Commit Graph

23 Commits

Author SHA1 Message Date
Lukas Reschke 5588c5f262 Delete cookie instead of emptying value
PHP will handle session cookies with an empty values as an E_WARNING error. ([php/#68063](https://bugs.php.net/bug.php?id=68063))

ownCloud sets the cookie to an empty value in case the session expires, it however after this starts a new session. Due to potential race conditions this can in unlikely cases lead to the fact that the session never gets restarted and the user is left with an empty cookie. PHP tries then to use the empty cookie which makes the instance not usable.

To work around any race condition we now tell PHP to explicitly delete the value which can be done by using `null` as value, PHP will then send a cookie with the value "deleted". Also theepiration has been set to -1.
2015-10-19 19:54:12 +02:00
Morris Jobke b945d71384 update licence headers via script 2015-10-05 21:15:52 +02:00
Phil Davis 7940a3fb65 Session closed exception wording
and a small comment typo
2015-09-29 12:17:47 +05:45
Lukas Reschke 3adbfbfd69 Use / instead of an empty string as cookie path
When an empty string is used as cookie path PHP will assign the current directory as cookie path.

This means when an user had installed an ownCloud under "/", which is mapped to an empty string in \OC::$WEBROOT, and accessed it the cookie was set to values such as "/index.php/apps/files" since the web browser assumed this to be a directory. This means that multiple encryption cookies were set for the same domain resulting in potential havoc.

With this patch the path will be set to "/" in case an empty web root is installed which makes the cookie accessible to the whole domain.

To test this setup multiple ownCloud instances on the same domain under different ports and have both installed under "/", then try to login in both of it and previously this can in some cases lead to a lockout of the user.

Note that this affects the cookies that the browsers do sent and thus to test this you need to clear all cookies from your browser previously. I consider this an acceptable behaviour for now since this code is only in master.

Fixes https://github.com/owncloud/core/issues/18919
2015-09-14 11:22:34 +02:00
Lukas Reschke 0b91087489 Write to session in batch at the end of the request 2015-09-09 12:48:37 +02:00
Lukas Reschke e579dd62fd Write session data to single key
This prevents decrypting values multiple times.
2015-09-09 12:48:08 +02:00
Lukas Reschke 6a3fb0d3b3 Handle failures gracefully, remove switch 2015-08-21 19:16:28 +02:00
Joas Schilling 36eef2ddab Add a session wrapper to encrypt the data before storing it on disk 2015-08-21 17:59:23 +02:00
Jenkins for ownCloud b585d87d9d Update license headers 2015-03-26 11:44:36 +01:00
Thomas Müller 843fef0490 Handle session initialization errors and display error page - fixes #15053 2015-03-20 12:21:03 +01:00
Morris Jobke 06aef4e8b1 Revert "Updating license headers"
This reverts commit 6a1a4880f0.
2015-02-26 11:37:37 +01:00
Jenkins for ownCloud 6a1a4880f0 Updating license headers 2015-02-23 12:13:59 +01:00
cetra3 6b24aa5224 Refactor internal session to write directly to $_SESSION 2014-08-30 08:48:13 +00:00
Thomas Müller effea790c7 redefine reopen() in class \OC\Session\Internal to avoid accidental calls in productive code 2014-03-18 11:44:22 +01:00
Thomas Müller 6bbbf8536f introduce reopen() method to be used for unit test execution only - right after a unit test has been executed the session will be reopened 2014-03-17 21:57:10 +01:00
Thomas Müller 9fe5033f1e PHPDoc updated 2014-03-10 17:15:19 +01:00
Thomas Müller a074adb2af fix close() implementation in \OC\Session\Internal 2014-03-10 15:36:20 +01:00
Thomas Müller 73a1ece753 adding an explicit close method to class session - write operations (set and remove) being called after close() will throw an exception 2014-03-10 14:21:12 +01:00
Jörn Friedrich Dreyer 2a6a9a8cef polish documentation based on scrutinizer patches 2014-02-06 17:02:21 +01:00
Robin Appelman 5c7a08aab4 check if a $_SESSION entry exists before we try to remove it 2013-12-11 12:59:48 +01:00
Robin Appelman a36bf5c2b5 preserve 3rd party values in in the Session destructor 2013-12-09 12:38:27 +01:00
Thomas Müller 6f3c49dabb fixing php 5.3 compatibility
PHP Fatal error: Can't inherit abstract function OCP\ISession::set() (previously declared abstract in OC\Session\Session)
2013-10-08 21:52:54 +02:00
Thomas Müller 9c9dc276b7 move the private namespace OC into lib/private - OCP will stay in lib/public
Conflicts:
	lib/private/vcategories.php
2013-09-30 16:36:59 +02:00