Last active
August 5, 2016 23:22
-
-
Save mmccall10/954136838f2b0908a73e to your computer and use it in GitHub Desktop.
Prevent session invalidation behind c9.io proxies for concrete5.7
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /************ | |
| concrete/src/Session/Session.php | |
| session validation starts at line 52 end at line 69 | |
| comment out $session->invalidate(); | |
| behind c9 proxies we know the ip and agent change each request | |
| leave comment for c9.io development only | |
| *************/ | |
| namespace Concrete\Core\Session; | |
| use Concrete\Core\Session\Storage\Handler\NativeFileSessionHandler; | |
| use Concrete\Core\Utility\IPAddress; | |
| use Config; | |
| use \Symfony\Component\HttpFoundation\Session\Session as SymfonySession; | |
| use \Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage; | |
| use \Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage; | |
| use Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler; | |
| use Core; | |
| class Session | |
| { | |
| public static function start() | |
| { | |
| $app = Core::make('app'); | |
| if ($app->isRunThroughCommandLineInterface()) { | |
| $storage = new MockArraySessionStorage(); | |
| } else { | |
| if (Config::get('concrete.session.handler') == 'database') { | |
| $db = \Database::get(); | |
| $storage = new NativeSessionStorage(array(), | |
| new PdoSessionHandler($db->getWrappedConnection(), array( | |
| 'db_table' => 'Sessions', | |
| 'db_id_col' => 'sessionID', | |
| 'db_data_col' => 'sessionValue', | |
| 'db_time_col' => 'sessionTime' | |
| ) | |
| ) | |
| ); | |
| } else { | |
| $savePath = Config::get('concrete.session.save_path') ?: null; | |
| $storage = new NativeSessionStorage(array(), new NativeFileSessionHandler($savePath)); | |
| } | |
| $options = Config::get('concrete.session.cookie'); | |
| if ($options['cookie_path'] === false) { | |
| $options['cookie_path'] = $app['app_relative_path'] . '/'; | |
| } | |
| $options['gc_max_lifetime'] = Config::get('concrete.session.max_lifetime'); | |
| $storage->setOptions($options); | |
| } | |
| $session = new SymfonySession($storage); | |
| $session->setName(Config::get('concrete.session.name')); | |
| static::testSessionFixation($session); | |
| return $session; | |
| } | |
| protected static function testSessionFixation(SymfonySession $session) | |
| { | |
| $iph = Core::make('helper/validation/ip'); | |
| $currentIp = $iph->getRequestIP(); | |
| $ip = $session->get('CLIENT_REMOTE_ADDR'); | |
| $agent = $session->get('CLIENT_HTTP_USER_AGENT'); | |
| if ($ip && $ip != $currentIp->getIp(IPAddress::FORMAT_IP_STRING) || $agent && $agent != $_SERVER['HTTP_USER_AGENT']) { | |
| //c9.io development session fix | |
| //$session->invalidate(); | |
| } | |
| if (!$ip && $currentIp !== false) { | |
| $session->set('CLIENT_REMOTE_ADDR', $currentIp->getIp(IPAddress::FORMAT_IP_STRING)); | |
| } | |
| if (!$agent && isset($_SERVER['HTTP_USER_AGENT'])) { | |
| $session->set('CLIENT_HTTP_USER_AGENT', $_SERVER['HTTP_USER_AGENT']); | |
| } | |
| } | |
| } |
Solved using config please see:
https://www.concrete5.org/community/forums/installation/concrete5-on-cloud9
/application/config/concrete.php
<?php
// Get remote address
$remoteIp = $_SERVER['REMOTE_ADDR'];
return array(
'security' => array(
'trusted_proxies' => array(
'ips' => [$remoteIp],
),
),
);
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm guessing one of the c7 updates rewrote the session area, because I'm not seeing what you saying to comment out in any of the files. How can this be fixed today?