Textpattern CMS support forum
4.0.6 Cookie behaviour with symbolic links to "textpattern" directory
As a matter of course I set new sites up with an “edit” symbolic link back to the textpattern directory. It’s easier for clients to remember “edit” than “textpattern”. And regardless of whether they logged into the former or latter, plugins just worked and there were no hiccups.
Now with 4.06 if you are logged in under “edit” and something requests “textpattern” you go back to the login page. Lots of plugins use “textpattern” so the situation is now unworkable. Lost functionality.
Can we have the cookie written for “/” rather than “/textpattern/” or “/edit/”?
Or could anyone possibly advise a better way to get back the symbolic link functionality?
Re: 4.0.6 Cookie behaviour with symbolic links to "textpattern" directory
Neither TXP 4.0.6 nor TXP 4.0.5 set an explicit path for the txp_login cookie, so the PHP setcookie function uses the current directory. I wonder if this was caused by a change in TXP or a change elsewhere. What happens if you now install TXP 4.0.5 instead of 4.0.6 on such a website?
Using / instead of the /textpattern directory is not an option (less secure).
If you let /edit redirect to /textpattern instead of using a symlink, your users can enter /edit, but they’ll login on /textpattern.
Last edited by ruud (2008-03-03 20:13:16)
Re: 4.0.6 Cookie behaviour with symbolic links to "textpattern" directory
This is definitely related to the 4.06 upgrade. I usually run late svns, and only started experiencing this behavior when I upgraded.
I run many txp sites on the same hosting setup and the only sites with problems are 4.0.6.
Re: 4.0.6 Cookie behaviour with symbolic links to "textpattern" directory
Hmm… I have a fresh 4.0.6 install here, did ln -s textpattern edit to create the symlink so I can now login using /edit instead of /textpattern. That seems to work okay, so the cookie is set correctly.
You mention plugins. Can you give an example of a plugin (preferably a small simple one) that causes the redirect to /textpattern and give exact steps to reproduce this?
Re: 4.0.6 Cookie behaviour with symbolic links to "textpattern" directory
You are correct, logging in will work just fine. But…
any plugin that specifies a /textpattern directory or creates a /textpattern link will redirect you to a login page, whereas previously this was not the case.
Re: 4.0.6 Cookie behaviour with symbolic links to "textpattern" directory
Ah, I think I know what happens. In both cases, 4.0.5 and 4.0.6, you have to login again if the plugin redirects to /textpattern while you previously logged in using /edit.
The difference is that in 4.0.6 you cannot stay logged in twice, both on /textpattern and /edit. This is the result of a security fix. The only real solution is not to symlink, but to redirect, so the user can enter /edit, but is redirected to /textpattern and logs in there… or do the opposite, and use mod_rewrite to redirect /textpattern to /edit.
Re: 4.0.6 Cookie behaviour with symbolic links to "textpattern" directory
ruud wrote:
The only real solution is not to symlink, but to redirect, so the user can enter /edit, but is redirected to /textpattern and logs in there… or do the opposite, and use mod_rewrite to redirect /textpattern to /edit.
So how exactly would the rewrite rule for “/edit” look in .htaccess (and where too?)
Re: 4.0.6 Cookie behaviour with symbolic links to "textpattern" directory
I have this:
RewriteEngine On
RewriteRule ^edit$ /edit/ [R=301,L]
RewriteRule ^edit/?(.*)$ /textpattern/$1 [NC,L]
then it continues with the RewriteCond … rules.
TXP Builders – finely-crafted code, design and txp
Re: 4.0.6 Cookie behaviour with symbolic links to "textpattern" directory
Thanks, here’s what I found.
.htaccess rewrite rules work, but have the same limitation as the symbolic link, i.e. invalid cookies (and the resulting login panel) when you switch between “/textpattern” and “/edit”.
>Ruud, how about a setting to allow multiple logins? What is the big security issue with that, in the real world? That is… what does it solve?
Re: 4.0.6 Cookie behaviour with symbolic links to "textpattern" directory
It requires an extra table and probably a non-trivial rewrite of the authentication code.
Disabling multiple logins is a side effect of a security fix that was implemented in 4.0.6.
Redirect, not rewrite, perhaps something like this:
RewriteEngine On
RewriteRule ^edit/?(.*)$ /textpattern/$1 [R=301,L]
Re: 4.0.6 Cookie behaviour with symbolic links to "textpattern" directory
OK, that works, and it’s pretty simple. Thanks.
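Added example (not part of any post in this thread, and not Textpattern code): a model of how a browser scopes a cookie that arrives without a Path attribute, following RFC 6265 section 5.1.4, applied to the three setups discussed above (symlink, internal rewrite, R=301 redirect). The helper names and sample URL paths are assumptions made for illustration; only the cookie-path side is modelled, not the server-side login check in 4.0.6.

```javascript
// Added example. Cookie rules follow RFC 6265 section 5.1.4; helper names are hypothetical.

// Path a browser assigns to a cookie that arrives without a Path attribute.
function defaultPath(urlPath) {
  const lastSlash = urlPath.lastIndexOf("/");
  if (!urlPath.startsWith("/") || lastSlash === 0) return "/";
  return urlPath.slice(0, lastSlash);
}

// True when a cookie scoped to cookiePath is attached to a request for urlPath.
function pathMatches(urlPath, cookiePath) {
  if (urlPath === cookiePath) return true;
  if (!urlPath.startsWith(cookiePath)) return false;
  // A prefix only counts at a "/" boundary, so /edit does not cover /editor.
  return cookiePath.endsWith("/") || urlPath[cookiePath.length] === "/";
}

// URL path the browser ends up on for each way of exposing /edit.
// "symlink" and "rewrite" (no R flag) are invisible to the browser;
// "redirect" mirrors: RewriteRule ^edit/?(.*)$ /textpattern/$1 [R=301,L]
function browserPath(setup, urlPath) {
  if (setup !== "redirect") return urlPath;
  return urlPath.replace(/^\/edit\/?(.*)$/, "/textpattern/$1");
}

// Log in via loginPath, then follow a link to laterPath: is the login cookie sent?
function cookieSent(setup, loginPath, laterPath) {
  const cookiePath = defaultPath(browserPath(setup, loginPath));
  return pathMatches(browserPath(setup, laterPath), cookiePath);
}

const pluginLink = "/textpattern/index.php"; // constructed: link emitted by a plugin
for (const setup of ["symlink", "rewrite", "redirect"]) {
  console.log(setup, {
    cookiePath: defaultPath(browserPath(setup, "/edit/index.php")),
    pluginLinkKeepsLogin: cookieSent(setup, "/edit/index.php", pluginLink),
    editLinkKeepsLogin: cookieSent(setup, "/edit/index.php", "/edit/index.php"),
  });
}

// Path=/ would attach the cookie to every request on the host, public pages included.
console.log("Path=/ matches /articles/1:", pathMatches("/articles/1", "/"));
```

With the symlink or the internal rewrite the browser never leaves /edit/, so the cookie is scoped to /edit and is not sent to /textpattern/ links; only the external redirect puts login and plugin links under the same path.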