Serendipity 1.1: Login/Session Cookie Bug in Windows IIS

Some users have reported on the forums that they have had problems logging in to their Serendipity Admin suite since upgrading to version 1.1.

Thanks to Shadowin's help, it was discovered that the way the Windows IIS Server sets the $_SERVER['HTTPS'] variable caused this. According to the PHP documentation, $_SERVER['HTTPS'] should only contain a non-empty value when the connection uses SSL/HTTPS, in which case Serendipity issues a "secure" cookie. A browser only sends a "secure" cookie back over HTTPS, so when the flag is set on a plain HTTP connection the login session is lost.

To fix this odd behaviour in Serendipity 1.1 you need to open the file include/functions_config.inc.php and replace the line

$secure = !empty($_SERVER['HTTPS']) ? true : false;

with

$secure = (strtolower($_SERVER['HTTPS']) == 'on') ? true : false;

Also replace these lines in the file serendipity_config.inc.php:

if ($_SERVER['HTTPS']) {
  @ini_set('session.name', 'SSLSID');
  @ini_set('session.cookie_secure', '1');
}

with

if (strtolower($_SERVER['HTTPS']) == 'on') {
  @ini_set('session.name', 'SSLSID');
  @ini_set('session.cookie_secure', '1');
}

This will use a stricter check. For people who are afraid to edit that file, simply download this file and use it to replace your current include/functions_config.inc.php file. Also please download this file and use it to replace your serendipity_config.inc.php file.
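
The difference between the two checks, as an added example that is not part of Serendipity's code: it runs the old and the new test over constructed $_SERVER values and reports what happens to the login cookie. The "off" value for plain HTTP requests under IIS follows the PHP manual's note on ISAPI; the function names, the isset() guard and the HTTPS=1 case are assumptions of this example.

```php
<?php
// Added example, not Serendipity's code. All sample data is constructed.

// Serendipity 1.1 check: any non-empty value is treated as HTTPS.
function is_https_loose(array $server): bool
{
    return !empty($server['HTTPS']);
}

// Check from the fix above. The isset() guard is an addition of this
// example so that a missing key does not raise a notice.
function is_https_strict(array $server): bool
{
    return isset($server['HTTPS'])
        && strtolower((string) $server['HTTPS']) === 'on';
}

// A browser returns a Secure cookie only over HTTPS.
function cookie_returned(bool $secureFlag, bool $requestIsHttps): bool
{
    return !$secureFlag || $requestIsHttps;
}

// [label, constructed $_SERVER subset, is the connection really HTTPS?]
$cases = [
    ['HTTPS unset, HTTP', [],                 false],
    ['HTTPS=off, HTTP',   ['HTTPS' => 'off'], false], // IIS, per PHP manual
    ['HTTPS=on, HTTPS',   ['HTTPS' => 'on'],  true],
    ['HTTPS=ON, HTTPS',   ['HTTPS' => 'ON'],  true],
    ['HTTPS=1, HTTPS',    ['HTTPS' => '1'],   true],  // assumed setup
];

$checks = ['loose' => 'is_https_loose', 'strict' => 'is_https_strict'];

foreach ($cases as [$label, $server, $reallyHttps]) {
    foreach ($checks as $name => $check) {
        $secure = $check($server);
        if (!cookie_returned($secure, $reallyHttps)) {
            $result = 'LOGIN LOST: Secure cookie set over plain HTTP';
        } elseif ($reallyHttps && !$secure) {
            $result = 'login works, but cookie lacks the Secure flag';
        } else {
            $result = 'ok';
        }
        printf("%-18s %-6s secure=%-5s %s\n",
            $label, $name, var_export($secure, true), $result);
    }
}
```

Run it with the PHP command-line binary (PHP 7.1 or later). The HTTPS=1 row shows the trade-off of the stricter test: a server that signals HTTPS with a value other than "on" keeps working, but its session cookie goes out without the Secure flag.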

A fully patched 1.1.1 version will be made available later, when we have made sure that there are no other bugs left. So far, the 1.1 version has been received as very stable by the public! Thanks for improving Serendipity through your reports and help!

Comments

Laura:

That does not function

Dag Ole:

I changed the functions_config.inc.php but I can't find the section I'm supposed to change in serendipity_config.inc.php?

Kevin:

If you go to http://board.s9y.org/viewtopic.php?t=8205 the last post on the page explains everything needed.

Leroy Tomlin:

I have a development server currently powered by Serendipity 1.1.2, PHP 5.2.1, IIS and Windows Server 2000 SP4, and I am having the same problem. I thought this problem was fixed in version 1.1.1. I have reviewed all the fixes recommended here and on the forum http://board.s9y.org/viewtopic.php?t=8205, so far no success. Guys, let us join hands together. Please let me have your comments or suggestions. Much appreciated.

Garvin:

Hi Leroy!

Please come to the forums, where we will try to help you.

Do PHP sessions generally work on your server, have you made sure of that with another application that requires cookies? Like phpMyAdmin with "cookie" authentication? Please reply on the forums.

To me it sounds as if it's a server issue, not with S9y - the bug that had been there should really be fixed. :)

Best regards, Garvin

Leroy Tomlin:

In my humblest of opinion I think it may definitely be a problem with Serendipity, simply because I am using another PHP application (Powered by phpBB 2.0.22 © 2001 phpBB Group) on the same machine and it is working fine (I can log in to their admin system and use it without any problems).

Thanks for your response it was very quick!

Garvin:

Hi!

Replying here: http://board.s9y.org/viewtopic.php?t=9235
