[ZendTo] Login session problem (Users get logged off as soon as they click on any link)
Jules Field
Jules at Zend.To
Fri Aug 31 11:36:13 BST 2018
Michael,
It appears there is another thing which can cause this problem.
I recently greatly tightened up the security on the cookie that ZendTo
uses, to protect against CSRF (cross-site request forgery) attacks.
Please edit
/etc/apache2/sites-available/001-zendto-ssl.conf
Right near the top of that file you should see a little section that
looks like this:
# Add the "SameSite" restriction to all cookies.
# Warning: This will break if you embed ZendTo in an iframe or similar!
<IfModule mod_headers.c>
Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict
</IfModule>
First, change the "Strict" (in bold above) to "Lax".
Restart Apache completely and try to login to ZendTo and see if it now
works correctly.
If that does not fix it, edit that file again and comment out that whole
little section (a "#" at the start of each of the 3 lines will do the job).
Restart Apache completely and try again.
Hopefully one of those 2 will solve it for you.
If it will work with "Lax" then keep it like that. Only remove the whole
section if "Lax" won't work either.
I'm still discovering the true impact of setting the "SameSite" attribute.
I set all the other necessary security attributes in my PHP code in
ZendTo itself. But PHP does not yet support the "SameSite" attribute, so
this is the only simple way of adding it. Once PHP 7.3 is released, I
will be able to remove this as PHP 7.3 understands "SameSite".
Please do let me know how you get on.
Cheers,
Jules.
On 31/08/2018 08:53, Michael Keller via ZendTo wrote:
> Good Morning,
>
> I am new to Zend.To and to this list.
> A few days ago I installed zendto 5.11-6 on a fresh Debian 9 system
> without any problem.
> But after successful login I got the same errors as Thilo describes here.
> So I checked all the php.ini files for correct timezone and also set
> the cookieTTL value to 20 hours as suggested by Jules.
>
> But it didn't work. If I could do some further checks to solve this
> problem, let me know.
> Thank you for your help
>
> Best regards
>
> Michael
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto
Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'Is the Holocaust an aberration, or a reflection of who we really are?'
- Holocaust Museum, Berlin
www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
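The Apache line above is a plain regex rewrite of every Set-Cookie header, and the Strict-vs-Lax choice Jules describes is what decides whether the session cookie travels with a given request. The following Python model is an added example for this archive page; it is not ZendTo's or Apache's code. It reproduces the `Header edit` substitution with `re.sub`, then applies the SameSite rules browsers implement (from the RFC 6265bis draft) to a few constructed request types, so you can see which entries into ZendTo keep the session under Strict, under Lax, and with no attribute at all. The cookie name `ZENDTOSESSID` and its flags are illustrative, not taken from ZendTo, and treating a missing SameSite attribute as unrestricted reflects browser behaviour in 2018, when this message was written (newer Chrome defaults to Lax).

```python
import re

# The Apache directive  Header edit Set-Cookie ^(.*)$ $1;SameSite=<v>
# is a regex substitution on the header value; this is the same pattern.
SAMESITE_RE = re.compile(r"^(.*)$")


def apache_header_edit(set_cookie: str, samesite: str = "Strict") -> str:
    """Reproduce what the Apache 'Header edit' line does to one Set-Cookie value.

    Caveat visible from the regex itself: it appends unconditionally, so a
    cookie that already carries SameSite (e.g. one emitted by PHP 7.3+)
    ends up with the attribute twice.
    """
    return SAMESITE_RE.sub(r"\1;SameSite=" + samesite, set_cookie)


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, value, attrs


def cookie_sent(samesite, same_site_request, top_level_navigation, method):
    """Model of when a browser attaches a cookie, keyed on its SameSite value.

    Strict: only when the request initiator is the same site.
    Lax:    same-site requests, plus cross-site top-level navigations
            (links, address bar) using a safe method such as GET.
    None or absent: always sent. (Assumption: absent == unrestricted,
            the 2018 browser default; newer Chrome treats absent as Lax.)
    """
    value = (samesite or "none").lower()
    if value == "strict":
        return same_site_request
    if value == "lax":
        return same_site_request or (
            top_level_navigation and method.upper() in ("GET", "HEAD")
        )
    return True


def session_survives(set_cookie, *, same_site_request, top_level_navigation,
                     method="GET"):
    """Does the session cookie in SET_COOKIE accompany the described request?"""
    _, _, attrs = parse_set_cookie(set_cookie)
    samesite = attrs.get("samesite")
    return cookie_sent(samesite if isinstance(samesite, str) else None,
                       same_site_request, top_level_navigation, method)


# Constructed sample: the kind of cookie PHP's session handler emits before
# Apache rewrites it. Name and flags are illustrative, not ZendTo's real ones.
PHP_COOKIE = "ZENDTOSESSID=abc123; path=/; secure; HttpOnly"

STRICT = apache_header_edit(PHP_COOKIE, "Strict")
LAX = apache_header_edit(PHP_COOKIE, "Lax")

if __name__ == "__main__":
    # Constructed request types a ZendTo session might meet.
    cases = {
        "link clicked inside ZendTo":        dict(same_site_request=True,  top_level_navigation=True,  method="GET"),
        "link to ZendTo from webmail / IdP": dict(same_site_request=False, top_level_navigation=True,  method="GET"),
        "cross-site POST (CSRF attempt)":    dict(same_site_request=False, top_level_navigation=True,  method="POST"),
        "cross-site <img>/fetch sub-request": dict(same_site_request=False, top_level_navigation=False, method="GET"),
    }
    print("Rewritten header:", STRICT)
    for label, kw in cases.items():
        print(f"{label:36s} Strict={session_survives(STRICT, **kw)!s:5} "
              f"Lax={session_survives(LAX, **kw)!s:5} "
              f"none={session_survives(PHP_COOKIE, **kw)!s:5}")
```

Running it shows the trade-off in the message: Strict drops the session on every cross-site entry, including a harmless top-level link from a mail client or an identity provider's redirect back, while Lax keeps it for those GET navigations and still withholds it from the cross-site POST that CSRF relies on. Leaving the attribute off sends the cookie everywhere, which is the exposure the directive was added to close. Once the application sets SameSite itself (PHP 7.3 added the `session.cookie_samesite` ini setting and a `samesite` key in the array form of `session_set_cookie_params()`), the Apache rewrite should be removed rather than left in place, because, as `apache_header_edit` shows, it would append a second copy of the attribute.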