CSRF problem
14 posts
• Page 2 of 2 • 1, 2
Re: CSRF problem
by hansfn » Thu Feb 27, 2014 11:01 pm
Thx for the access. It enabled me to debug it.
The problem was a bug in the cookie domain detection code in PivotX - ref http://sourceforge.net/p/pivot-weblog/code/4343 For any domain in the form "wwwX.example.org" (where X is any character), the bug caused PivotX to try to set the session cookie on the domain "..example.org". Notice the extra dot?
The problem was a bug in the cookie domain detection code in PivotX - ref http://sourceforge.net/p/pivot-weblog/code/4343 For any domain in the form "wwwX.example.org" (where X is any character), the bug caused PivotX to try to set the session cookie on the domain "..example.org". Notice the extra dot?
- Constantly trying to make PivotX better ... (I accept donations through Paypal. Just send money to hansfn@pivotx.net - select "friends or family".)
- Have your read the PivotX Template Tag documentation?
- hansfn
- Developer
- Posts: 3280
- Joined: Sun Nov 25, 2007 7:48 pm
- Location: Molde, Norway
Re: CSRF problem
by storm9c1 » Fri Feb 28, 2014 10:00 pm
Yes, thanks for taking the time to debug it! Very much appreciated! I owe you a beer......... 
I wonder what would happen if the webserver was called "something.domain.com" instead of "www.domain.com" -- would that cause any problems? If so, then that should be mentioned here just in case someone reading runs into that edge case. (then again only if I am truly understanding the problem...)
I wonder what would happen if the webserver was called "something.domain.com" instead of "www.domain.com" -- would that cause any problems? If so, then that should be mentioned here just in case someone reading runs into that edge case. (then again only if I am truly understanding the problem...)
- storm9c1
- Posts: 8
- Joined: Sun Feb 23, 2014 2:41 am
Re: CSRF problem
by hansfn » Sat Mar 01, 2014 4:42 pm
What the code does is to handle the very, very common case that www.example.org and example.org is the same site. Without the code the following could happen:
1) Log in at www.example.org/pivotx.
2) Move around and end up at example.org
3) Going to example.org/pivotx you would be asked to log in again since the login (the session cookie to be precise) in step 1 is only valid for the www subdomain.
In other words (after the bug fix), only subdomains named "www" (like www.example.org) gets this special treatment.
PS! A cookie is valid on the domain it is set and all subdomains of that domain.
1) Log in at www.example.org/pivotx.
2) Move around and end up at example.org
3) Going to example.org/pivotx you would be asked to log in again since the login (the session cookie to be precise) in step 1 is only valid for the www subdomain.
In other words (after the bug fix), only subdomains named "www" (like www.example.org) gets this special treatment.
PS! A cookie is valid on the domain it is set and all subdomains of that domain.
- Constantly trying to make PivotX better ... (I accept donations through Paypal. Just send money to hansfn@pivotx.net - select "friends or family".)
- Have your read the PivotX Template Tag documentation?
- hansfn
- Developer
- Posts: 3280
- Joined: Sun Nov 25, 2007 7:48 pm
- Location: Molde, Norway
14 posts
• Page 2 of 2 • 1, 2
Who is online
Users browsing this forum: Bing [Bot] and 3 guests