Fix cookie domain for localhost

Web browsers don't appreciate a cookie domain without any dots. This patch detects the originally-requested domain for the request. If the domain does not contain dots (such as 'localhost' or the name of a local server on your network defined in your hosts file), no cookie domain is sent. The greatest symptom of this issue what the illustrious 'Invalid CSRF token' seen repeatedly on the scp login page. The reason is that the browser was rejecting the cookie from the server. Fixes #677, #672, #653

Fix cookie domain for localhost
Web browsers don't appreciate a cookie domain without any dots. This patch detects the originally-requested domain for the request. If the domain does not contain dots (such as 'localhost' or the name of a local server on your network defined in your hosts file), no cookie domain is sent. The greatest symptom of this issue what the illustrious 'Invalid CSRF token' seen repeatedly on the scp login page. The reason is that the browser was rejecting the cookie from the server. Fixes #677, #672, #653
faeed43c · Jared Hancock · f574da55 · faeed43c · faeed43c
Commit faeed43c authored 11 years ago by Jared Hancock
--- a/include/class.ostsession.php
+++ b/include/class.ostsession.php
@@ -25,19 +25,32 @@ class osTicketSession {
        if(!$this->ttl)
            $this->ttl=SESSION_TTL;

-        if (!defined('DISABLE_SESSION') && !OsticketConfig::getDBVersion()) {
-            //Set handlers.
-            session_set_save_handler(
-                array(&$this, 'open'),
-                array(&$this, 'close'),
-                array(&$this, 'read'),
-                array(&$this, 'write'),
-                array(&$this, 'destroy'),
-                array(&$this, 'gc')
-            );
-            //Forced cleanup.
-            register_shutdown_function('session_write_close');
-        }
+        if (defined('DISABLE_SESSION') || OsticketConfig::getDBVersion())
+            return;
+
+        # Cookies
+        // Avoid setting a cookie domain without a dot, thanks
+        // http://stackoverflow.com/a/1188145
+        $domain = null;
+        if (isset($_SERVER['HTTP_HOST'])
+                && strpos($_SERVER['HTTP_HOST'], '.') !== false
+                && !Validator::is_ip($_SERVER['HTTP_HOST']))
+            $domain = $_SERVER['HTTP_HOST'];
+        session_set_cookie_params(86400, ROOT_PATH, $domain,
+            osTicket::is_https());
+
+        //Set handlers.
+        session_set_save_handler(
+            array(&$this, 'open'),
+            array(&$this, 'close'),
+            array(&$this, 'read'),
+            array(&$this, 'write'),
+            array(&$this, 'destroy'),
+            array(&$this, 'gc')
+        );
+        //Forced cleanup.
+        register_shutdown_function('session_write_close');
+
        //Start the session.
        session_name('OSTSESSID');
        session_start();

--- a/main.inc.php
+++ b/main.inc.php
@@ -130,10 +130,6 @@
    else
        require(INCLUDE_DIR.'mysql.php');

-    #Cookies
-    session_set_cookie_params(86400, ROOT_PATH, $_SERVER['HTTP_HOST'],
-        osTicket::is_https());
-
    #CURRENT EXECUTING SCRIPT.
    define('THISPAGE', Misc::currentURL());
    define('THISURI', $_SERVER['REQUEST_URI']);