-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move ini_set calls before a new session is started #32298
Conversation
32eb385
to
80d496a
Compare
Codecov Report
@@ Coverage Diff @@
## master #32298 +/- ##
============================================
- Coverage 64.01% 63.99% -0.02%
- Complexity 18560 18564 +4
============================================
Files 1171 1171
Lines 69837 69857 +20
Branches 1267 1267
============================================
Hits 44706 44706
- Misses 24761 24781 +20
Partials 370 370
Continue to review full report at Codecov.
|
80d496a
to
178f78f
Compare
I don't quite understand why you move non-session related ini_set methods also into the session part Wondering about the https://symfony.com/doc/current/components/http_foundation.html#request Example: https://github.com/Sylius/Sylius/blob/master/web/app.php#L23-L27 |
I was a bit overmotivated as it seems ... 🤕
Our request object is already too big and has too much dependencies - initializing the request object at the wrong point in time leads to severe issues ..... |
178f78f
to
194b9c5
Compare
@patrickjahns please review once more - thx |
Hence the idea to have a slim If we think about a Middleware Handler approach, with each Middleware the request object could be either extended or wrapped to be passend down the line with more information. So we get rid of the request object dependencies and have a clear request -> response cycle |
|
||
private function start(): void { | ||
if (@\session_id() === '') { | ||
// prevents javascript from accessing php session cookies |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know this is just a code move - but do we have more information why this is? Wondering if this still holds true today
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This comment is basically just copied over from the php docs - http://php.net/manual/en/session.security.ini.php
fully understood the concept - no need to explain - question is how to do the transition. We basically need to remove the csrf check from IRequest - then the dependency cylce issue is gone. Not that critical ... we need to double check -> different PR |
👍 So for this PR to merge - I wonder if can get ui tests to run with https. That way the cookie change to move to https would be tested in the sessions. Needs some investigation @phil-davis @individual-it |
@patrickjahns there are ways to auto accept self signed SSL certificates in selenium, would need a practical try to see if they work for us |
opened issue for running tests with SSL: owncloud/QA#581 |
@DeepDiver1975 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Works for me.
@patrickjahns merge for master but block backport until acceptance tests are there ? having it in master will at least have this run on developers envs which might confirm further that it works |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Merging for master 👍
@PVince81 - lets go ahead |
stable10: #32538 |
Description
Alternative approach to #31525
Inspired by https://github.com/joomla/joomla-cms/pull/15742/files
Related Issue
How Has This Been Tested?
Types of changes
Checklist:
Open tasks: