[ZendTo] Login session problem (Users get logged off as soon as they click on any link)

Jules Field Jules at Zend.To
Fri Aug 31 16:47:54 BST 2018


Brad,

Yes. On CentOS or RedHat (or other RPM-based distros), the files are here:
     /etc/httpd/conf.d/zendto.conf
     /etc/httpd/conf.d/zendto-ssl.conf

On SuSE-based distributions (SLES and openSUSE), the files are here:
     /etc/apache2/vhosts.d/zendto.conf
     /etc/apache2/vhosts.d/zendto-ssl.conf

They need exactly the same fix to the "Header edit" line.

I have already updated the Installer, so if anyone downloads the 
installer from now on, they won't hit this bug.

Cheers,
Jules.

On 31/08/2018 16:15, Brad Dokken via ZendTo wrote:
>
> I am having the same problem on Centos 7, is there a similar path on 
> this OS?
>
> Thanks
>
> Brad
>
> *From:*ZendTo <zendto-bounces at zend.to> *On Behalf Of *Jules Field via 
> ZendTo
> *Sent:* Friday, August 31, 2018 3:36 AM
> *To:* ZendTo Users <zendto at zend.to>
> *Cc:* Jules Field <Jules at Zend.To>
> *Subject:* Re: [ZendTo] Login session problem (Users get logged off as 
> soon as they click on any link)
>
> Michael,
>
> It appears there is another thing which can cause this problem.
> I recently greatly tightened up the security on the cookie that ZendTo 
> uses, to protect against CSRF (cross-site request forgery) attacks.
>
> Please edit
> /etc/apache2/sites-available/001-zendto-ssl.conf
>
> Right near the top of that file you should see a little section that 
> looks like this:
>
>   # Add the "SameSite" restriction to all cookies.
>   # Warning: This will break if you embed ZendTo in an iframe or similar!
>   <IfModule mod_headers.c>
>     Header edit Set-Cookie ^(.*)$ $1;SameSite=*Strict*
>   </IfModule>
>
> First, change the "Strict" (in bold above) to "Lax".
> Restart Apache completely and try to login to ZendTo and see if it now 
> works correctly.
>
> If that does not fix it, edit that file again and comment out that 
> whole little section (a "#" at the start of each of the 3 lines will 
> do the job).
> Restart Apache completely and try again.
>
> Hopefully one of those 2 will solve it for you.
>
> If it will work with "Lax" then keep it like that. Only remove the 
> whole section if "Lax" won't work either.
>
> I'm still discovering the true impact of setting the "SameSite" attribute.
> I set all the other necessary security attributes in my PHP code in 
> ZendTo itself. But PHP does not yet support the "SameSite" attribute, 
> so this is the only simple way of adding it. Once PHP 7.3 is released, 
> I will be able to remove this as PHP 7.3 understands "SameSite".
>
> Please do let me know how you get on.
>
> Cheers,
> Jules.
>
> On 31/08/2018 08:53, Michael Keller via ZendTo wrote:
>
>     Good Morning,
>
>     I am new to Zend.To and to this list.
>     A few days ago I installed zendto 5.11-6 on a fresh Debian 9
>     system without any problem.
>     But after successful login I got the same errors as Thilo
>     describes here.
>     So I checked all the php.ini files for correct timezone and also
>     set the cookieTTL value to 20 hours as suggested by Jules.
>
>     But it didn't work. If I could do some further checks to solve this
>     problem, let me know.
>     Thank you for your help
>
>     Best regards
>
>     Michael
>
>
>
>     _______________________________________________
>
>     ZendTo mailing list
>
>     ZendTo at zend.to <mailto:ZendTo at zend.to>
>
>     http://jul.es/mailman/listinfo/zendto
>
>
>
> Jules
> -- 
> Julian Field MEng CEng CITP MBCS MIEEE MACM
> 'Is the Holocaust an aberration, or a reflection of who we really are?'
>   - Holocaust Museum, Berlin
> www.Zend.To <http://www.Zend.To>
> Twitter: @JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

Jules

-- 
Julian Field MEng CEng CITP MBCS MIEEE MACM

'We face neither East nor West: we face forward.' - Kwame Nkrumah

www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
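Added example (not ZendTo's own code): the "Header edit" line above appends ";SameSite=..." to every Set-Cookie header Apache sends, so after changing Strict to Lax, or after moving to PHP 7.3 where the attribute can be set in PHP itself, it is worth checking the cookies the server actually emits. This small audit mimics the Apache edit on constructed cookie values and flags a missing or doubled SameSite attribute (the doubling happens if both PHP and the Apache rule add it).

```python
"""Audit Set-Cookie headers for Secure, HttpOnly and a single SameSite value."""
import re

VALID_SAMESITE = ("strict", "lax", "none")


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and a lowercase attribute map.

    Attribute values are kept in a list so repeated attributes are visible.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs.setdefault(key.strip().lower(), []).append(val.strip())
    return {"name": name.strip(), "value": value, "attrs": attrs}


def apache_header_edit(header: str, samesite: str) -> str:
    """Mimic `Header edit Set-Cookie ^(.*)$ $1;SameSite=<value>`.

    The regex matches the whole header value, so the attribute is appended
    unconditionally, even if the cookie already carries SameSite.
    """
    return f"{header};SameSite={samesite}"


def audit(header: str) -> list:
    """Return a list of findings for one Set-Cookie header; empty means OK."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", [])
    if not samesite:
        findings.append("missing SameSite")
    elif len(samesite) > 1:
        findings.append(f"SameSite set {len(samesite)} times: {samesite}")
    elif samesite[0].lower() not in VALID_SAMESITE:
        findings.append(f"unknown SameSite value {samesite[0]!r}")
    elif samesite[0].lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    return findings


if __name__ == "__main__":
    # Constructed sample: a PHP session cookie as emitted before PHP 7.3.
    raw = "PHPSESSID=abc123; path=/; secure; HttpOnly"
    print(audit(raw))                                   # ['missing SameSite']
    print(audit(apache_header_edit(raw, "Lax")))        # []
```

Run it against real headers by pasting the Set-Cookie lines from `curl -sI` output into `audit()`.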
