 25 08:32:17.700721 2018] [php7:notice] [pid 3496] [client 10.11.0.54:47742] PHP Notice: Undefined index: SMTPsetFromToSender in /opt/zendto/lib/NSSDropbox.php on line 317
>>
>> Line 317 in the referenced file is this:
>>
>> $this->_SMTPsetFromToSender = $prefs['SMTPsetFromToSender'];
>>
>> It seems to be referencing a non-existent setting in the preferences.php file, but commenting this line out changed nothing.
>>
>> I have firewall logs showing there is communication going to the AD servers, and this setup was working but then stopped. As far as I can tell the AD integration bits are set up correctly ... I am at a loss here.
>>
>> Is there another log file I can look at to get some more info? Is there some other troubleshooting step I can use (like a debug mode somewhere) to see more info?
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer
>> University of Mary Hardin-Baylor
>> http://WWW.UMHB.EDU
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>>
>> _______________________________________________
>> ZendTo mailing list
>> ZendTo at zend.to
>> http://jul.es/mailman/listinfo/zendto
> Jules
>
> --
> Julian Field MEng CEng CITP MBCS MIEEE MACM
>
> 'Probability factor of one to one. We have normality. I repeat, we
> have normality. Anything you still can't cope with is therefore
> your own problem.'
> - Trillian, The Hitch Hikers Guide to the Galaxy
>
> http://www.Zend.To
> Twitter: @JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto

Jules

--
Julian Field MEng CEng CITP MBCS MIEEE MACM

Forties: Southwesterly 4 or 5, becoming variable 2 or 3 later in east. Slight. Showers. Good.

www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Jules at Zend.To Wed Aug 22 17:06:08 2018
From: Jules at Zend.To (Jules Field)
Date: Wed, 22 Aug 2018 17:06:08 +0100
Subject: [ZendTo] ANNOUNCE: 5.11-3 released
Message-ID: <66afe7b3-c7e9-5ac6-8009-aeb69ecdc4e5@Zend.To>

Hi folks!

I have just released a new build, version 5.11-3. You can download it from the downloads page at
    https://zend.to/downloads.php

* For ZendTo itself, this is primarily a bug-fix release.
* However, I have also configured the yum and apt repositories so they are now fully signed, so if you are using the repos you should check https://zend.to/yum.php or https://zend.to/apt.php to find how to update your repo settings.
* Oh, and the whole of the https://zend.to website is now served over SSL. If you use "curl" to download packages from the site, remember to put "https" and not "http"!
I have also added a new "X-Frame-Options" setting so you can control how that HTTP header is used. By default I would advise leaving it set to "sameorigin", but if you embed ZendTo within an iframe on another website, you will need to change that.

For your own protection, I would also strongly advise an improvement to your Apache configuration. This will add the "SameSite" attribute to the cookie that ZendTo uses, which will help modern web browsers protect you from cross-site request forgery (CSRF) attacks.

To add this protection, find the Apache config file for the https version of your ZendTo site. This is the file where you will have put the location of your server SSL certificate. It's usually in
    /etc/httpd/conf.d/zendto-ssl.conf
or
    /etc/apache2/sites-enabled/001-zendto-ssl.conf

Edit that file. Right near the top, just below the "DocumentRoot" setting, add these 3 lines:

    Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict

then restart Apache (or just reboot your ZendTo server).

I have updated the Installer so that brand new installations get this feature added when the sites are created. Sadly PHP does not *yet* have built-in support for this cookie attribute; this is promised for PHP 7.3.

Here is the full ChangeLog:

Version 5.11-3
- Fixed bugs with 'X-Frame-Options' setting, and allow it to be disabled.
- Fixed bug where localIPSubnets setting did not handle complete IP addresses
  correctly.
- Updated to latest cookieconsent library.
- Added "Header" rules to Apache configuration to add the "SameSite: strict"
  attribute. This will help modern browsers defend against CSRF attacks.
  This is only applied by the Installer on new installations. This will have
  no effect at all on existing installations.
  WARNING: This will cause problems if you embed the ZendTo website in an
  iframe. Don't worry, very few sites do and you will definitely know it if
  you do this.
- Removed long-dead 'useRealProgressBar' setting from preferences.php.
Version 5.11-2
- Added note to drop-off summary at the end of uploading files, to tell the
  user their files have been sent successfully.
- Added 'X-Frame-Options' setting in preferences.php for those who need to
  embed ZendTo in a frame or iframe on their website.
- The apt/yum repositories are now signed as are the new deb/rpm files
  in them. You will need to fetch the new zendto-repo.deb or zendto-repo.rpm
  files and install them first. See the downloads.php page for how to
  install the key if you are using Ubuntu/Debian.
  (Yum systems do it on their own)
- Added GPG support to the Installer (except for SuSE).
- Added GPG support to the Installer (including SuSE).
- Added SLES 15 support to the Installer.

Any problems or questions, please let me know straight away.

Cheers,
--
Jules
Jules at Zend.To

From t.schweizer at merkle-partner.de Thu Aug 30 09:30:11 2018
From: t.schweizer at merkle-partner.de (Thilo Schweizer)
Date: Thu, 30 Aug 2018 08:30:11 +0000
Subject: [ZendTo] Login session problem (Users get logged off as soon as they click on any link)
References: <3E5F03D5BF5A2040B3AB2C4AB63026FA7CA6660C@mx>
Message-ID:

Good morning,

yesterday I ran an upgrade from v4.12 to v5.11-6 using the installer script on an Ubuntu VM (ESX-Server). After some troubles with Ubuntu 12.04 I ran an in-place upgrade to 14.04 and finally got it to work. But now the users don't stay logged in at all; as soon as the site gets refreshed or any button/link is clicked you get logged off. So I decided to do a completely fresh install, including the OS (I switched to OpenSuSE Leap 15.0). Everything worked flawlessly, no problems with the installer script anymore. At the end I used the scripts to adapt my config files and "tada", exactly the same issue. I checked the timezone (system + php.ini - Europe/Berlin), I tried it with http instead of https, I even tried it with the original config files and a local test user - same problem!

What did I miss?
It's kinda urgent, my colleagues are using zendto very frequently and in this state they aren't able to send any files at all.

Thank you!

Best regards
Thilo

From Massimo.Forni at turboden.it Thu Aug 30 09:35:13 2018
From: Massimo.Forni at turboden.it (Massimo Forni)
Date: Thu, 30 Aug 2018 08:35:13 +0000
Subject: [ZendTo] Login session problem (Users get logged off as soon as they click on any link)
In-Reply-To:
References: <3E5F03D5BF5A2040B3AB2C4AB63026FA7CA6660C@mx> <0A6BAE18ABEE3E4ABF2F406E9A6BB978016DC678@MailBox.turboden.local>
Message-ID:

Can you check that you do not have another VM with the same IP?

From: ZendTo [mailto:zendto-bounces at zend.to] On Behalf Of Thilo Schweizer via ZendTo
Sent: 30 August 2018 10:30
To: zendto at zend.to
Cc: Thilo Schweizer
Subject: [ZendTo] Login session problem (Users get logged off as soon as they click on any link)

Good morning,

yesterday I ran an upgrade from v4.12 to v5.11-6 using the installer script on an Ubuntu VM (ESX-Server). After some troubles with Ubuntu 12.04 I ran an in-place upgrade to 14.04 and finally got it to work. But now the users don't stay logged in at all; as soon as the site gets refreshed or any button/link is clicked you get logged off. So I decided to do a completely fresh install, including the OS (I switched to OpenSuSE Leap 15.0). Everything worked flawlessly, no problems with the installer script anymore. At the end I used the scripts to adapt my config files and "tada", exactly the same issue. I checked the timezone (system + php.ini - Europe/Berlin), I tried it with http instead of https, I even tried it with the original config files and a local test user - same problem!

What did I miss?

It's kinda urgent, my colleagues are using zendto very frequently and in this state they aren't able to send any files at all.

Thank you!
Best regards
Thilo

--
Massimo Forni
ICT Specialist, Advisor to Managing Director for ICT
________________________________
Turboden S.p.A. I via Cernaia 10 I 25124 Brescia I Italy
t. +390303552001 I f. +390303552011
www.turboden.com

Confidentiality notice: this message, together with its attachments, may contain strictly confidential and/or legally privileged information and it is destined solely to the intended addressee(s), who only may use it under his/their responsibility. Opinions, conclusions and other information contained in this message, that do not relate to the official business of this firm, shall be considered as not given or endorsed by it. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. Any use, disclosure, copying or distribution of the contents of this communication by a not-intended recipient or in violation of the purposes of this communication is strictly prohibited and may be unlawful.

From Jules at Zend.To Thu Aug 30 09:45:59 2018
From: Jules at Zend.To (Jules Field)
Date: Thu, 30 Aug 2018 09:45:59 +0100
Subject: [ZendTo] Login session problem (Users get logged off as soon as they click on any link)
In-Reply-To:
References: <3E5F03D5BF5A2040B3AB2C4AB63026FA7CA6660C@mx>
Message-ID: <62e0d03e-cf6c-054a-ad0a-82376c23fe00@Zend.To>

Thilo,

On 30/08/2018 09:30, Thilo Schweizer via ZendTo wrote:
>
> Good morning,
>
> yesterday I ran an upgrade from v4.12 to v5.11-6 using the installer
> script on an Ubuntu VM (ESX-Server). After some troubles with Ubuntu
> 12.04 I ran an in-place upgrade to 14.04 and finally got it to work.
>
Ubuntu 12 is no longer supported, sorry.
Ubuntu themselves have 'end-of-life'd it and I can't get PHP 7 for it.

> But now the users don't stay logged in at all; as soon as the site
> gets refreshed or any button/link is clicked you get logged off.
> So I decided to do a completely fresh install, including the OS (I switched
> to OpenSuSE Leap 15.0). Everything worked flawlessly, no problems with
> the installer script anymore. At the end I used the scripts to adapt
> my config files and "tada", exactly the same issue. I checked the
> timezone (system + php.ini - Europe/Berlin), I tried it with http
> instead of https, I even tried it with the original config files and a
> local test user - same problem!
>
> What did I miss?
>
> It's kinda urgent, my colleagues are using zendto very frequently and
> in this state they aren't able to send any files at all.
>
My guess would be the timezone. The expiry time (an absolute point in time, not just "now + 2 hours") of the session cookies is set on the server, but their expiry is handled by the user's web browser. So if the timezone on the server isn't perfect, it can end up creating cookies that have already expired.

Did you re-run the ZendTo Installer *after* you upgraded the Ubuntu 12 box to Ubuntu 14? If not, I would strongly advise you try that first, particularly stage number 5 (configuring Apache and php). You can run the stages individually. Look in the Installer directory and you'll see a "Ubuntu-Debian" dir. cd into that and just run ./5-httpd-php.sh. They work out that they aren't being run by install.sh and go and find the file(s) they need on their own.

My page about this
    https://zend.to/timezone.php
is a bit out of date, but should help.

Make sure that /etc/localtime is the correct timezone (on some Linuxes it's a symlink into /usr/share/zoneinfo/, on others it's a copy of a file in /usr/share/zoneinfo).

Hope that helps,
Jules

--
Julian Field MEng CEng CITP MBCS MIEEE MACM

'If I were a Brazilian without land or money or the means to feed my children, I would be burning the rain forest too.'
- Sting

www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Jules at Zend.To Thu Aug 30 09:55:12 2018
From: Jules at Zend.To (Jules Field)
Date: Thu, 30 Aug 2018 09:55:12 +0100
Subject: [ZendTo] Login session problem (Users get logged off as soon as they click on any link)
In-Reply-To:
References: <3E5F03D5BF5A2040B3AB2C4AB63026FA7CA6660C@mx>
Message-ID:

Thilo,

Check the log file in /var/zendto/zendto.log as well, to see if there is anything interesting there.

Cheers,
Jules.

On 30/08/2018 09:30, Thilo Schweizer via ZendTo wrote:
>
> Good morning,
>
> yesterday I ran an upgrade from v4.12 to v5.11-6 using the installer
> script on an Ubuntu VM (ESX-Server). After some troubles with Ubuntu
> 12.04 I ran an in-place upgrade to 14.04 and finally got it to work.
> But now the users don't stay logged in at all; as soon as the site
> gets refreshed or any button/link is clicked you get logged off. So I
> decided to do a completely fresh install, including the OS (I switched
> to OpenSuSE Leap 15.0). Everything worked flawlessly, no problems with
> the installer script anymore. At the end I used the scripts to adapt
> my config files and "tada", exactly the same issue. I checked the
> timezone (system + php.ini - Europe/Berlin), I tried it with http
> instead of https, I even tried it with the original config files and a
> local test user - same problem!
>
> What did I miss?
>
> It's kinda urgent, my colleagues are using zendto very frequently and
> in this state they aren't able to send any files at all.
>
> Thank you!
>
> Best regards
>
> Thilo
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto

Jules

--
Julian Field MEng CEng CITP MBCS MIEEE MACM

'Ever since the dawn of civilization, people have craved for an understanding of the underlying order of the world: why it is as it is, and why it exists at all. But even if we do find a complete theory of everything, it is just a set of rules and equations. What is it that breathes fire into the equations, and makes a universe for them to describe?'
- Stephen Hawking

www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From t.schweizer at merkle-partner.de Thu Aug 30 11:42:17 2018
From: t.schweizer at merkle-partner.de (Thilo Schweizer)
Date: Thu, 30 Aug 2018 10:42:17 +0000
Subject: [ZendTo] Login session problem (Users get logged off as soon as they click on any link)
In-Reply-To:
References: <3E5F03D5BF5A2040B3AB2C4AB63026FA7CA6660C@mx> <0A6BAE18ABEE3E4ABF2F406E9A6BB978016DC678@MailBox.turboden.local> <3E5F03D5BF5A2040B3AB2C4AB63026FA7CA66917@mx>
Message-ID:

Hi,

thanks, I rechecked it; it's definitely the only host with that IP address (DMZ zone, no DHCP and only a few servers).

Best wishes

From: ZendTo [mailto:zendto-bounces at zend.to] On Behalf Of Massimo Forni via ZendTo
Sent: Thursday, 30 August 2018 11:20
To: ZendTo Users
Cc: Massimo Forni
Subject: Re: [ZendTo] Login session problem (Users get logged off as soon as they click on any link)

Can you check that you do not have another VM with the same IP?
From: ZendTo [mailto:zendto-bounces at zend.to] On Behalf Of Thilo Schweizer via ZendTo Sent: 30 August 2018 10:30 To: zendto at zend.to Cc: Thilo Schweizer > Subject: [ZendTo] Login session problem (Users get logged off as soon as they click on any link) Good morning, yesterday I ran an upgrade from v4.12 to v5.11-6 using the installer script on an Ubuntu VM (ESX-Server). After some troubles with Ubuntu 12.04 I ran an in place upgrade to 14.04 and finally got it to work. But now the users doesn't stay logged in at all, as soon as the site gets refreshed or any button/link is clicked you get logged off. So I decided to do a completely fresh install, including the os (I switched to OpenSuSE Leap 15.0). Everything worked flawless, no problems with the installer script anymore. At the end I used the scripts to adopt my config files and "tada", exactly the same issue. I checked the timezone (system + php.ini - Europe/Berlin), I tried it with http instead of https, I even tried it with the original config files and a local test user - same problem! What did I miss? It's kinda urgent, my colleagues are using zendto very frequently and in this state they aren't able to send any files at all. Thank you! Best regards Thilo -- Massimo Forni ICT Specialist, Advisor to Managing Director for ICT ________________________________ Turboden S.p.A. I via Cernaia 10 I 25124 Brescia I Italy t. +390303552001 I f. +390303552011 www.turboden.com Confidentiality notice: this message, together with its attachments, may contain strictly confidential and/or legally privileged information and it is destined solely to the intended addressee(s), who only may use it under his/their responsibility. Opinions, conclusions and other information contained in this message, that do not relate to the official business of this firm, shall be considered as not given or endorsed by it. 
If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. Any use, disclosure, copying or distribution of the contents of this communication by a not-intended recipient or in violation of the purposes of this communication is strictly prohibited and may be unlawful. -------------- next part -------------- An HTML attachment was scrubbed... URL:

From Jules at Zend.To Thu Aug 30 15:22:29 2018 From: Jules at Zend.To (Jules Field) Date: Thu, 30 Aug 2018 15:22:29 +0100 Subject: [ZendTo] Login session problem (Users get logged off as soon as they click on any link) In-Reply-To: References: <3E5F03D5BF5A2040B3AB2C4AB63026FA7CA6660C@mx> <62e0d03e-cf6c-054a-ad0a-82376c23fe00@Zend.To> <3E5F03D5BF5A2040B3AB2C4AB63026FA7CA6696F@mx> Message-ID: Thilo, As an easy test, try this:

1. Ubuntu has multiple php.ini files. The important one for ZendTo is /etc/php/72/apache2/php.ini. Make sure your timezone is correct in there.
2. Reboot your Ubuntu server. That will guarantee everything in the system agrees on the timezone.
3. Try logging in to ZendTo.
4. If that still fails to work properly (i.e. it effectively logs you out on 1st click anywhere), edit preferences.php and change 'cookieTTL' by adding another 0 on the end, so you multiply it to 20 hours instead of 2 hours (72000 instead of 7200 seconds).
5. Try ZendTo again.

Let me know how you get on. Cheers, Jules. On 30/08/2018 12:09, Thilo Schweizer wrote: > > Hey again, > > Ubuntu 12 is no longer supported, sorry. > Ubuntu themselves have 'end-of-life'd it and I can't get PHP 7 for it. > > Yes it became clear after I looked at the third party repository > for php7, no problem and not your fault. > > But now the users don't stay logged in at all, as soon as the site > gets refreshed or any button/link is clicked you get logged off.
So I > decided to do a completely fresh install, including the os (I switched > to OpenSuSE Leap 15.0). Everything worked flawlessly, no problems with > the installer script anymore. At the end I used the scripts to adopt > my config files and "tada", exactly the same issue. I checked the > timezone (system + php.ini - Europe/Berlin), I tried it with http > instead of https, I even tried it with the original config files and a > local test user - same problem! > > What did I miss? > > It's kinda urgent, my colleagues are using zendto very frequently and > in this state they aren't able to send any files at all. > > My guess would be the timezone. The expiry time (an absolute point in > time, not just "now + 2 hours") of the session cookies is set on the > server, but their expiry is handled by the user's web browser. So if > the timezone on the server isn't perfect, it can end up creating > cookies that have already expired. > > Did you re-run the ZendTo Installer *after* you upgraded the Ubuntu 12 > box to Ubuntu 14? If not, I would strongly advise you try that first, > particularly stage number 5 (configuring Apache and php). You can run > the stages individually. Look in the Installer directory and you'll > see a "Ubuntu-Debian" dir. cd into that and just run ./5-httpd-php.sh. > They work out that they aren't being run by install.sh and go and find > the file(s) they need on their own. > > I did rerun it, but I'm now on a fresh OpenSuSE Leap 15.0 with a > fresh zendto install, I just took the config files from the old zendto > installation and converted them with the scripts. > > > My page about this > https://zend.to/timezone.php > is a bit out of date, but should help.
> Make sure that /etc/localtime is the correct timezone (on some Linuxes > it's a symlink into /usr/share/zoneinfo/, on others it's a > copy of a file in /usr/share/zoneinfo > > Yes, I have found that page before and I have checked the global > timezone several times: > > timedatectl > > Local time: Thu 2018-08-30 13:00:27 CEST > > Universal time: Thu 2018-08-30 11:00:27 UTC > > RTC time: Thu 2018-08-30 11:00:26 > > Time zone: Europe/Berlin (CEST, +0200) > > Network time on: no > > NTP synchronized: yes > > RTC in local TZ: no > > And also I looked for the php ini-files (/etc/php7/apache2/php.ini / > /etc/php7/cli/php.ini) > > date.timezone = 'Europe/Berlin' > > Thank you! > > Regards > > Thilo > > From: Jules Field [mailto:Jules at Zend.To] > Sent: Thursday, 30 August 2018 11:21 > To: ZendTo Users > Cc: Thilo Schweizer > Subject: Re: [ZendTo] Login session problem (Users get logged off as > soon as they click on any link) > > Thilo, > > On 30/08/2018 09:30, Thilo Schweizer via ZendTo wrote: > > Good morning, > > yesterday I ran an upgrade from v4.12 to v5.11-6 using the > installer script on an Ubuntu VM (ESX-Server). After some troubles > with Ubuntu 12.04 I ran an in place upgrade to 14.04 and finally > got it to work. > > Ubuntu 12 is no longer supported, sorry. > Ubuntu themselves have 'end-of-life'd it and I can't get PHP 7 for it. > > > But now the users don't stay logged in at all, as soon as the > site gets refreshed or any button/link is clicked you get logged > off. So I decided to do a completely fresh install, including the > os (I switched to OpenSuSE Leap 15.0). Everything worked flawlessly, > no problems with the installer script anymore. At the end I used > the scripts to adopt my config files and "tada", exactly the same > issue. I checked the timezone (system + php.ini - Europe/Berlin), > I tried it with http instead of https, I even tried it with the > original config files and a > local test user - same problem!
> > What did I miss? > > It's kinda urgent, my colleagues are using zendto very frequently > and in this state they aren't able to send any files at all. > > My guess would be the timezone. The expiry time (an absolute point in > time, not just "now + 2 hours") of the session cookies is set on the > server, but their expiry is handled by the user's web browser. So if > the timezone on the server isn't perfect, it can end up creating > cookies that have already expired. > > Did you re-run the ZendTo Installer *after* you upgraded the Ubuntu 12 > box to Ubuntu 14? If not, I would strongly advise you try that first, > particularly stage number 5 (configuring Apache and php). You can run > the stages individually. Look in the Installer directory and you'll > see a "Ubuntu-Debian" dir. cd into that and just run ./5-httpd-php.sh. > They work out that they aren't being run by install.sh and go and find > the file(s) they need on their own. > > My page about this > https://zend.to/timezone.php > is a bit out of date, but should help. > Make sure that /etc/localtime is the correct timezone (on some Linuxes > it's a symlink into /usr/share/zoneinfo/, on others it's a > copy of a file in /usr/share/zoneinfo. > > Hope that helps, > > Jules > -- > Julian Field MEng CEng CITP MBCS MIEEE MACM > 'If I were a Brazilian without land or money or the means to feed > my children, I would be burning the rain forest too.' - Sting > www.Zend.To > Twitter: @JulesFM > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Jules -- Julian Field MEng CEng CITP MBCS MIEEE MACM How to stop time: kiss. How to travel in time: read. How to escape time: music. How to feel time: write. How to release time: breathe. www.Zend.To Twitter: @JulesFM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -------------- next part -------------- An HTML attachment was scrubbed...
URL:

From mkeller at psi.de Fri Aug 31 08:53:12 2018 From: mkeller at psi.de (Michael Keller) Date: Fri, 31 Aug 2018 09:53:12 +0200 Subject: [ZendTo] Login session problem (Users get logged off as soon as they click on any link) In-Reply-To: References: <1765089208.120249.1535701993006.JavaMail.tbone@infra-abg-mcr1.psi.de> Message-ID: Good Morning, I am new to Zend.To and to this list. A few days ago I installed zendto 5.11-6 on a fresh Debian 9 system without any problem. But after successful login I got the same errors as Thilo describes here. So I checked all the php.ini files for correct timezone and also set the cookieTTL value to 20 hours as suggested by Jules. But it didn't work. If I can do some further checks to solve this problem, let me know. Thank you for your help Best regards Michael -------------- next part -------------- A non-text attachment was scrubbed... Name: mkeller at psi.de-certificate-1.pem Type: application/octet-stream Size: 2325 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3795 bytes Desc: not available URL:

From Jules at Zend.To Fri Aug 31 11:36:13 2018 From: Jules at Zend.To (Jules Field) Date: Fri, 31 Aug 2018 11:36:13 +0100 Subject: [ZendTo] Login session problem (Users get logged off as soon as they click on any link) In-Reply-To: References: <1765089208.120249.1535701993006.JavaMail.tbone@infra-abg-mcr1.psi.de> Message-ID: <940ddb8d-d7a9-3dcd-3f49-0ff20bd7658c@Zend.To> Michael, It appears there is another thing which can cause this problem. I recently greatly tightened up the security on the cookie that ZendTo uses, to protect against CSRF (cross-site request forgery) attacks. Please edit /etc/apache2/sites-available/001-zendto-ssl.conf

Right near the top of that file you should see a little section that looks like this:

  # Add the "SameSite" restriction to all cookies.
  # Warning: This will break if you embed ZendTo in an iframe or similar!
  Header edit Set-Cookie ^(.*)$ $1;SameSite=*Strict*

First, change the "Strict" (in bold above) to "Lax". Restart Apache completely and try to login to ZendTo and see if it now works correctly. If that does not fix it, edit that file again and comment out that whole little section (a "#" at the start of each of the 3 lines will do the job). Restart Apache completely and try again. Hopefully one of those 2 will solve it for you. If it will work with "Lax" then keep it like that. Only remove the whole section if "Lax" won't work either. I'm still discovering the true impact of setting the "SameSite" attribute. I set all the other necessary security attributes in my PHP code in ZendTo itself. But PHP does not yet support the "SameSite" attribute, so this is the only simple way of adding it. Once PHP 7.3 is released, I will be able to remove this as PHP 7.3 understands "SameSite". Please do let me know how you get on. Cheers, Jules. On 31/08/2018 08:53, Michael Keller via ZendTo wrote: > Good Morning, > > I am new to Zend.To and to this list. > A few days ago I installed zendto 5.11-6 on a fresh Debian 9 system > without any problem. > But after successful login I got the same errors as Thilo describes here. > So I checked all the php.ini files for correct timezone and also set > the cookieTTL value to 20 hours as suggested by Jules. > > But it didn't work. If I can do some further checks to solve this > problem, let me know. > Thank you for your help > > Best regards > > Michael > > > _______________________________________________ > ZendTo mailing list > ZendTo at zend.to > http://jul.es/mailman/listinfo/zendto Jules -- Julian Field MEng CEng CITP MBCS MIEEE MACM 'Is the Holocaust an aberration, or a reflection of who we really are?'
- Holocaust Museum, Berlin www.Zend.To Twitter: @JulesFM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -------------- next part -------------- An HTML attachment was scrubbed... URL: From bbdokken at dokkenengineering.com Fri Aug 31 16:15:26 2018 From: bbdokken at dokkenengineering.com (Brad Dokken) Date: Fri, 31 Aug 2018 15:15:26 +0000 Subject: [ZendTo] Login session problem (Users get logged off as soon as they click on any link) In-Reply-To: References: <1765089208.120249.1535701993006.JavaMail.tbone@infra-abg-mcr1.psi.de> <940ddb8d-d7a9-3dcd-3f49-0ff20bd7658c@Zend.To> Message-ID: I am having the same problem on Centos 7, is there a similar path on this OS? Thanks Brad From: ZendTo On Behalf Of Jules Field via ZendTo Sent: Friday, August 31, 2018 3:36 AM To: ZendTo Users Cc: Jules Field Subject: Re: [ZendTo] Login session problem (Users get logged off as soon as they click on any link) Michael, It appears there is another thing which can cause this problem. I recently greatly tightened up the security on the cookie that ZendTo uses, to protect against CSRF (cross-site request forgery) attacks. Please edit /etc/apache2/sites-available/001-zendto-ssl.conf Right near the top of that file you should see a little section that looks like this: # Add the "SameSite" restriction to all cookies. # Warning: This will break if you embed ZendTo in an iframe or similar! Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict First, change the "Strict" (in bold above) to "Lax". Restart Apache completely and try to login to ZendTo and see if it now works correctly. If that does not fix it, edit that file again and comment out that whole little section (a "#" at the start of each of the 3 lines will do the job). Restart Apache completely and try again. Hopefully one of those 2 will solve it for you. If it will work with "Lax" then keep it like that. Only remove the whole section if "Lax" won't work either. 
I'm still discovering the true impact of setting the "SameSite" attribute. I set all the other necessary security attributes in my PHP code in ZendTo itself. But PHP does not yet support the "SameSite" attribute, so this is the only simple way of adding it. Once PHP 7.3 is released, I will be able to remove this as PHP 7.3 understands "SameSite". Please do let me know how you get on. Cheers, Jules. On 31/08/2018 08:53, Michael Keller via ZendTo wrote: Good Morning, I am new to Zend.To and to this list. A few days ago I installed zendto 5.11-6 on a fresh Debian 9 system without any problem. But after successful login I got the same errors as Thilo describes here. So I checked all the php.ini files for correct timezone and also set the cookieTTL value to 20 hours as suggested by Jules. But it didn't work. If I can do some further checks to solve this problem, let me know. Thank you for your help Best regards Michael _______________________________________________ ZendTo mailing list ZendTo at zend.to http://jul.es/mailman/listinfo/zendto Jules -- Julian Field MEng CEng CITP MBCS MIEEE MACM 'Is the Holocaust an aberration, or a reflection of who we really are?' - Holocaust Museum, Berlin www.Zend.To Twitter: @JulesFM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -------------- next part -------------- An HTML attachment was scrubbed... URL:

From Jules at Zend.To Fri Aug 31 16:47:54 2018 From: Jules at Zend.To (Jules Field) Date: Fri, 31 Aug 2018 16:47:54 +0100 Subject: [ZendTo] Login session problem (Users get logged off as soon as they click on any link) In-Reply-To: References: <1765089208.120249.1535701993006.JavaMail.tbone@infra-abg-mcr1.psi.de> <940ddb8d-d7a9-3dcd-3f49-0ff20bd7658c@Zend.To> Message-ID: <97bc34b4-e045-4186-00f7-9e9268eeeadd@Zend.To> Brad, Yes. On CentOS or RedHat (or other RPM-based distros), the files are here:

  /etc/httpd/conf.d/zendto.conf
  /etc/httpd/conf.d/zendto-ssl.conf

On SuSE-based distributions (SLES and openSUSE), the files are here:

  /etc/apache2/vhosts.d/zendto.conf
  /etc/apache2/vhosts.d/zendto-ssl.conf

They need exactly the same fix to the "Header edit" line. I have already updated the Installer, so if anyone downloads the installer from now on, they won't hit this bug. Cheers, Jules. On 31/08/2018 16:15, Brad Dokken via ZendTo wrote: > > I am having the same problem on Centos 7, is there a similar path on > this OS? > > Thanks > > Brad > > From: ZendTo On Behalf Of Jules Field via > ZendTo > Sent: Friday, August 31, 2018 3:36 AM > To: ZendTo Users > Cc: Jules Field > Subject: Re: [ZendTo] Login session problem (Users get logged off as > soon as they click on any link) > > Michael, > > It appears there is another thing which can cause this problem. > I recently greatly tightened up the security on the cookie that ZendTo > uses, to protect against CSRF (cross-site request forgery) attacks. > > Please edit > /etc/apache2/sites-available/001-zendto-ssl.conf > > Right near the top of that file you should see a little section that > looks like this: > > # Add the "SameSite" restriction to all cookies. > # Warning: This will break if you embed ZendTo in an iframe or similar! > > Header edit Set-Cookie ^(.*)$ $1;SameSite=*Strict* > > First, change the "Strict" (in bold above) to "Lax". > Restart Apache completely and try to login to ZendTo and see if it now > works correctly. > > If that does not fix it, edit that file again and comment out that > whole little section (a "#" at the start of each of the 3 lines will > do the job). > Restart Apache completely and try again. > > Hopefully one of those 2 will solve it for you. > > If it will work with "Lax" then keep it like that. Only remove the > whole section if "Lax" won't work either. > > I'm still discovering the true impact of setting the "SameSite" attribute.
> I set all the other necessary security attributes in my PHP code in > ZendTo itself. But PHP does not yet support the "SameSite" attribute, > so this is the only simple way of adding it. Once PHP 7.3 is released, > I will be able to remove this as PHP 7.3 understands "SameSite". > > Please do let me know how you get on. > > Cheers, > Jules. > > On 31/08/2018 08:53, Michael Keller via ZendTo wrote: > > Good Morning, > > I am new to Zend.To and to this list. > A few days ago I installed zendto 5.11-6 on a fresh Debian 9 > system without any problem. > But after successful login I got the same errors as Thilo > describes here. > So I checked all the php.ini files for correct timezone and also > set the cookieTTL value to 20 hours as suggested by Jules. > > But it didn't work. If I could some further checks to solve this > problem let me know. > Thank you for your help > > Best regards > > Michael > > > > _______________________________________________ > > ZendTo mailing list > > ZendTo at zend.to > > http://jul.es/mailman/listinfo/zendto > > > > Jules > -- > Julian Field MEng CEng CITP MBCS MIEEE MACM > 'Is the Holocaust an aberration, or a reflection of who we really are?' > - Holocaust Museum, Berlin > www.Zend.To > Twitter: @JulesFM > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > _______________________________________________ > ZendTo mailing list > ZendTo at zend.to > http://jul.es/mailman/listinfo/zendto Jules -- Julian Field MEng CEng CITP MBCS MIEEE MACM 'We face neither East nor West: we face forward.' - Kwame Nkrumah www.Zend.To Twitter: @JulesFM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -------------- next part -------------- An HTML attachment was scrubbed... URL:
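Added example (not part of the thread and not ZendTo's own code): a small Python model of the Apache "Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict" rule discussed in the replies above, followed by simplified browser-side SameSite rules that decide whether the rewritten session cookie is attached to a later request. The cookie name PHPSESSID, its value and the three request scenarios are constructed for illustration; the thread does not name ZendTo's cookie or its attributes. The model shows why "Lax" is the usual compromise: a cross-site top-level GET, such as following a link from a notification e-mail into the ZendTo site, carries the cookie under Lax but not under Strict, while a cross-site form POST, the classic CSRF vector, carries it under neither. It also shows a caveat worth checking on any install that keeps the rule: "Header edit" appends unconditionally, so once PHP itself emits a SameSite attribute the response carries two of them, which is the point at which the Apache rule should be removed.

```python
"""
Added example (not ZendTo's code): model the Apache rule
    Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict
from the thread, then apply simplified browser SameSite rules to the
rewritten cookie. Cookie name/value and request scenarios are constructed.
"""
import re
from dataclasses import dataclass


def apache_header_edit(set_cookie: str, mode: str = "Strict") -> str:
    """Mimic 'Header edit Set-Cookie ^(.*)$ $1;SameSite=<mode>'.

    Like the Apache directive, this appends unconditionally: it does not
    check whether the cookie already carries a SameSite attribute.
    """
    return re.sub(r"^(.*)$", r"\1;SameSite=" + mode, set_cookie, count=1)


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, value, attrs


def samesite_values(header: str):
    """Every SameSite value in the header, in order, so duplicates show up."""
    return [p.split("=", 1)[1].strip()
            for p in header.split(";")
            if p.strip().lower().startswith("samesite=")]


@dataclass(frozen=True)
class Request:
    same_site: bool             # initiator's site equals the cookie's site
    top_level_navigation: bool  # address-bar navigation, e.g. clicking a link
    method: str
    https: bool = True


def cookie_is_sent(attrs: dict, req: Request) -> bool:
    """Simplified browser rules for the Secure and SameSite attributes.

    Assumption: a cookie with no SameSite attribute behaves as 'None'
    (the 2018 browser default; newer browsers default to Lax).
    """
    if attrs.get("secure") and not req.https:
        return False
    mode = str(attrs.get("samesite", "None")).lower()
    if req.same_site or mode == "none":
        return True
    if mode == "lax":
        # Lax: cross-site only on top-level navigations with a safe method
        return req.top_level_navigation and req.method.upper() in ("GET", "HEAD")
    return False  # Strict: never attached to a cross-site request


# Constructed session cookie, as PHP might emit it before Apache edits it.
PHP_COOKIE = "PHPSESSID=abc123; Path=/; Secure; HttpOnly"

# Constructed scenarios.
FOLLOW_EMAIL_LINK = Request(same_site=False, top_level_navigation=True, method="GET")
CSRF_FORM_POST = Request(same_site=False, top_level_navigation=True, method="POST")
IN_APP_CLICK = Request(same_site=True, top_level_navigation=True, method="GET")


def outcome(mode: str, req: Request) -> bool:
    """Does the cookie, rewritten with SameSite=<mode>, reach the server for req?"""
    _, _, attrs = parse_set_cookie(apache_header_edit(PHP_COOKIE, mode))
    return cookie_is_sent(attrs, req)


if __name__ == "__main__":
    for mode in ("Strict", "Lax"):
        print(f"{mode:6} e-mail link: {outcome(mode, FOLLOW_EMAIL_LINK)!s:5} "
              f"CSRF POST: {outcome(mode, CSRF_FORM_POST)!s:5} "
              f"in-app click: {outcome(mode, IN_APP_CLICK)}")
    # Once PHP sets SameSite itself, the Apache rule yields a duplicate attribute.
    already = "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
    print("SameSite values after edit:", samesite_values(apache_header_edit(already)))
```

Run as a script it prints one line per mode; the in-app click is attached in both modes, the cross-site POST in neither, and only Lax keeps the cookie on the cross-site link. The real browser rules have more detail (for example, Secure being required with SameSite=None), but the three cases above are the ones that matter when deciding between Strict, Lax and removing the section entirely.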