Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.6.4

Bug #12112 Allow control of domain and path for cookies
Submitted: 2007-09-25 15:04 UTC
From: spoutnik Assigned: aashley
Status: Closed Package: Auth (version 1.5.4)
PHP Version: 4.3.10 OS: Windows XP pro
Roadmaps: 1.6.0    
Subscription  


 [2007-09-25 15:04 UTC] spoutnik (Cedric Billiet)
Description: ------------ Firefox adds the current working dir by default for setcookie(). In Auth.php (L.838 & 916) the setcookie does not add a path. the cookie is available only in the working dir that was in effect during the setcookie process. I made a hotfix for me but this let the cookie be available for the entire domain: setcookie('authchallenge', $this->session['challengecookie'],time()+$this->idle,"/"); Test script: --------------- Must have an Auth powered Application with advanced security enabled and an Auth check. Then, change dir and re-check Expected result: ---------------- no mismatch between $this->session['challengecookieold'] and $this->cookie['authchallenge'] Actual result: -------------- Security Breach. Challenge Cookie mismatch. (there is no cookie for the new working dir)

Comments

 [2008-02-25 22:36 UTC] mortoray (Ed Mort)
I second this request. If I am to use Auth on an entire system, it is logical that I will have several pages spread through sub-directories (as I do), any of which could trigger the login dialog.
 [2008-04-04 02:46 UTC] aashley (Adam Ashley)
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better. The advanced security cookie now uses the same settings as the PHP Session cookie.