[ic] CookieName directive fails

Kevin Walsh kevin at cursor.biz
Thu Aug 11 18:43:19 EDT 2005


Davor Ocelic [docelic at mail.inet.hr] wrote:
> Interchange cookie is in the form:
> 
>   SessionID (8 to 32 characters), followed by a colon (:),
>     followed by an IP address, username or domainname.
> 
> When no CookieName is set, the code takes the default path
> and extracts session ID by using this hard-coded regex:
> 
> MV_SESSION_ID=(\w{8,32})[:_]
> 
> As you see, from the complete MV_SESSION_ID string, it only
> takes first 8 to 32 characters, before the colon or underscore.
> 
> However, when CookieName *is* set, it tries to match this:
> 
> $::Instance->{CookieName}=($Vend::Cfg->{CookiePattern})
> 
> The problem is that CookiePattern is currently set to
> '[-\w:.]+', which is too liberal, and matches the whole cookie
> value instead of just the session part (8-32 chars) up to the first comma.
> 
> I suppose the solution is to change the default CookiePattern
> value from [-\w:.]+ to \w{8,32}
> 
> 
> Otherwise, I've tested and CookieName works properly "out of the box".
> 
To be honest, I can't see the point of the CookiePattern at all and,
given its problems, I'm wondering if anyone is actually making any
use of it at all in its current form.

I propose that we drop the CookiePattern altogether and use the CookieName
directly, which would allow the CookieName to be changed without losing
the cookieuser and cookiehost CGI values, and without losing the mv_pc
RESET facility.

A quickly knocked together, and untested, patch for that follows:

===================================================================
--- Dispatch.pm 9 Jun 2005 17:57:05 -0000       1.56
+++ Dispatch.pm 11 Aug 2005 22:37:11 -0000
@@ -1152,7 +1152,7 @@
        $sessionid = $CGI::values{mv_session_id} || undef
                and $sessionid =~ s/\0.*//s;

-       $::Instance->{CookieName} = $Vend::Cfg->{CookieName};
+       $::Instance->{CookieName} = $Vend::Cfg->{CookieName} || 'MV_SESSION_ID';

        if($CGI::values{mv_tmp_session}) {
 #::logDebug("setting tmp_session");
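Review bot: in the CookieName assignment, the `|| 'MV_SESSION_ID'` default makes `$::Instance->{CookieName}` always true from this point on, so any later test that uses its truthiness to tell a custom cookie name from the default no longer distinguishes the two. The `elsif ($::Instance->{CookieName} and defined $CGI::cookie)` branch was such a test and is removed in the next hunk, but as the patch is untested, other uses of `$::Instance->{CookieName}` should be checked for the same assumption. A one-line comment here saying the default is now applied before cookie parsing would make the ordering dependency explicit.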
@@ -1165,14 +1165,8 @@
        elsif ($sessionid and $CGI::values{mv_force_session}) {
                # do nothing
        }
-       elsif ($::Instance->{CookieName} and defined $CGI::cookie) {
-               $CGI::cookie =~ m{$::Instance->{CookieName}=($Vend::Cfg->{CookiePattern})};
-               $seed = $sessionid = $1;
-               $::Instance->{ExternalCookie} = $sessionid || 1;
-               $Vend::CookieID = $Vend::Cookie = 1;
-       }
        elsif (defined $CGI::cookie and
-                $CGI::cookie =~ /\bMV_SESSION_ID=(\w{8,32})
+                $CGI::cookie =~ /\b$::Instance->{CookieName}=(\w{8,32})
                                                                [:_] (
                                                                        (       \d{1,3}\.   # An IP ADDRESS
                                                                                \d{1,3}\.
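Review bot: the new match `/\b$::Instance->{CookieName}=(\w{8,32})` interpolates the configured name into the pattern unquoted, so any regex metacharacter in CookieName is read as pattern syntax instead of being matched literally, and a parenthesis in it would renumber the capture groups used after the match. Use `\b\Q$::Instance->{CookieName}\E=` instead. The removed branch was also the only place in these lines that set `$seed` and `$::Instance->{ExternalCookie}` for a custom cookie name, so confirm nothing depends on them now that custom names take the standard path.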
@@ -1188,8 +1182,6 @@
                $CGI::cookieuser = $4;
                $Vend::CookieID = $Vend::Cookie = 1;
     }
-
-       $::Instance->{CookieName} = 'MV_SESSION_ID' if ! $::Instance->{CookieName};

        $CGI::host = 'nobody' if $Vend::Cfg->{WideOpen};
===================================================================

-- 
   _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
  _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
 _/ _/    _/          _/ _/     _/    _/  _/_/    kevin at cursor.biz
_/   _/  _/_/_/_/      _/    _/_/_/  _/    _/
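
The difference between the two value patterns discussed in this thread, as an added example that is not part of the original message or of Interchange. The cookie name MYSHOP, the cookie values and the helper extract_session() are constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not Interchange code. All cookie values are constructed.
use strict;
use warnings;

# Hypothetical helper: pull the session id out of a Cookie header, given the
# configured cookie name and the pattern used for the captured value.
sub extract_session {
    my ($header, $name, $pattern) = @_;
    # \Q...\E keeps the configured name literal (a choice made in this example)
    return $header =~ /\b\Q$name\E=($pattern)/ ? $1 : undef;
}

my %patterns = (
    'CookiePattern default [-\w:.]+' => qr/[-\w:.]+/,   # value as described above
    'proposed \w{8,32}'              => qr/\w{8,32}/,   # session part only
);

# Cookie form from the thread: session id, a colon, then an IP address,
# domain name or username.
my @cookies = (
    'MYSHOP=Xk3Lq9Zt:192.168.1.10; other=1',
    'MYSHOP=Xk3Lq9Zt:shopper.example.com',
    'MYSHOP=Xk3Lq9Zt:jsmith',
);

for my $cookie (@cookies) {
    print "$cookie\n";
    for my $label (sort keys %patterns) {
        my $id = extract_session($cookie, 'MYSHOP', $patterns{$label});
        printf "  %-32s -> %s\n", $label, defined $id ? $id : '(no match)';
    }
}
```

With the liberal pattern the captured "session id" includes the colon and the host or user part, so it never equals the stored session id; with \w{8,32} only Xk3Lq9Zt is captured in all three cases.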



More information about the interchange-users mailing list