Session - Cookie Issue - Two Installations of PHPList

Post by Antonimo » 3:07pm, Tue 27 May, 2008

I have two installations of PHPList on the same domain. The first installation is in a sub-directory of the root called "lists" and the second is in a sub-directory called "subscribe".

Each installation uses its own database.

Each installation has different log on details for the admin.

I have tried to log in to each installation using the other's username and password and I cannot log in.

However, once I am logged in, I can substitute the word "lists" for "subscribe" in the URL and get in to the other installation.

As the login is stored in a cookie on my browser, I suspect that this is where the problem is. In fact, I cleared out all cookies then logged in to the first installation - then I opened another browser window to access the second installation. Monitoring the cookies I see that there is only one. When I delete this cookie, I am logged out of both installations.

The serious problem is that logging in to one installation should not give access to the second installation.

The cookie name is PHPSESSID (the default session name) - Where can this be changed? How can I prevent logging in to one installation giving access to the second?
Antonimo
PL Geek
 
Posts: 53
Joined: 10:53am, Tue 13 Feb, 2007

Post by Antonimo » 5:48am, Wed 11 Jun, 2008

Isn't this a serious security issue? Doesn't anybody have any ideas?
Antonimo
PL Geek
 
Posts: 53
Joined: 10:53am, Tue 13 Feb, 2007

Post by H2B2 » 12:53pm, Wed 11 Jun, 2008

Yes, this could be problematic if you have multiple installations and multiple administrators.

Could you file a bug report at www.mantis.phplist.com?

In the meantime you could use the htaccess files to password protect the admin directories of both installs, as suggested in the security documentation: http://docs.phplist.com/Security

I'll move this thread to the bug discussion forum.
H2B2
Moderator
 
Posts: 7188
Joined: 1:51am, Wed 15 Mar, 2006

Post by Antonimo » 2:46pm, Wed 11 Jun, 2008

Thanks H2B2,

I have filed a bug report at Mantis.

In the meantime, the .htaccess works but is a nuisance to the users who are logging in.
Antonimo
PL Geek
 
Posts: 53
Joined: 10:53am, Tue 13 Feb, 2007

Re: Session - Cookie Issue - Two Installations of PHPList

Post by H2B2 » 3:02am, Thu 29 Oct, 2009

Storing administrator sessions in a database table should solve this issue. To do so you need to enable the $SessionTableName option in config.php:
# you can store sessions in the database instead of the default place by assigning
# a tablename to this value. The table will be created and will not use any prefixes
# this only works when using mysql and only for administrator sessions
# $SessionTableName = "phplistsessions";


See also:
viewtopic.php?f=24&t=28812&p=69478#p69355
viewtopic.php?p=61369#61369
http://mantis.phplist.com/view.php?id=15029
H2B2
Moderator
 
Posts: 7188
Joined: 1:51am, Wed 15 Mar, 2006
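
An added example, not part of the thread and not phpList code: a small Python model of why one PHPSESSID cookie unlocks both admin areas, and why keeping sessions in each installation's own database stops it. Assumptions: the flag name admin_logged_in is hypothetical, each install's session table is taken to live in its own database, and the cookie Path case goes beyond what the thread discusses.

```python
# Constructed model, not phpList code: a browser cookie jar and two admin
# areas that trust a "logged in" flag found in the session store.
import secrets


def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")


def cookies_for(jar, request_path):
    """Cookies a browser would send; jar maps (name, path) -> value."""
    return {n: v for (n, p), v in jar.items() if path_match(request_path, p)}


class Install:
    """One installation; `store` stands in for PHP's session storage."""

    def __init__(self, base, store, cookie_path="/"):
        self.base, self.store, self.cookie_path = base, store, cookie_path

    def login(self, jar):
        sid = secrets.token_hex(16)
        self.store[sid] = {"admin_logged_in": True}  # hypothetical flag name
        jar[("PHPSESSID", self.cookie_path)] = sid

    def is_admin(self, jar):
        sid = cookies_for(jar, self.base + "/admin/").get("PHPSESSID")
        return bool(self.store.get(sid, {}).get("admin_logged_in"))


def cross_access(lists, subscribe):
    """Log in to `lists` only; return (lists admin?, subscribe admin?)."""
    jar = {}
    lists.login(jar)
    return lists.is_admin(jar), subscribe.is_admin(jar)


def scenarios():
    shared = {}  # default: both installs read the same session storage
    return {
        "default": cross_access(Install("/lists", shared), Install("/subscribe", shared)),
        "own_store": cross_access(Install("/lists", {}), Install("/subscribe", {})),
        # Path scoping only stops the browser sending the cookie; store is still shared.
        "own_path": cross_access(Install("/lists", shared, "/lists/"),
                                 Install("/subscribe", shared, "/subscribe/")),
    }
```

Calling scenarios() returns one (lists, subscribe) pair per configuration; only the default configuration reports admin access to the second installation.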

