[Phpgroupware-developers] Re: phpgw's handling of cookies


From: totschnig . michael
Subject: [Phpgroupware-developers] Re: phpgw's handling of cookies
Date: Sat, 07 Dec 2002 11:50:52 -0500
User-agent: Gnus/5.090008 (Oort Gnus v0.08) XEmacs/21.4 (Common Lisp, i386-redhat-linux)

"Patrick Walsh (mr_e)" <address@hidden> wrote:

>     I can answer this question as it relates to sitemgr.  If phpgroupware
> were located in a /group1 subdirectory, but sitemgr were located in the root
> directory or in a /group1web subdirectory or something, then the cookies
> wouldn't persist between the two directories.  To resolve this, the cookie
> is put at the root of the directory tree so that a person can switch from
> sitemgr's site to phpgroupware without losing their session information.

This means that this was introduced for sitemgr, if I understand
right. Wouldn't it be possible to proceed differently so that when a
user goes from phpgroupware to sitemgr we set the same cookie a second
time, with the path set for the sitemgr installation, and if we want
to go from sitemgr to phpgroupware we do the same thing? There might
be two other advantages to this approach:
- You could even configure the sitemgr-site with a virtual host that
is in another domain than sitemgr.
- You could enforce that all switches between phpgroupware and sitemgr-site
are either by design (and then we share the same session) or
accidental (and then we create different sessions). What I mean is
that you might want to browse the public site as an anonymous user,
and at the same time be logged in as a user. And you might prefer to
prevent completely that anonymous visitors to the public website log
into phpgroupware.

>  
>     Indeed the cookies are set for the whole domain instead of the specific
> host.  I can't remember what the reason is for this, but I know it was to
> fix a bug.  I think it had something to do with using PHP4 sessions where
> the PHP4 cookies were being set differently or something.  Skeeter probably
> would remember the issue better than I do.  This was definitely a solution
> to a series of cookie-related bugs though.

So this seems a quite dangerous way to proceed since it means that
in larger institutions like mine if I have phpgroupware on
myhost.uqam.ca, I set a cookie which will be seen by any other host in
uqam.ca, hosts I have no responsibility for at all?

>
>     So the question becomes how to accommodate a setup like yours, where
> people concurrently use different phpgw installs on the same server, but
> with separate credentials and sessions.
>
>     Suppose each site on your machine could have a unique identifier.
> Suppose all of the cookies specific to a given install were named
> name-identifier, such as session-0, session-1, etc.  You would still share
> the PHP4 session, but the phpgw session info, credentials, etc., would be
> separated.  Does that sound like it could work?

This makes sense to me. Would it mean that in header.inc.php we add a
field domain_identifier to $GLOBALS['phpgw_domain']['default'] and use
this in the session classes when constructing the cookies?

Michael
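
Added example, not part of the original message or of phpGroupWare's code: a small model of the RFC 6265 domain-match and path-match rules, comparing the domain-wide, root-path cookie discussed in this thread with host-only, per-install cookies. The host otherhost.uqam.ca and the cookie name "session" are constructed for illustration; the paths and the session-0/session-1 names are the ones used in the thread.

```python
# Added example: which requests would carry a cookie, per RFC 6265 scoping.
# "otherhost.uqam.ca" and the cookie name "session" are constructed values.

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_match(request_path, cookie_path):
    """RFC 6265 5.1.4: cookie path is a prefix ending on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(jar, host, path):
    """Names of the cookies a browser would attach to a request for host+path."""
    sent = []
    for c in jar:
        # A cookie set without a Domain attribute is host-only: exact match.
        host_ok = (host.lower() == c["host"] if c["domain"] is None
                   else domain_match(host, c["domain"]))
        if host_ok and path_match(path, c["path"]):
            sent.append(c["name"])
    return sorted(sent)

def cookie(name, origin_host, domain=None, path="/"):
    return {"name": name, "host": origin_host, "domain": domain, "path": path}

ORIGIN = "myhost.uqam.ca"
# Scoping discussed in the thread: whole domain, root path.
WIDE = [cookie("session", ORIGIN, domain="uqam.ca", path="/")]
# Narrow alternative: host-only, one cookie per install path, with a
# per-install name suffix (session-0, session-1 as proposed in the thread).
NARROW = [cookie("session-0", ORIGIN, path="/group1"),
          cookie("session-1", ORIGIN, path="/group1web")]

if __name__ == "__main__":
    requests = ((ORIGIN, "/group1/index.php"),
                (ORIGIN, "/group1web/index.php"),
                ("otherhost.uqam.ca", "/"))
    for label, jar in (("wide", WIDE), ("narrow", NARROW)):
        for host, path in requests:
            print(label, host, path, cookies_sent(jar, host, path))
```

Note that /group1 does not path-match /group1web, because the prefix must end on a "/" boundary, so the two installs in the narrow jar never see each other's cookie.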


