[ic] one catalog, one session id, multiple domains, one secure domain

Frederic Steinfels interchange-users@interchange.redhat.com
Mon Dec 17 20:41:00 2001


After reading the whole mailing list about cookies, I came to the
conclusion that all suggestions are not working and that some of you might
be interested in a solution for the problem described in the subject. I
am also posting this to get some feedback about potential security holes
I have created. My fix is for ic 4.8.1 but I think the surrounding code
should not have changed...



in bin/interchange, look for

                       if(! $compare_host) {
                                new_session($seed) unless $CGI::secure;
                                init_session();
                                $Vend::Session->{shost} = $CGI::remote_addr;
                        }
                        elsif ($compare_host ne $CGI::remote_addr) {
                                new_session($seed);
                                init_session();
                        }

replace with


                        if ($sessionid eq "")
                        {
                                if(! $compare_host) {
                                        new_session($seed) unless $CGI::secure;
                                        init_session();
                                        $Vend::Session->{shost} = $CGI::remote_addr;
                                }
                                elsif ($compare_host ne $CGI::remote_addr) {
                                        new_session($seed);
                                        init_session();
                                }
                        }

# this first patch should make sure that changing the url will not destroy
# the current session



in lib/Vend/Session.pm init_session

look for 

	$::Values->{mv_shipmode} = $Vend::Cfg->{DefaultShipping}
		if ! defined $::Values->{mv_shipmode};

and append

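        # Match the configured URL directly instead of overwriting the global $_,
        # and only store the rewritten URL when the pattern actually matched
        # (after a failed match $1 and $2 still hold values from an earlier one).
        if ($Vend::Cfg->{VendURL} =~ /(.{0,})http:\/\/[\w\d\.]*?\/(.{0,})/i) {
                $::Scratch->{VendURL} = "http://" . $1 . ::http()->{env}->{HTTP_HOST} . "/" . $2;
        }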


# this patch will make sure that the initial domain will be stored and ...




In lib/Vend/Util.pm vendUrl


replace

 $r = $Vend::Cfg->{VendURL} unless defined $r;

with

        if ($::Scratch->{VendURL} eq "")
        {
                $r = $Vend::Cfg->{VendURL} unless defined $r;
        }
        else
        {
                $r = $::Scratch->{VendURL} unless defined $r;
        }





# ... used in all [area ] and [page ] tags.


-- 


Frederic Steinfels
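
Added example (not part of the original post and not Interchange code): the second patch copies the request's Host header into the session's base URL, and that header is chosen by the client, so one check to put in front of it is an allowlist of the catalog's own domains. The allowlist contents, the helper name session_base_url and the sample hosts are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the domains this one catalog is legitimately served under.
my %ALLOWED_HOST = map { $_ => 1 } qw(shop.example.com shop.example.net);

# Hypothetical helper: return the configured VendURL with its host swapped
# for the request's Host header, but only when that header names an
# allowlisted domain. In every other case the configured URL is returned.
sub session_base_url {
    my ($configured, $host_header) = @_;
    return $configured unless defined $host_header;

    # The Host header is client-supplied: lower-case it, drop an optional
    # port, and require a plain hostname before the allowlist lookup.
    my $host = lc $host_header;
    $host =~ s/:\d{1,5}\z//;
    return $configured
        unless $host =~ /\A[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\z/;
    return $configured unless $ALLOWED_HOST{$host};

    # Rebuild from an anchored match so nothing is taken from a failed match.
    if ($configured =~ m{\Ahttp://[^/]+(/.*)?\z}is) {
        my $path = defined $1 ? $1 : '/';
        return "http://$host$path";
    }
    return $configured;
}

# Constructed sample input: configured URL and a set of Host header values.
my $cfg = 'http://shop.example.com/cgi-bin/store';
my @hosts = (
    'shop.example.net',                    # second catalog domain
    'SHOP.EXAMPLE.NET:80',                 # same host, other case, with port
    'other.example.org',                   # not one of the catalog's domains
    'shop.example.net.other.example.org',  # allowlisted name as a prefix only
    undef,                                 # HTTP/1.0 request without Host
);
for my $h (@hosts) {
    printf "%-36s -> %s\n", defined $h ? $h : '(no Host header)',
        session_base_url($cfg, $h);
}
```

Only the first two sample hosts produce a rewritten base URL; the others fall back to the configured one, which is the same fallback the vendUrl change above already takes when the scratch value is empty.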