eZ Publish / Platform / EZP-23169

eZ Publish allows invalid session name (not eZSESSID*)


Details

    • Type: Bug
    • Resolution: Invalid
    • Priority: High
    • None
    • 5.3, 5.3.1, 5.3.2
    • Platform stack
    • None

    Description

      In eZ Publish 5.3 some changes have been made to the session mechanism, namely:

      * Session name is now always prefixed by `eZSESSID`.
      
      * `is_logged_in` cookie is not sent or used any more by Symfony stack (it is still used by legacy though).
        Anonymous state is now checked by the presence of a session cookie (prefixed by `eZSESSID`).
      

      The code implementation reflects this, and in multiple places expects the session name to be prefixed this way.

      However, there are multiple issues:

      • The default session name for a new siteaccess is eZSESSID<siteaccess_hash>, so it won't be shared with others
      • The default configuration in ezpublish.yml is 'eZSESSID' (for SAs created during setup), but this value can be modified to "whatever" (without the needed prefix)
      • ezpublish.yml.example does not document this limitation, and actually uses an incorrect example:
        frontend_group:
            # Session name will be common for all siteaccesses members of this group
            # It means that session will be shared for frontend siteaccesses, but not with backoffice
            session:
                name: MyFrontendSessionName
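
A lint for the condition the report describes, as an added example that is not part of the issue or of eZ Publish's own code: it flags `session.name` values that lack the `eZSESSID` prefix and models the prefix-based cookie check the description mentions. The function names, the dict input shape and the `admin_group` / `site_default` entries are assumptions made for illustration.

```python
"""Added example: flag session names lacking the eZSESSID prefix (not eZ code)."""

SESSION_PREFIX = "eZSESSID"  # prefix named in the report


def find_unprefixed_session_names(system_config):
    """Return {scope: name} for every scope whose session.name lacks the prefix.

    `system_config` maps a siteaccess or group name to its settings, the shape
    of the ezpublish.yml excerpt in the report (e.g. output of a YAML parser).
    Scopes without an explicit session.name are skipped: per the report the
    default name is already prefixed.
    """
    offenders = {}
    for scope, settings in system_config.items():
        session = (settings or {}).get("session") or {}
        name = session.get("name")
        if name is not None and not str(name).startswith(SESSION_PREFIX):
            offenders[scope] = str(name)
    return offenders


def looks_logged_in(cookie_names):
    """Hypothetical model of the check described in the report: a cookie whose
    name starts with eZSESSID is taken to mean 'not anonymous'."""
    return any(name.startswith(SESSION_PREFIX) for name in cookie_names)


# Constructed sample input; frontend_group mirrors the ezpublish.yml.example excerpt.
SAMPLE = {
    "frontend_group": {"session": {"name": "MyFrontendSessionName"}},
    "admin_group": {"session": {"name": "eZSESSID_admin"}},  # constructed
    "site_default": {"languages": ["eng-GB"]},               # no session block
}

if __name__ == "__main__":
    for scope, name in sorted(find_unprefixed_session_names(SAMPLE).items()):
        print(f"{scope}: session name {name!r} does not start with {SESSION_PREFIX}")
    # A client holding only the unprefixed cookie is not recognised by a prefix check.
    print(looks_logged_in(["MyFrontendSessionName"]))
    print(looks_logged_in(["eZSESSID_admin"]))
```
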
        

          People

            Assignee: Unassigned
            Reporter: Joao Inacio (Inactive), joao.inacio-obsolete@ez.no