CSRF problem

Get help with installation and running PivotX 2.0.x here. Please do not post Extension or Theme related questions here.

Re: CSRF problem

Postby storm9c1 » Tue Feb 25, 2014 4:12 pm

Email sent. Thanks!!!
storm9c1
 
Posts: 8
Joined: Sun Feb 23, 2014 2:41 am

Re: CSRF problem

Postby hansfn » Thu Feb 27, 2014 11:01 pm

Thx for the access. It enabled me to debug it.

The problem was a bug in the cookie domain detection code in PivotX - ref http://sourceforge.net/p/pivot-weblog/code/4343. For any domain in the form "wwwX.example.org" (where X is any character), the bug caused PivotX to try to set the session cookie on the domain "..example.org". Notice the extra dot?
hansfn
Developer
 
Posts: 3281
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway

Re: CSRF problem

Postby storm9c1 » Fri Feb 28, 2014 10:00 pm

Yes, thanks for taking the time to debug it! Very much appreciated! I owe you a beer......... :lol:

I wonder what would happen if the webserver was called "something.domain.com" instead of "www.domain.com" -- would that cause any problems? If so, then that should be mentioned here just in case someone reading runs into that edge case. (then again only if I am truly understanding the problem...)
storm9c1
 
Posts: 8
Joined: Sun Feb 23, 2014 2:41 am

Re: CSRF problem

Postby hansfn » Sat Mar 01, 2014 4:42 pm

What the code does is to handle the very, very common case that www.example.org and example.org are the same site. Without the code the following could happen:

1) Log in at www.example.org/pivotx.
2) Move around and end up at example.org
3) Going to example.org/pivotx you would be asked to log in again since the login (the session cookie to be precise) in step 1 is only valid for the www subdomain.

In other words (after the bug fix), only subdomains named "www" (like www.example.org) get this special treatment.

PS! A cookie is valid on the domain it is set and all subdomains of that domain.
hansfn
Developer
 
Posts: 3281
Joined: Sun Nov 25, 2007 7:48 pm
Location: Molde, Norway
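To make the behaviour described in this thread concrete, here is an added Python model (not PivotX's own PHP code, and not from hansfn's post) of the cookie-domain derivation before and after the fix, plus the domain-matching rule from the PS. The pre-fix logic is a hypothetical reconstruction that reproduces the "..example.org" symptom: it assumes the old code checked only for a leading "www" and then cut off four characters by position.

```python
import re


def cookie_domain_buggy(host: str) -> str:
    """Hypothetical reconstruction of the pre-fix logic (assumption, not PivotX code).

    Any host starting with 'www' is treated as a www host, and the 'www.' prefix
    is dropped by position (4 chars) before a leading dot is prepended.
    For 'www2.example.org' the 4th char is the dot itself, giving '..example.org'.
    """
    if host.startswith("www"):
        return "." + host[4:]
    return host


def cookie_domain_fixed(host: str) -> str:
    """Only an exact 'www' label gets the shared-domain treatment.

    'something.example.org' is left alone, so the cookie stays on that host only.
    """
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[0] == "www":
        return "." + ".".join(labels[1:])
    return host


def is_valid_cookie_domain(domain: str) -> bool:
    """Reject empty labels such as those in the '..example.org' produced by the bug."""
    stripped = domain[1:] if domain.startswith(".") else domain
    return bool(stripped) and all(
        re.fullmatch(r"[a-z0-9-]+", label) for label in stripped.split(".")
    )


def cookie_applies(cookie_domain: str, request_host: str) -> bool:
    """A cookie set on a domain is sent to that domain and all its subdomains.

    This is the rule from the PS: a cookie on '.example.org' reaches both
    'www.example.org' and 'example.org', which is what avoids the re-login in step 3.
    """
    base = cookie_domain[1:] if cookie_domain.startswith(".") else cookie_domain
    return request_host == base or request_host.endswith("." + base)


def compare(hosts):
    """Side-by-side derivation for a list of constructed sample hosts."""
    return {h: (cookie_domain_buggy(h), cookie_domain_fixed(h)) for h in hosts}
```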
