[ic] Patch: Remove REMOTE_USER From Session Name

Mark Johnson mark at endpoint.com
Mon Apr 6 19:10:19 UTC 2020


On 4/6/20 1:23 PM, Mike Heins wrote:
> On Mon, Apr 6, 2020 at 10:46 AM Jon Jensen <jon at endpoint.com> wrote:
> 
>> On Sun, 5 Apr 2020, Mike Heins wrote:
>>
>>> Certainly could put
>>>
>>> if($Pragma->{session_remote_user} and defined $CGI::user and $CGI::user) {
>>>     $host = escape_chars($CGI::user);
>>> }
>>> elsif($Pragma->{session_remote_user} and $CGI::cookieuser) {
>>>     $host = $CGI::cookieuser;
>>> }
>>> elsif($CGI::cookiehost) {
>>>     $host = $CGI::cookiehost;
>>> }
>>>
>>> and allow for any users where this would break them. Though I doubt there
>>> would be any.
>>
>> I like that idea if anyone reports breakage, but since
>> "session_remote_user" isn't an existing pragma, someone who needs it
>> probably wouldn't notice it in our release notes and wouldn't use it, so
>> would get breakage anyway. 😊 Might as well just wait till that happens
>> and add it then, and avoid supporting a likely unused feature.
>>
>> The only purpose of this behavior that I can think of is that users
>> authenticated with HTTP basic auth can move between IP addresses *and*
>> without a cookie, and not lose their session. Anyone know otherwise?
>>
>> Maybe the biggest question is when the last time was that anyone used HTTP
>> basic auth for user authentication at all, much less depended on the
>> session sticking without cookies ...
>
> Well, I did use it for a bifurcated admin server that required HTTP Basic
> authorization, but I am guessing that was 2005 or so. :) As I said,
> probably affects no one. I just have always put a workaround in anytime I
> break something instead of leaving it high and dry, but at this point I
> doubt it matters.

So prospective patches based on both approaches. I'm inclined to full
removal, but am satisfied with either approach since the pragma approach
disables by default.

Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vend_session.diff
Type: text/x-patch
Size: 484 bytes
Desc: not available
URL: <https://www.interchangecommerce.org/pipermail/interchange-users/attachments/20200406/ee8a4031/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vend_session_pragma.diff
Type: text/x-patch
Size: 562 bytes
Desc: not available
URL: <https://www.interchangecommerce.org/pipermail/interchange-users/attachments/20200406/ee8a4031/attachment-0001.bin>
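The following stand-alone Perl script is an added illustration of the pragma-gated selection quoted in the thread; it is neither Mark's attached patch nor Interchange's own `Vend::Session` code. The `$cgi` hashref standing in for the `$CGI::` globals, the simplified `escape_chars`, and the fall-through to the client address are assumptions made for this example. It shows the behavioural difference under discussion: a basic-auth user with no cookie who moves between addresses keeps the same session only when `session_remote_user` is enabled.

```perl
#!/usr/bin/env perl
# Added example, not Interchange code: pragma-gated choice of the host
# component of a session name, following the if/elsif chain from the thread.
use strict;
use warnings;

# Simplified stand-in for Interchange's escape_chars (assumed behaviour):
# percent-encode anything outside [A-Za-z0-9_.-] so the login name is safe
# to use inside a session identifier.
sub escape_chars {
    my ($s) = @_;
    $s =~ s/([^\w\-.])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Returns the host component of the session name.
#   $pragma: hashref of pragmas (only session_remote_user matters here)
#   $cgi:    hashref with user, cookieuser, cookiehost, remote_addr
#            (constructed stand-in for $CGI::user and friends)
sub session_host {
    my ($pragma, $cgi) = @_;
    my $host;
    if ($pragma->{session_remote_user} and defined $cgi->{user} and $cgi->{user}) {
        # REMOTE_USER from HTTP basic auth: session follows the login name
        $host = escape_chars($cgi->{user});
    }
    elsif ($pragma->{session_remote_user} and $cgi->{cookieuser}) {
        $host = $cgi->{cookieuser};
    }
    elsif ($cgi->{cookiehost}) {
        # host recorded in the session cookie
        $host = $cgi->{cookiehost};
    }
    else {
        # assumed default when nothing else applies: the client address
        $host = $cgi->{remote_addr};
    }
    return $host;
}

# Constructed requests: the same basic-auth user, no cookie, two addresses.
my @requests = (
    { user => 'alice', cookieuser => undef, cookiehost => undef, remote_addr => '192.0.2.10' },
    { user => 'alice', cookieuser => undef, cookiehost => undef, remote_addr => '192.0.2.11' },
);

for my $pragma ({}, { session_remote_user => 1 }) {
    my @hosts = map { session_host($pragma, $_) } @requests;
    my $label = $pragma->{session_remote_user} ? 'pragma on ' : 'pragma off';
    printf "%s: %s -> %s (%s)\n", $label, @hosts,
        $hosts[0] eq $hosts[1] ? 'same session' : 'new session';
}
```

With the pragma off the second request yields a different host component, so the cookie-less user gets a fresh session after changing address; with it on, both requests map to the escaped login name. Whether keying a session to `REMOTE_USER` is desirable depends on whether basic-auth users are expected to roam without cookies, which is the question the thread raises.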