Don't start session for visitors

Discussions and requests related to new CMSimple features, plugins, templates etc. and how to develop.
Please don't ask for support in this forum!
cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Don't start session for visitors

Post by cmb » Wed Oct 01, 2014 3:33 pm

Hello Community,

recently I became aware that since CMSimple_XH 1.6 a session is started for each request -- even for visitors. It seems that we had better avoid that (it might not comply with the EU "cookie law"). I suggest that we try (I'm not sure if that's possible without breaking some plugins, because of XH_CSRFProtection) to start a session only when the user logs in or is already logged in.

If nobody beats me to it, I'll come up with an analysis and a patch later.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH

svasti
Posts: 1651
Joined: Wed Dec 17, 2008 5:08 pm

Re: Don't start session for visitors

Post by svasti » Wed Oct 01, 2014 9:57 pm

Ah, you mean, we are getting 1.6.5 next weekend? :shock:
Well, some kind of auto-update would be welcome if the patch frequency stays this high. :geek:
cmb wrote:a session is started for each request -- even for visitors.
You mean every visitor visiting the page? And moving to another page of the site will start a new session? What happens if 100 visitors visit at the same time...? Or maybe such sites don't use XH :-(, so if 10 visitors visit together?

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: Don't start session for visitors

Post by cmb » Wed Oct 01, 2014 10:58 pm

svasti wrote:Ah, you mean, we are getting 1.6.5 next weekend? :shock:
No. :) Actually, I don't consider this issue to be a big problem, even if it might violate the "cookie law", because "nobody" cares about it. Just visit "any" major website, and you'll get cookies without having explicitly agreed (and often these cookies are third-party cookies, which may be much worse).
svasti wrote:Well, some kind of auto-update would be welcome if the patch frequency stays this high. :geek:
I don't intend to release a new version every week, or even every month. :)
svasti wrote:you mean, every visitor visiting the page?
Yes. You can watch the cookies to see that. And you may have a look inside your XAMPP's tmp/ folder, where the sess_* files are stored (use multiple browsers to simulate multiple visitors).
svasti wrote:and moving to another page of the site will start a new session?
No. Once a session is started its ID is usually stored in a cookie. When another page is requested, the cookie is sent back, and PHP opens the session for the respective session ID again.
svasti wrote:What happens if 100 visitors visit at the same time...? Or maybe such sites don't use XH :(, so if 10 visitors visit together?
Every visitor gets his own session. No problem. (Unless the website is distributed across multiple servers, which is "rather uncommon" for CMSimple websites.)
Christoph M. Becker – Plugins for CMSimple_XH

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: Don't start session for visitors

Post by cmb » Sun Nov 16, 2014 2:38 pm

cmb wrote:I suggest that we try (I'm not sure if that's possible without breaking some plugins, because of XH_CSRFProtection) to start a session only when the user logs in or is already logged in.

If nobody beats me to it, I'll come up with an analysis and a patch later.
Starting the session (i.e. instantiating the CSRF protector) only when the user might already be logged in or is actually trying to log in should be fine. So I suggest the following patch:


Index: cmsimple/cms.php
===================================================================
--- cmsimple/cms.php	(revision 1402)
+++ cmsimple/cms.php	(working copy)
@@ -906,7 +906,11 @@
  *
  * @tutorial XH_CSRFProtection.cls
  */
-$_XH_csrfProtection = new XH_CSRFProtection();
+if (isset($_COOKIE['status']) && $_COOKIE['status'] == 'adm'
+    || isset($_POST['keycut'])
+) {
+    $_XH_csrfProtection = new XH_CSRFProtection();
+}
 
 $_XH_controller->handleLoginAndLogout();
 
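Review bot: the condition on the new `if` mixes `&&` and `||` without parentheses; PHP binds `&&` tighter, so it evaluates as `(isset(status) && status == 'adm') || isset(keycut)`, which is what is intended, but wrapping the first clause in parentheses would make that explicit for the next reader. The bigger review point is that `$_XH_csrfProtection` is now undefined for ordinary visitors, so any plugin that dereferences the global unconditionally (e.g. calls `->check()` on every request) will fail with "call to a member function on null"; this behaviour change should be documented for plugin authors, and a null-safe accessor considered. Note that the `status` cookie is client-controlled, so it only gates whether a session is created, not any authorization; that is fine for this purpose.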
@@ -1408,6 +1412,8 @@
     XH_emergencyTemplate();
 }
 
-$_XH_csrfProtection->store();
+if (isset($_XH_csrfProtection)) {
+    $_XH_csrfProtection->store();
+}
 
 ?>
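Review bot: the `isset` guard is correct, but the knowledge of when the protector exists is now spread across three call sites (the instantiation above, this `store()`, and the one in functions.php); a small helper such as `XH_storeCsrfToken()` that wraps `if (isset($_XH_csrfProtection)) { $_XH_csrfProtection->store(); }` would keep them in sync if the start condition changes later. While touching the end of this file, the trailing `?>` in the unchanged context is a classic source of accidental whitespace output after headers; dropping it is a harmless cleanup for a pure-PHP file.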
Index: cmsimple/functions.php
===================================================================
--- cmsimple/functions.php	(revision 1402)
+++ cmsimple/functions.php	(working copy)
@@ -2124,7 +2124,9 @@
         tag('meta name="robots" content="noindex"'), "\n",
         '</head>', "\n", '<body class="', $bodyClass,'"', onload(), '>', "\n",
         $content, '</body>', "\n", '</html>', "\n";
-    $_XH_csrfProtection->store();
+    if (isset($_XH_csrfProtection)) {
+        $_XH_csrfProtection->store();
+    }
     exit;
 }
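Review bot: `isset($_XH_csrfProtection)` inside this function only sees the global when the function declares `global $_XH_csrfProtection;`, and that declaration is not visible in the hunk's context. Since the old line called `->store()` on it directly, the declaration is presumably already there, but it is worth confirming: with a missing declaration the `isset` silently evaluates to false and the token is never stored on this exit path, which would surface only as mysteriously failing CSRF checks after an emergency-template page.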
Christoph M. Becker – Plugins for CMSimple_XH
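As an added example, not part of the patch above or of CMSimple_XH itself, here is the same lazy-session rule written as two self-contained PHP functions, so that the decision ("may this client already be logged in, or is it attempting to log in?") lives in one place and the session is started at most once per request. The function names and the front-controller usage are assumptions for illustration; the `status` cookie and the `keycut` POST field are the ones the patch relies on. It assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not CMSimple_XH code): decide whether a request needs a
// session, so anonymous visitors never receive a PHPSESSID cookie.

/**
 * A session is wanted only when the client may already be logged in
 * (the 'status' cookie says 'adm') or a login is being attempted
 * (the 'keycut' password field was posted). The cookie is client
 * controlled, so this gates session creation, never authorization.
 */
function xh_session_wanted(array $cookie, array $post): bool
{
    $maybeLoggedIn = isset($cookie['status']) && $cookie['status'] === 'adm';
    $loginAttempt  = isset($post['keycut']);
    return $maybeLoggedIn || $loginAttempt;
}

/**
 * Start the session at most once, and only if wanted.
 * Returns true when a session is active after the call.
 */
function xh_start_session_if_wanted(array $cookie, array $post): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;                      // already started by someone else
    }
    if (!xh_session_wanted($cookie, $post)) {
        return false;                     // plain visitor: no cookie is set
    }
    // Since a session cookie is being issued anyway, keep it out of reach
    // of scripts and off cross-site requests (assumed PHP 7.3+ signature).
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
    return session_start();
}

// Usage at the top of a front controller (assumed placement):
$sessionActive = xh_start_session_if_wanted($_COOKIE, $_POST);
if ($sessionActive) {
    // instantiate the CSRF protector / token handling here
}
```

With this layout the "is there a protector?" question the patch answers with `isset($_XH_csrfProtection)` becomes a single boolean, and a plugin that needs the token can ask `session_status() === PHP_SESSION_ACTIVE` instead of dereferencing a possibly undefined global.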

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: Don't start session for visitors

Post by cmb » Sat Dec 27, 2014 6:35 pm

Done (r1410).
Christoph M. Becker – Plugins for CMSimple_XH
