[ZendTo] Login session problem (Users get logged off as soon as they click on any link)
Brad Dokken
bbdokken at dokkenengineering.com
Fri Aug 31 16:15:26 BST 2018
I am having the same problem on Centos 7, is there a similar path on this OS?
Thanks
Brad
From: ZendTo <zendto-bounces at zend.to> On Behalf Of Jules Field via ZendTo
Sent: Friday, August 31, 2018 3:36 AM
To: ZendTo Users <zendto at zend.to>
Cc: Jules Field <Jules at Zend.To>
Subject: Re: [ZendTo] Login session problem (Users get logged off as soon as they click on any link)
Michael,
It appears there is another thing which can cause this problem.
I recently greatly tightened up the security on the cookie that ZendTo uses, to protect against CSRF (cross-site request forgery) attacks.
Please edit
/etc/apache2/sites-available/001-zendto-ssl.conf
Right near the top of that file you should see a little section that looks like this:
# Add the "SameSite" restriction to all cookies.
# Warning: This will break if you embed ZendTo in an iframe or similar!
<IfModule mod_headers.c>
Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict
</IfModule>
First, change the "Strict" (in bold above) to "Lax".
Restart Apache completely and try to login to ZendTo and see if it now works correctly.
If that does not fix it, edit that file again and comment out that whole little section (a "#" at the start of each of the 3 lines will do the job).
Restart Apache completely and try again.
Hopefully one of those 2 will solve it for you.
If it will work with "Lax" then keep it like that. Only remove the whole section if "Lax" won't work either.
I'm still discovering the true impact of setting the "SameSite" attribute.
I set all the other necessary security attributes in my PHP code in ZendTo itself. But PHP does not yet support the "SameSite" attribute, so this is the only simple way of adding it. Once PHP 7.3 is released, I will be able to remove this as PHP 7.3 understands "SameSite".
Please do let me know how you get on.
Cheers,
Jules.
On 31/08/2018 08:53, Michael Keller via ZendTo wrote:
Good Morning,
I am new to Zend.To and to this list.
A few days ago I installed zendto 5.11-6 on a fresh Debian 9 system without any problem.
But after successful login I got the same errors as Thilo describes here.
So I checked all the php.ini files for correct timezone and also set the cookieTTL value to 20 hours as suggested by Jules.
But it didn't work. If I could do some further checks to solve this problem, let me know.
Thank you for your help
Best regards
Michael
_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://jul.es/mailman/listinfo/zendto
Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'Is the Holocaust an aberration, or a reflection of who we really are?'
- Holocaust Museum, Berlin
www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
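An added example (not code from this thread or from ZendTo) that models what the quoted "Header edit Set-Cookie" directive does to a session cookie, audits the result for the Secure/HttpOnly/SameSite attributes the thread is concerned with, and models the Strict-versus-Lax difference behind the "change Strict to Lax" advice. The Set-Cookie values are constructed, and cookie_is_sent is a simplified model of browser behaviour, not a full implementation; it also shows why the directive becomes a duplicate once PHP itself emits SameSite.

```python
import re

# Re-implementation of the mod_headers directive quoted in Jules' mail:
#   Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict
# mod_headers applies the regex to every Set-Cookie value and appends the attribute
# unconditionally, without checking whether SameSite is already present.
def apache_header_edit(set_cookie_value, samesite="Strict"):
    return re.sub(r"^(.*)$", rf"\1;SameSite={samesite}", set_cookie_value, count=1)

def cookie_attributes(set_cookie_value):
    """Return (name, value, attrs); attrs maps lower-cased attribute names to lists."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs.setdefault(key.strip().lower(), []).append(val.strip())
    return name.strip(), value.strip(), attrs

def audit_cookie(set_cookie_value):
    """Findings for one Set-Cookie header; [] means Secure, HttpOnly and exactly
    one SameSite=Strict|Lax are present, which is what the thread is aiming for."""
    _, _, attrs = cookie_attributes(set_cookie_value)
    findings = [f"missing {a}" for a in ("secure", "httponly") if a not in attrs]
    samesite = attrs.get("samesite", [])
    if not samesite:
        findings.append("missing samesite")
    elif len(samesite) > 1:
        findings.append(f"duplicate samesite: {samesite}")
    elif samesite[0].lower() not in ("strict", "lax"):
        findings.append(f"unexpected samesite value {samesite[0]!r}")
    return findings

def cookie_is_sent(samesite, same_site_request, top_level_navigation, safe_method):
    """Simplified browser rule for attaching a cookie: Strict -> same-site requests
    only; Lax -> also cross-site top-level navigations with a safe method (a GET
    link click); None -> always."""
    mode = samesite.lower()
    if same_site_request or mode == "none":
        return True
    if mode == "lax":
        return top_level_navigation and safe_method
    return False

# Constructed sample headers, not captured from a real ZendTo server. PHP_BEFORE mimics
# PHP < 7.3 (no SameSite support); PHP_AFTER mimics PHP 7.3 already setting SameSite.
PHP_BEFORE = "PHPSESSID=abc123; path=/; secure; HttpOnly"
PHP_AFTER = "PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Lax"
```

Running audit_cookie(apache_header_edit(PHP_AFTER)) reports a duplicate SameSite attribute, which is the situation Jules describes avoiding by removing the Apache section once PHP 7.3 emits the attribute itself.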