This explains it all. Don't set the domain when creating a cookie. You'll get a wildcard and sessions will break if you have multiple domains running hubzilla (or any php basic session based code).

2016-05-18 21:00:31 -07:00 · 2016-05-18 21:00:31 -07:00 · ada26dd2cb
commit ada26dd2cb
parent f4b31dcb3a
1 changed files with 10 additions and 17 deletions
--- a/Zotlabs/Web/Session.php
+++ b/Zotlabs/Web/Session.php
@ -41,10 +41,15 @@ class Session {
 		$arr = session_get_cookie_params();
 		// Note when setting cookies: set the domain to false which creates a single domain
 		// cookie. If you use a hostname it will create a .domain.com wildcard which will
 		// have some nasty side effects if you have any other subdomains running hubzilla. 
 		session_set_cookie_params(
 			((isset($arr['lifetime']))   ? $arr['lifetime'] : 0),
 			((isset($arr['path']))      ? $arr['path']     : '/'),
-			(($arr['domain'])    ? $arr['domain']   : \App::get_hostname()),
+			(($arr['domain'])    ? $arr['domain']   : false),
 			((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
 			((isset($arr['httponly']))  ? $arr['httponly'] : true)
 		);
@ -83,19 +88,7 @@ class Session {
 		if($this->handler && $this->session_started) {
-			// The session should be regenerated to prevent session fixation attacks.
+			session_regenerate_id(true);
 			// Traditionally this has been working well, but stopped working in Firefox
 			// recently (~46.0). It works well in other browsers. FF takes time for the
 			// new cookie to propagate and it appears to still use the old cookie for the
 			// next several requests. We don't have an easy way to flush the cookies and
 			// ensure the browser is using the right one. I've tried several methods including
 			// delayed cookie deletion and issuing a page reload just after authentication
 			// and none have been successful and all are hacks to work around what looks to be
 			// a browser issue. This is an important @FIXME. We should enable by default and let
 			// folks disable it if they have issues, except they can't login to change it if 
 			// their sessions aren't working.  
 			// session_regenerate_id(true);
 			// force SessionHandler record creation with the new session_id
 			// which occurs as a side effect of read()
@ -106,9 +99,9 @@ class Session {
 			logger('no session handler');
 		if (x($_COOKIE, 'jsdisabled')) {
-			setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime, '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly']))  ? $arr['httponly'] : true));
+			setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime, '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly']))  ? $arr['httponly'] : true));
 		}
-		setcookie(session_name(),session_id(),$newxtime, '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly']))  ? $arr['httponly'] : true));
+		setcookie(session_name(),session_id(),$newxtime, '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly']))  ? $arr['httponly'] : true));
 		$arr = array('expire' => $xtime);
 		call_hooks('new_cookie', $arr);
@ -124,7 +117,7 @@ class Session {
 		$xtime = (($_SESSION['remember_me']) ? (60 * 60 * 24 * 365) : 0 );
 		if($xtime)
-			setcookie(session_name(),session_id(),(time() + $xtime), '/', \App::get_hostname(),((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly']))  ? $arr['httponly'] : true));
+			setcookie(session_name(),session_id(),(time() + $xtime), '/', false,((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),((isset($arr['httponly']))  ? $arr['httponly'] : true));
 		$arr = array('expire' => $xtime);
 		call_hooks('extend_cookie', $arr);