[ZendTo] Login session problem (Users get logged off as soon as they click on any link)
Jules Field
Jules at Zend.To
Fri Aug 31 16:47:54 BST 2018
Brad,
Yes. On CentOS or RedHat (or other RPM-based distros), the files are here:
/etc/httpd/conf.d/zendto.conf
/etc/httpd/conf.d/zendto-ssl.conf
On SuSE-based distributions (SLES and openSUSE), the files are here:
/etc/apache2/vhosts.d/zendto.conf
/etc/apache2/vhosts.d/zendto-ssl.conf
They need exactly the same fix to the "Header edit" line.
I have already updated the Installer, so if anyone downloads the
installer from now on, they won't hit this bug.
Cheers,
Jules.
On 31/08/2018 16:15, Brad Dokken via ZendTo wrote:
>
> I am having the same problem on Centos 7, is there a similar path on
> this OS?
>
> Thanks
>
> Brad
>
> From: ZendTo <zendto-bounces at zend.to> On Behalf Of Jules Field via
> ZendTo
> Sent: Friday, August 31, 2018 3:36 AM
> To: ZendTo Users <zendto at zend.to>
> Cc: Jules Field <Jules at Zend.To>
> Subject: Re: [ZendTo] Login session problem (Users get logged off as
> soon as they click on any link)
>
> Michael,
>
> It appears there is another thing which can cause this problem.
> I recently greatly tightened up the security on the cookie that ZendTo
> uses, to protect against CSRF (cross-site request forgery) attacks.
>
> Please edit
> /etc/apache2/sites-available/001-zendto-ssl.conf
>
> Right near the top of that file you should see a little section that
> looks like this:
>
> # Add the "SameSite" restriction to all cookies.
> # Warning: This will break if you embed ZendTo in an iframe or similar!
> <IfModule mod_headers.c>
> Header edit Set-Cookie ^(.*)$ $1;SameSite=*Strict*
> </IfModule>
>
> First, change the "Strict" (in bold above) to "Lax".
> Restart Apache completely and try to login to ZendTo and see if it now
> works correctly.
>
> If that does not fix it, edit that file again and comment out that
> whole little section (a "#" at the start of each of the 3 lines will
> do the job).
> Restart Apache completely and try again.
>
> Hopefully one of those 2 will solve it for you.
>
> If it will work with "Lax" then keep it like that. Only remove the
> whole section if "Lax" won't work either.
>
> I'm still discovering the true impact of setting the "SameSite" attribute.
> I set all the other necessary security attributes in my PHP code in
> ZendTo itself. But PHP does not yet support the "SameSite" attribute,
> so this is the only simple way of adding it. Once PHP 7.3 is released,
> I will be able to remove this as PHP 7.3 understands "SameSite".
>
> Please do let me know how you get on.
>
> Cheers,
> Jules.
>
> On 31/08/2018 08:53, Michael Keller via ZendTo wrote:
>
> Good Morning,
>
> I am new to Zend.To and to this list.
> A few days ago I installed zendto 5.11-6 on a fresh Debian 9
> system without any problem.
> But after successful login I got the same errors as Thilo
> describes here.
> So I checked all the php.ini files for correct timezone and also
> set the cookieTTL value to 20 hours as suggested by Jules.
>
> But it didn't work. If I could do some further checks to solve this
> problem, let me know.
> Thank you for your help
>
> Best regards
>
> Michael
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to <mailto:ZendTo at zend.to>
> http://jul.es/mailman/listinfo/zendto
>
> Jules
> --
> Julian Field MEng CEng CITP MBCS MIEEE MACM
> 'Is the Holocaust an aberration, or a reflection of who we really are?'
> - Holocaust Museum, Berlin
> www.Zend.To <http://www.Zend.To>
> Twitter: @JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'We face neither East nor West: we face forward.' - Kwame Nkrumah
www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
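As an added illustration (not code from ZendTo or from Jules), this mirrors what the `Header edit Set-Cookie ^(.*)$ $1;SameSite=...` line does to a Set-Cookie header and then applies the SameSite rules to show which requests a browser still attaches the cookie to under Strict versus Lax. The sample cookie value is constructed, and a cookie with no SameSite attribute is treated as "always sent", as browsers did in 2018.

```python
import re

# Constructed sample: a PHP session cookie as ZendTo's PHP code might emit it
# (the value is made up).
SAMPLE_SET_COOKIE = "PHPSESSID=abc123; path=/; secure; HttpOnly"

# The Apache directive is:  Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict
# mod_headers runs the regex over each Set-Cookie value; this does the same.
HEADER_EDIT_PATTERN = re.compile(r"^(.*)$")


def apply_header_edit(set_cookie: str, samesite: str) -> str:
    """Rewrite one Set-Cookie value exactly as the 'Header edit' line would."""
    return HEADER_EDIT_PATTERN.sub(
        lambda m: f"{m.group(1)};SameSite={samesite}", set_cookie, count=1)


def parse_set_cookie(set_cookie: str) -> dict:
    """Split a Set-Cookie value into the name/value pair plus lower-cased attributes."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {"name": name, "value": value}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True   # flag attrs -> True
    return attrs


def cookie_sent(attrs: dict, same_site: bool, top_level_get: bool) -> bool:
    """Would a browser attach this cookie to the request, judged by SameSite alone?"""
    mode = str(attrs.get("samesite", "none")).lower()   # assumption: absent == None
    if same_site:
        return True                 # same-site requests always carry the cookie
    if mode == "strict":
        return False                # Strict: never sent cross-site, even on a plain click
    if mode == "lax":
        return top_level_get        # Lax: sent on top-level GET navigations only
    return True                     # None: always sent (no CSRF protection)


def login_scenarios(samesite: str) -> dict:
    """Apply the header edit, then evaluate the requests that matter for a login session."""
    attrs = parse_set_cookie(apply_header_edit(SAMPLE_SET_COOKIE, samesite))
    return {
        "samesite_attr": attrs["samesite"],
        # clicking a link on a ZendTo page itself
        "same_site_click": cookie_sent(attrs, same_site=True, top_level_get=True),
        # following a link to ZendTo from another site (top-level GET)
        "cross_site_link": cookie_sent(attrs, same_site=False, top_level_get=True),
        # a form POST or XHR from another site: the CSRF case the attribute blocks
        "cross_site_post": cookie_sent(attrs, same_site=False, top_level_get=False),
    }
```

Both Strict and Lax block the cross-site POST; only Strict also drops the cookie on an ordinary cross-site link click, which is why Lax is the value to try first.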