
Closed #513: #309 reintroduced (PHP session's cookie domain + port)

Issue #309 was reintroduced in 2.1.2, so I’ve just copy-pasted the description from it.

However, the workaround is different now. The port can be removed by replacing line 45 (I’m not sure about other invocations of getDomain()) in symphony/lib/core/class.session.php with the following:

session_set_cookie_params($lifetime, $path, ($domain ? $domain : substr(self::getDomain(), 0, strpos(self::getDomain().":", ":"))), false, $httpOnly);

Here is the original issue description:

PHP’s setcookie, session_set_cookie_params, etc. shouldn’t include the port in the cookie domain parameter, since this would not be recognized correctly. The issue can be found with projects on multiple servers, when the cookie will be rejected due to different ports on the servers.

According to http://www.faqs.org/rfcs/rfc2965.html, the set-cookie2 function supports the port parameter. However, I’m not sure about its current implementation in PHP, despite some patches in the dev branch.

It would be good if Symphony handled this either by using some set-cookie2 implementation or, at least, by stripping it from the domain per some Symphony configuration option.

Currently, in class.session.php, line 83, the following code adds the port to the cookie domain parameter: $domain .= ':' . $parsed['port']. Simply commenting out this code resolves the problem.

I believe this issue has already been resolved in the Symphony 2.2 betas.

The getDomain function only works with PHP’s HTTP_HOST which does not include any port information.

As a sidenote, judging by the .git history, this issue should not be in Symphony 2.1.x branch as it was resolved July 2010.

Can you confirm you are using Symphony 2.1.2 and can recreate this issue?

Yep, per my manifest/config.php: 'useragent' => 'Symphony/2.1.2'. Actually, HTTP_HOST is taken from the “Host” HTTP request header, which usually includes the port if the port is specified directly in the URL.

I’ve just double-checked: accessing host:port causes HTTP_HOST to be filled with the same “host:port” value, while SERVER_NAME gives only the hostname.

So, it seems like SERVER_NAME is preferable here.

Interesting, what version of Apache are you running? What port did you use?

I can’t reproduce this locally, I’ve just tried http://symphony.local:80/ and the HTTP_HOST and SERVER_NAME are both the same, with the SERVER_PORT being 80.

I need to double-check the Apache version, but it should be 2.2.15. It’s configured for a virtual host with port 801.

Yep, Apache 2.2.15.

Thanks, I’ll have a bit more of a poke around with this and see what I can come up with :)

Well this sent me down a bit of a rabbit hole!

In the end, Session is about maintaining a cookie for the user, and SERVER_NAME is read from the Apache virtual host config, so it may differ from the URL the user is on, which would result in the cookie not sticking.

I’ve implemented a fix similar to what you have suggested, by stripping the port from the HTTP_HOST, which will hopefully solve your issues, in this commit.

This issue is closed.
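
Added example (not Symphony's code and not the commit referenced in the thread): one way to derive the cookie domain from the client-supplied Host header, as the thread's workaround and fix both do. It goes beyond the thread by also handling bracketed IPv6 literals, which a first-colon split would truncate, and by rejecting values that are not plain hostnames. The function name cookie_domain_from_host() and the sample values are assumptions made for illustration.

```php
<?php
// Hypothetical helper, added for illustration. Returns a value suitable for the
// $domain argument of session_set_cookie_params(), or '' to let PHP issue a
// host-only cookie when the Host header is missing, malformed or an IP literal.
function cookie_domain_from_host($hostHeader)
{
    $host = strtolower(trim((string) $hostHeader));
    if ($host === '') {
        return '';
    }

    // Bracketed IPv6 literal such as "[::1]:801": this example chooses a
    // host-only cookie, since Domain suffix matching applies to host names only.
    if ($host[0] === '[') {
        return '';
    }

    // Strip an optional trailing ":port" (digits only).
    $host = preg_replace('/:\d{1,5}$/D', '', $host);

    // The Host header is attacker-controlled: accept DNS hostname syntax only.
    $label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/^(?=.{1,253}$)' . $label . '(\.' . $label . ')*$/D', $host)) {
        return '';
    }

    // Dotted-quad IPv4 passes the hostname pattern; treat it like IPv6 above.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return '';
    }

    return $host;
}

// Constructed sample Host header values (not taken from the thread's servers).
$samples = array('host.example:801', 'symphony.local:80', 'symphony.local',
                 '[::1]:801', '127.0.0.1:801', "evil.example\r\nX: y", '');
foreach ($samples as $s) {
    printf("%-26s => '%s'\n", json_encode($s), cookie_domain_from_host($s));
}

// Intended call site, mirroring the line quoted in the thread:
// session_set_cookie_params($lifetime, $path,
//     cookie_domain_from_host(isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : ''),
//     false, $httpOnly);
```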
