Commit graph

20 commits

Author SHA1 Message Date
Lukas Reschke
3adbfbfd69 Use / instead of an empty string as cookie path
When an empty string is used as the cookie path, PHP will assign the current directory as the cookie path.

This means that when a user had installed ownCloud under "/", which is mapped to an empty string in \OC::$WEBROOT, and accessed it, the cookie was set to values such as "/index.php/apps/files", since the web browser assumed this to be a directory. This means that multiple encryption cookies were set for the same domain, resulting in potential havoc.

With this patch the path will be set to "/" in case an empty web root is installed, which makes the cookie accessible to the whole domain.

To test this, set up multiple ownCloud instances on the same domain under different ports, both installed under "/", then try to log in to both of them; previously this could in some cases lead to a lockout of the user.

Note that this affects the cookies that the browsers send, and thus to test this you need to clear all cookies from your browser first. I consider this acceptable behaviour for now, since this code is only in master.

Fixes https://github.com/owncloud/core/issues/18919
2015-09-14 11:22:34 +02:00
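The cookie-path behaviour this commit fixes, as an added example that is not ownCloud's or the author's code: a Python simulation of the browser side. When setcookie() is given an empty string as path, PHP emits no Path attribute at all, and the browser then applies the default-path rule from RFC 6265 section 5.1.4 (everything up to, but not including, the last "/" of the request path), so the same cookie name ends up stored once per directory the user happened to log in from. The helper cookie_path_for_webroot, the cookie name session_passphrase, the port numbers and the request paths are assumptions constructed for the demonstration, not ownCloud identifiers.

```python
"""Simulate how a browser stores cookies whose Set-Cookie header carries
no Path attribute, which is what PHP emits when setcookie() gets "" as
the path.  Stand-alone example; not ownCloud code."""
from dataclasses import dataclass


def default_path(request_path: str) -> str:
    """Default-path algorithm from RFC 6265, section 5.1.4."""
    if not request_path.startswith("/"):
        return "/"
    if request_path.count("/") == 1:
        return "/"
    # Everything up to, but not including, the right-most "/".
    return request_path[:request_path.rfind("/")]


def path_matches(cookie_path: str, request_path: str) -> bool:
    """Path-match rule from RFC 6265, section 5.1.4."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_path_for_webroot(webroot: str) -> str:
    """Hypothetical helper mirroring the fix: an install at "/" is stored as
    an empty web root and must be sent as Path=/ rather than with no Path."""
    return webroot if webroot else "/"


@dataclass
class Cookie:
    name: str
    value: str
    path: str


class CookieJar:
    """Cookies for a single host.  Real jars key on host, not host:port,
    so two ownCloud instances on different ports share this jar."""

    def __init__(self) -> None:
        self._store: dict[tuple[str, str], Cookie] = {}

    def set_cookie(self, name: str, value: str, request_path: str,
                   path_attr: str = "") -> None:
        # An empty path_attr models PHP omitting "; path=" from Set-Cookie;
        # the browser then derives the path from the request URL.
        path = path_attr if path_attr else default_path(request_path)
        self._store[(name, path)] = Cookie(name, value, path)

    def cookies_for(self, request_path: str) -> list[Cookie]:
        return [c for c in self._store.values()
                if path_matches(c.path, request_path)]


def simulate(use_fix: bool) -> list[Cookie]:
    """Two instances on the same host, both with an empty web root, each
    setting the (constructed) cookie name session_passphrase on login.
    Returns the cookies the browser would send to /index.php/apps/files."""
    webroot = ""  # an install under "/" is an empty \OC::$WEBROOT
    path_attr = cookie_path_for_webroot(webroot) if use_fix else webroot
    jar = CookieJar()
    # Instance on port 8080: user logged in while viewing the files app.
    jar.set_cookie("session_passphrase", "key-from-8080",
                   "/index.php/apps/files", path_attr)
    # Instance on port 9090: user logged in from the front page.
    jar.set_cookie("session_passphrase", "key-from-9090",
                   "/index.php", path_attr)
    return jar.cookies_for("/index.php/apps/files")


if __name__ == "__main__":
    for fix in (False, True):
        sent = simulate(fix)
        print(f"fix={fix}: {[(c.path, c.value) for c in sent]}")
```

Without the fix the browser holds two cookies of the same name, one at "/index.php/apps" and one at "/", and sends both on the next request; which value PHP exposes in $_COOKIE then depends on the order the browser chose, so one instance can be handed the other's passphrase. With the fix both Set-Cookie headers carry Path=/, the jar holds a single entry, and the instances overwrite each other deterministically; they still share it, because cookies are scoped to the host and not to the port.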
Lukas Reschke
0b91087489 Write to session in batch at the end of the request 2015-09-09 12:48:37 +02:00
Lukas Reschke
e579dd62fd Write session data to single key
This prevents decrypting values multiple times.
2015-09-09 12:48:08 +02:00
Lukas Reschke
6a3fb0d3b3 Handle failures gracefully, remove switch 2015-08-21 19:16:28 +02:00
Joas Schilling
36eef2ddab Add a session wrapper to encrypt the data before storing it on disk 2015-08-21 17:59:23 +02:00
Jenkins for ownCloud
b585d87d9d Update license headers 2015-03-26 11:44:36 +01:00
Thomas Müller
843fef0490 Handle session initialization errors and display error page - fixes #15053 2015-03-20 12:21:03 +01:00
Morris Jobke
06aef4e8b1 Revert "Updating license headers"
This reverts commit 6a1a4880f0.
2015-02-26 11:37:37 +01:00
Jenkins for ownCloud
6a1a4880f0 Updating license headers 2015-02-23 12:13:59 +01:00
cetra3
6b24aa5224 Refactor internal session to write directly to $_SESSION 2014-08-30 08:48:13 +00:00
Thomas Müller
effea790c7 redefine reopen() in class \OC\Session\Internal to avoid accidental calls in production code 2014-03-18 11:44:22 +01:00
Thomas Müller
6bbbf8536f introduce reopen() method to be used for unit test execution only - right after a unit test has been executed, the session will be reopened 2014-03-17 21:57:10 +01:00
Thomas Müller
9fe5033f1e PHPDoc updated 2014-03-10 17:15:19 +01:00
Thomas Müller
a074adb2af fix close() implementation in \OC\Session\Internal 2014-03-10 15:36:20 +01:00
Thomas Müller
73a1ece753 adding an explicit close method to class session - write operations (set and remove) being called after close() will throw an exception 2014-03-10 14:21:12 +01:00
Jörn Friedrich Dreyer
2a6a9a8cef polish documentation based on scrutinizer patches 2014-02-06 17:02:21 +01:00
Robin Appelman
5c7a08aab4 check if a $_SESSION entry exists before we try to remove it 2013-12-11 12:59:48 +01:00
Robin Appelman
a36bf5c2b5 preserve 3rd party values in the Session destructor 2013-12-09 12:38:27 +01:00
Thomas Müller
6f3c49dabb fixing php 5.3 compatibility
PHP Fatal error: Can't inherit abstract function OCP\ISession::set() (previously declared abstract in OC\Session\Session)
2013-10-08 21:52:54 +02:00
Thomas Müller
9c9dc276b7 move the private namespace OC into lib/private - OCP will stay in lib/public
Conflicts:
	lib/private/vcategories.php
2013-09-30 16:36:59 +02:00