Serendipity 1.1: Login/Session Cookie Bug in Windows IIS
Some users have reported on the forums that they have had problems logging in to their Serendipity Admin suite since the upgrade to version 1.1.
Thanks to the help of Shadowin, it was discovered that the way the Windows IIS server sets the $_SERVER['HTTPS'] variable caused this. According to the PHP documentation, $_SERVER['HTTPS'] should only contain a non-empty value when the request uses an SSL/HTTPS connection, in which case Serendipity would issue a "secure" cookie.
To fix this odd behaviour in Serendipity 1.1, open the file include/functions_config.inc.php and replace the line
$secure = !empty($_SERVER['HTTPS']) ? true : false;
with
$secure = (strtolower($_SERVER['HTTPS']) == 'on') ? true : false;
Also replace these lines in the file serendipity_config.inc.php:
if ($_SERVER['HTTPS']) {
    @ini_set('session.name', 'SSLSID');
    @ini_set('session.cookie_secure', '1');
}
with
if (strtolower($_SERVER['HTTPS']) == 'on') {
    @ini_set('session.name', 'SSLSID');
    @ini_set('session.cookie_secure', '1');
}
This will use a stricter check. For people who are afraid to edit that file, simply download this file and replace your current include/functions_config.inc.php file with it. Also please download this file and replace the serendipity_config.inc.php file with it.
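The difference between the two checks, as an added example that is not Serendipity's own code (the function names and sample $_SERVER arrays are constructed; it needs PHP 7.1 or later). The PHP manual notes that IIS with ISAPI sets HTTPS to "off" for plain-HTTP requests, a value the 1.1 check treats as non-empty:

```php
<?php
// Added example, not Serendipity code. Function names and the sample
// server arrays below are constructed for illustration.

// Check shipped in Serendipity 1.1: any non-empty value counts as HTTPS.
function secure_flag_1_1(array $server): bool
{
    return !empty($server['HTTPS']);
}

// Stricter check from the fix above, with an isset() guard added here so
// that a missing key does not raise an undefined-index notice.
function secure_flag_strict(array $server): bool
{
    return isset($server['HTTPS']) && strtolower($server['HTTPS']) === 'on';
}

// Constructed environments: [label, $_SERVER excerpt, request really HTTPS?]
$cases = [
    ['Apache, http',  [],                 false], // HTTPS key not set at all
    ['Apache, https', ['HTTPS' => 'on'],  true],
    ['IIS, http',     ['HTTPS' => 'off'], false], // non-empty, but not SSL
    ['IIS, https',    ['HTTPS' => 'on'],  true],
];

foreach ($cases as [$label, $server, $isHttps]) {
    $old = secure_flag_1_1($server);
    $new = secure_flag_strict($server);
    // A cookie marked "secure" is never sent back over plain HTTP, so
    // setting the flag on an http:// request loses the session on the
    // next page load and the admin login appears to fail.
    $oldResult = ($old && !$isHttps) ? 'login cookie dropped' : 'ok';
    $newResult = ($new && !$isHttps) ? 'login cookie dropped' : 'ok';
    printf(
        "%-14s 1.1: secure=%-5s (%s) | strict: secure=%-5s (%s)\n",
        $label,
        var_export($old, true),
        $oldResult,
        var_export($new, true),
        $newResult
    );
}
```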
A fully patched 1.1.1 version will be made available later, when we have made sure that there are no other bugs left. So far, the 1.1 version has been received as very stable by the public! Thanks for improving Serendipity through your reports and help!
Comments
Laura wrote:
That does not function
Dag Ole wrote:
I changed the functions_config.inc.php but I can't find the section I'm supposed to change in serendipity_config.inc.php?
Kevin wrote:
If you go to http://board.s9y.org/viewtopic.php?t=8205 the last post on the page explains everything needed.
Leroy Tomlin wrote:
I have a development server currently powered by Serendipity 1.1.2, PHP 5.2.1, IIS and Windows Server 2000 SP4, and I am having the same problem. I thought this problem was fixed in version 1.1.1. I have reviewed all the fixes recommended here and on the forum http://board.s9y.org/viewtopic.php?t=8205; so far no success. Guys, let us join hands together. Please let me have your comments or suggestions. Much appreciated.
Garvin wrote:
Hi Leroy!
Please come to the forums, where we will try to help you.
Do PHP sessions generally work on your server, have you made sure of that with another application that requires cookies? Like phpMyAdmin with "cookie" authentication? Please reply on the forums.
To me it sounds as if it's a server issue, not with S9y - the bug that had been there should really be fixed. :)
Best regards, Garvin
Leroy Tomlin wrote:
In my humblest of opinions I think it may definitely be a problem with Serendipity, simply because I am using another PHP application (Powered by phpBB 2.0.22 © 2001 phpBB Group) on the same machine and it is working fine (I can log in to their admin system and use it without any problems).
Thanks for your response it was very quick!
Garvin wrote:
Hi!
Replying here: http://board.s9y.org/viewtopic.php?t=9235