Hello Community,
recently I became aware that since CMSimple_XH 1.6 a session is started for each request -- even for visitors. It seems that we had better avoid that (it might not be complying with the EU "cookie law"). I suggest that we try (I'm not sure if that's possible without breaking some plugins, because of XH_CSRFProtection) to start a session only when the user logs in resp. is already logged in.
If nobody beats me to it, I'll come up with an analysis and a patch later.
Christoph
Don't start session for visitors
Christoph M. Becker – Plugins for CMSimple_XH
Re: Don't start session for visitors
Ah, you mean, we are getting 1.6.5 next weekend?
Well, some kind of auto-update would be welcome if the patch frequency stays this high.
cmb wrote:
a session is started for each request -- even for visitors.
You mean, every visitor visiting the page? And moving to another page of the site will start a new session? What happens if 100 visitors visit at the same time...? Or maybe such sites don't use XH, so if 10 visitors visit together?
Re: Don't start session for visitors
svasti wrote:
Ah, you mean, we are getting 1.6.5 next weekend?
No. Actually, I don't consider this issue to be a big problem, even if it might violate the "cookie law", because "nobody" cares about it. Just visit "any" major website, and you'll get cookies without explicitly having agreed (and often these cookies are third-party cookies, which may be much worse).
svasti wrote:
Well, some kind of auto-update would be welcome if the patch frequency stays this high.
I don't intend to release a new version every week, or even every month.
svasti wrote:
you mean, every visitor visiting the page?
Yes. You can watch the cookies to see that. And you may have a look inside your XAMPP's tmp/ folder, where the sess_* files are stored (use multiple browsers to simulate multiple visitors).
svasti wrote:
and moving to another page of the site will start a new session?
No. Once a session is started, its ID is usually stored in a cookie. When another page is requested, the cookie is sent back, and PHP opens the session for the respective session ID again.
svasti wrote:
What happens if 100 visitors visit at the same time...? Or maybe such sites don't use XH, so if 10 visitors visit together?
Every visitor gets his own session. No problem. (Unless the website is distributed across multiple servers, which is "rather uncommon" for CMSimple websites.)
Christoph M. Becker – Plugins for CMSimple_XH
Re: Don't start session for visitors
cmb wrote:
I suggest that we try (I'm not sure if that's possible without breaking some plugins, because of XH_CSRFProtection) to start a session only, when the user logs in resp. is already logged in.
If nobody beats me to it, I'll come up with an analysis and a patch later.
Starting the session (i.e. instantiating the CSRF protector) only when the user might already be logged in resp. when actually trying to log in, should be fine. So I suggest the following patch:
Index: cmsimple/cms.php
===================================================================
--- cmsimple/cms.php (revision 1402)
+++ cmsimple/cms.php (working copy)
@@ -906,7 +906,11 @@
*
* @tutorial XH_CSRFProtection.cls
*/
-$_XH_csrfProtection = new XH_CSRFProtection();
+if (isset($_COOKIE['status']) && $_COOKIE['status'] == 'adm'
+ || isset($_POST['keycut'])
+) {
+ $_XH_csrfProtection = new XH_CSRFProtection();
+}
$_XH_controller->handleLoginAndLogout();
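Review bot: the docblock directly above this hunk still documents `$_XH_csrfProtection` as unconditionally created, but after the change it only exists when the `status` cookie equals `adm` or `keycut` is posted; update the comment (and the `@tutorial XH_CSRFProtection.cls` text if it describes the life cycle) to state that plugins must check `isset($_XH_csrfProtection)` before using it, since that is exactly the plugin-breakage risk raised in the opening post. Two smaller points on the condition: parenthesise it as `(isset($_COOKIE['status']) && $_COOKIE['status'] == 'adm') || isset($_POST['keycut'])` so the intended precedence of `&&` over `||` is explicit, and use `=== 'adm'` rather than `==`. Note also that the decision keys on a client-supplied cookie value, so any client that sends `status=adm` still gets a session started; that is the pre-patch behaviour, not a new exposure, but it means this is a privacy/overhead filter for ordinary visitors, not an authorization check (that remains `handleLoginAndLogout()`).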
@@ -1408,6 +1412,8 @@
XH_emergencyTemplate();
}
-$_XH_csrfProtection->store();
+if (isset($_XH_csrfProtection)) {
+ $_XH_csrfProtection->store();
+}
?>
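Review bot: the `isset` guard before `store()` is correct, but it is now one of two identical guards (the other is in functions.php in this same patch) that have to be kept in step; a small helper such as `XH_storeCsrfToken()` (name is only a suggestion) that performs the `isset` check internally would keep both exit points consistent and give plugins a safe call to use instead of touching `$_XH_csrfProtection` directly.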
Index: cmsimple/functions.php
===================================================================
--- cmsimple/functions.php (revision 1402)
+++ cmsimple/functions.php (working copy)
@@ -2124,7 +2124,9 @@
tag('meta name="robots" content="noindex"'), "\n",
'</head>', "\n", '<body class="', $bodyClass,'"', onload(), '>', "\n",
$content, '</body>', "\n", '</html>', "\n";
- $_XH_csrfProtection->store();
+ if (isset($_XH_csrfProtection)) {
+ $_XH_csrfProtection->store();
+ }
exit;
}
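Review bot: this guard sits inside a function body, so `$_XH_csrfProtection` must be imported with `global` for `isset()` to see it; the hunk does not show that declaration, and if it is missing, `isset()` silently returns false and the token is never stored on this exit path, with no notice to flag the mistake. That silent failure mode is another argument for routing both call sites through one helper that reads the global itself.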
Christoph M. Becker – Plugins for CMSimple_XH
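The decision rule behind the patch, written out as a small stand-alone PHP script so the behaviour can be checked per request type. This is an added example and not CMSimple_XH code: xh_shouldStartSession(), xh_handleRequest() and the request fixtures are hypothetical names chosen for the illustration; only $_COOKIE['status'], $_POST['keycut'] and the store() call come from the thread. A no-op callback stands in for session_start() so the script runs on the CLI without emitting headers.

```php
<?php
declare(strict_types=1);

// Added example, not CMSimple_XH code. xh_shouldStartSession(),
// xh_handleRequest() and the fixtures are hypothetical names; the cookie and
// POST keys mirror the ones used in the patch above.

/**
 * The rule from the patch: a session (and with it the CSRF protector) is
 * needed only when the client presents the admin status cookie or submits a
 * login attempt. Strict comparison avoids PHP's type juggling.
 */
function xh_shouldStartSession(array $cookie, array $post): bool
{
    $adminCookie  = isset($cookie['status']) && $cookie['status'] === 'adm';
    $loginAttempt = isset($post['keycut']);
    return $adminCookie || $loginAttempt;
}

/**
 * Walk one request through the life cycle: optional session start, page
 * handling, and the guarded token store at the end. $startSession stands in
 * for session_start(). Returns what happened so each fixture can be checked.
 */
function xh_handleRequest(array $cookie, array $post, callable $startSession): array
{
    $csrfProtection = null;               // $_XH_csrfProtection in cms.php
    $sessionStarted = false;

    if (xh_shouldStartSession($cookie, $post)) {
        $startSession();
        $sessionStarted = true;
        $csrfProtection = new stdClass();  // stands in for new XH_CSRFProtection()
    }

    // ... page handling and rendering would happen here ...

    // The guard the patch adds at both exit points (cms.php and functions.php).
    $tokenStored = false;
    if ($csrfProtection !== null) {
        $tokenStored = true;              // stands in for $csrfProtection->store()
    }

    return ['session' => $sessionStarted, 'stored' => $tokenStored];
}

// Constructed request fixtures: cookie and POST arrays as PHP would populate them.
$fixtures = [
    'anonymous visitor'         => [[], []],
    'visitor with other cookie' => [['lang' => 'de'], []],
    'login attempt'             => [[], ['keycut' => 'secret']],
    'logged-in admin'           => [['status' => 'adm'], []],
];

$noop = function (): void {};  // replace with session_start() in real code
foreach ($fixtures as $label => [$cookie, $post]) {
    $result = xh_handleRequest($cookie, $post, $noop);
    printf("%-28s session=%-3s token stored=%s\n",
        $label,
        $result['session'] ? 'yes' : 'no',
        $result['stored'] ? 'yes' : 'no');
}
```

Run it with `php` on the command line: the two visitor fixtures report no session and no token store, while the login attempt and the admin cookie report both. Two things the output makes concrete: the token store is only ever reached when the protector was actually created, which is what the isset() guards in the patch enforce, and the `status` cookie is supplied by the client, so a client that sends `status=adm` still gets a session; the rule keeps sessions away from ordinary visitors, while the login itself remains the authorization check.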