- May 26, 2014
-
-
Jared Hancock authored
ee91d179 introduced a slightly different tracking system for detecting sessions. Instead of completely disabling the session system for AJAX and cron requests, it detects if the session is new or not based on the session_id() and existing data in the session backend. However, the patch did not correctly determine if a session was new. Instead, it flagged all sessions as existing. This patch fixes the detection of existing session data so that AJAX and cron requests can operate without writing session data to the backend.
-
- Apr 25, 2014
-
-
Jared Hancock authored
DISABLE_SESSION define is changed so that existing sessions are continued but new sessions are not saved. This allows external auth backends to redirect to an external site and that site to redirect back to a `/api` URL and the user's session will be continued.
-
- Feb 18, 2014
-
-
Peter Rotich authored
This is necessary to make sure session data is saved on redirect.
-
- Feb 13, 2014
-
-
Jared Hancock authored
-
- Jan 15, 2014
-
-
Jared Hancock authored
And deadband session token updates to 1 per 30 seconds
-
- Sep 23, 2013
-
-
Jared Hancock authored
8e72e521 (v1.7.1.2+) introduced a bug where osTicket version 1.6 would not send a cookie (by calling PHP session_start()) for the login page. Therefore, after unpacking the 1.7.1 source code, an upgrade would not be possible, because a login would never be processed correctly.
-
- Sep 13, 2013
-
-
Jared Hancock authored
if the domain given in HTTP_HOST variable happens to have a port specification. Technically, the port specification should not be included in the domain spec given in the cookie. (And for the record, that makes no sense to me, seeing as a cookie would otherwise be valid for all servers on any ports at a particular domain).
-
- Sep 06, 2013
-
-
Jared Hancock authored
Web browsers don't appreciate a cookie domain without any dots. This patch detects the originally-requested domain for the request. If the domain does not contain dots (such as 'localhost' or the name of a local server on your network defined in your hosts file), no cookie domain is sent. The greatest symptom of this issue was the illustrious 'Invalid CSRF token' seen repeatedly on the scp login page. The reason is that the browser was rejecting the cookie from the server. Fixes #677, #672, #653
-
Jared Hancock authored
Web browsers don't appreciate a cookie domain without any dots. This patch detects the originally-requested domain for the request. If the domain does not contain dots (such as 'localhost' or the name of a local server on your network defined in your hosts file), no cookie domain is sent. The greatest symptom of this issue was the illustrious 'Invalid CSRF token' seen repeatedly on the scp login page. The reason is that the browser was rejecting the cookie from the server. Fixes #677, #672, #653
-
- Aug 07, 2013
-
-
Jared Hancock authored
Which will help against clobbering session cookies against other PHP applications shared on a parent domain of the domain hosting osTicket or in a parent folder or virtual folder.
-
- Jul 12, 2013
-
-
Jared Hancock authored
Disable DB session storage. This chews up database space and processing time for a request that will never resume the same session (given the current API model anyway).
-
- May 28, 2013
-
-
Jared Hancock authored
  - timezone_offset was dropped from the config table at 1.7-dpr1
  - upgrader: only apply five patches in one request
  - upgrader: fix readPatchInfo to work correctly
  - session: support migrating from 1.6 (again)
  - config: support migrating from 1.6 (fallback)
  - config: no default for 'isonline' setting
  - config: fix SQL whitespace issue for schema signature fallbacks
  - config: hash 1.6 versions in the schema signature lookup
  - upgrader: fix logging bug in attachment migration
-
Jared Hancock authored
Allow (a subset of) the configuration to also be saved in the session to make session-backed data more consistent and compatible with up-and-coming multi-site setups.
-
- May 23, 2013
-
-
Jared Hancock authored
Drop required usage of MyISAM tables, and drop fulltext indexes as they are not used in the code currently anyway. Also, use a blob to store session data so as not to waste space with UTF-8 encoding. Lastly, fix session_id storage to use VARCHAR(255) which is required for versions of MySQL < 5.0.3, and use ascii for the storage model for the session_id as it will contain simple characters only.
-
- Feb 19, 2013
-
-
Peter Rotich authored
-
- Jun 28, 2012
-
-
Jared Hancock authored
Migrate the PHP session from disk to database live. To pull this off, the session contents are written to database under the current session id. When the `ostversion` column is dropped from the %config table, the system will automatically switch to database-backed sessions in osTicket 1.7 mode. This is sort-of hacked together by carefully calling an instance method of the osTicketSession class statically, and modifying the instance method to support static invocation.
-
- May 13, 2012
-
-
Peter Rotich authored
-
- Mar 19, 2012
-
-
Jared Hancock authored
-