-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set session name to prevent collision when multiple applications are hosted on same domain #198
Conversation
…hosted on same domain
@BlackbitDevs @brusch WDYT? |
Not sure. The client asked us first ;-) Of course we can simply note it in the docs but then every project which runs multiple applications on same domain will get this error, then blames Pimcore and then (hopefully) finds the solution in the docs. And on the other hand we can simply set the session name and everything will just work. It is a matter of defensive programming / enhancing developer experience. |
@brusch what is your opinion on this? |
@fashxp what's your opinion about this? |
That's a good question, but I don’t really have a strong opinion on it. It probably doesn’t hurt, but why don’t other applications do it either? For example, Magento doesn’t, and Symfony doesn’t seem to recommend it. Could it be that dev-ops tools, monitoring systems, or firewalls might even get confused (or need additional configuration) by custom session names? The thing is: I’ve never encountered this as an issue so far. And running two different applications on the same domain seems like an edge case to me, where you'd need to know what you're doing anyway. So additional configuration in such cases is fine I would say. Any other opinions in the community? |
I also think that this is an edge case and that we don't need to change the default setting. |
@BlackbitDevs maybe we could adapt this PR, commented out this config and add a comment at the top to explain why and when you would need this. We should also then add this in the docs in the core as a hint as I suggested. Maybe in the https://github.com/pimcore/pimcore/blob/11.x/doc/21_Deployment/03_Configuration_Environments.md here for the enviroment or somewhere in the https://github.com/pimcore/pimcore/tree/11.x/doc/23_Installation_and_Upgrade/03_System_Setup_and_Hosting Hosting part? |
@mattamon Have commented the config out and described what it does. Will create another PR for updating https://github.com/pimcore/pimcore/tree/11.x/doc/23_Installation_and_Upgrade/03_System_Setup_and_Hosting |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you! LGTM
Imagine you run a Magento app on http://example.org and Pimcore on http://pim.example.org. Then you will have 2 cookies with name
PHPSESSID
(ifsession.name
in php.ini is the same for both):First one is from Magento, second from Pimcore.
When trying to log in at http://example.org/admin you will get a 403 Forbidden error.
The reason why Magento sets the cookie for
.example.org
instead ofexample.org
probably is to also support subdomains.But of course Magento is only an example - the problem applies to all applications which run on same domain.
When we set the session name in Pimcore as proposed in this PR, such collisions will not happen.