From 8e72e521d48ca04fd8db7d05318e2c55b9b2d278 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Fri, 6 Sep 2013 15:12:48 +0000
Subject: [PATCH] Fix cookie domain for localhost

Web browsers don't appreciate a cookie domain without any dots. This patch
detects the originally-requested domain for the request. If the domain does
not contain dots (such as 'localhost' or the name of a local server on your
network defined in your hosts file), no cookie domain is sent.

The greatest symptom of this issue was the illustrious 'Invalid CSRF token'
seen repeatedly on the scp login page. The reason is that the browser was
rejecting the cookie from the server.

Fixes #677, #672, #653
---
 include/class.ostsession.php | 39 ++++++++++++++++++++++++------------
 main.inc.php                 |  4 ----
 2 files changed, 26 insertions(+), 17 deletions(-)

diff --git a/include/class.ostsession.php b/include/class.ostsession.php
index 7541e19ec..b99e5c991 100644
--- a/include/class.ostsession.php
+++ b/include/class.ostsession.php
@@ -25,19 +25,32 @@ class osTicketSession {
         if(!$this->ttl)
             $this->ttl=SESSION_TTL;
 
-        if (!defined('DISABLE_SESSION') && !OsticketConfig::getDBVersion()) {
-            //Set handlers.
-            session_set_save_handler(
-                array(&$this, 'open'),
-                array(&$this, 'close'),
-                array(&$this, 'read'),
-                array(&$this, 'write'),
-                array(&$this, 'destroy'),
-                array(&$this, 'gc')
-            );
-            //Forced cleanup.
-            register_shutdown_function('session_write_close');
-        }
+        if (defined('DISABLE_SESSION') || OsticketConfig::getDBVersion())
+            return;
+
+        # Cookies
+        // Avoid setting a cookie domain without a dot, thanks
+        // http://stackoverflow.com/a/1188145
+        $domain = null;
+        if (isset($_SERVER['HTTP_HOST'])
+                && strpos($_SERVER['HTTP_HOST'], '.') !== false
+                && !Validator::is_ip($_SERVER['HTTP_HOST']))
+            $domain = $_SERVER['HTTP_HOST'];
+        session_set_cookie_params(86400, ROOT_PATH, $domain,
+            osTicket::is_https());
+
+        //Set handlers.
+        session_set_save_handler(
+            array(&$this, 'open'),
+            array(&$this, 'close'),
+            array(&$this, 'read'),
+            array(&$this, 'write'),
+            array(&$this, 'destroy'),
+            array(&$this, 'gc')
+        );
+        //Forced cleanup.
+        register_shutdown_function('session_write_close');
+
         //Start the session.
         session_name('OSTSESSID');
         session_start();
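Review bot: The `isset($_SERVER['HTTP_HOST'])` check still passes a host that carries a port (`host.example:8080`, or `192.0.2.1:8080`, which `Validator::is_ip` presumably does not recognise as an address) straight into `session_set_cookie_params`, and browsers reject a cookie Domain attribute with a port just as they reject one without dots; strip it first, e.g. `$host = parse_url('http://'.$_SERVER['HTTP_HOST'], PHP_URL_HOST);` and run the dot and IP tests against `$host` instead of the raw header. The early `return` added at the top of the hunk now also skips the `session_name`/`session_start` lines below it, which the previous code reached regardless of the condition — if sessions are meant to start even when the custom handlers are not installed, the return should cover only the cookie and handler setup. The new call also leaves the fifth `httponly` parameter at its default; `session_set_cookie_params(86400, ROOT_PATH, $domain, osTicket::is_https(), true);` keeps the session id out of reach of page scripts. The enclosing method begins before the hunk.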
diff --git a/main.inc.php b/main.inc.php
index 428a33e4a..323a0a455 100644
--- a/main.inc.php
+++ b/main.inc.php
@@ -130,10 +130,6 @@
     else
         require(INCLUDE_DIR.'mysql.php');
 
-    #Cookies
-    session_set_cookie_params(86400, ROOT_PATH, $_SERVER['HTTP_HOST'],
-        osTicket::is_https());
-
     #CURRENT EXECUTING SCRIPT.
     define('THISPAGE', Misc::currentURL());
     define('THISURI', $_SERVER['REQUEST_URI']);
-- 
GitLab