middlebury / coursecatalog

This Course-Catalog is a project to develop a web front-end for searching and browsing course information stored in Banner.
https://github.com/middlebury/coursecatalog/wiki
GNU General Public License v3.0

PHP8: Session cookies being set on anonymous requests #51

Closed adamfranco closed 1 year ago

adamfranco commented 1 year ago

In PHP 7.4 we are successfully preventing PHPSESSID cookies from being set when there is no attempt at login.

[afranco@toboggan catalog (master)]$ curl -I https://saw.middlebury.edu/~afranco/catalog/
HTTP/1.1 200 OK
Date: Thu, 01 Dec 2022 15:29:02 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33
X-Powered-By: PHP/7.4.33
Expires: Thu, 01 Dec 2022 16:29:02 GMT
Cache-Control: public
Pragma: 
X-Runtime: 0.323407
Cache-Control: max-age=3600
Vary: Cookie,Accept-Encoding
X-Runtime: 0.327753
Content-Type: text/html; charset=UTF-8

In PHP8 we're seeing sessions being started even in the first page load, which will prevent Varnish from doing any useful caching.

[afranco@toboggan catalog (master)]$ curl -I https://toboggan.middlebury.edu/~afranco/catalog/
HTTP/1.1 200 OK
Date: Thu, 01 Dec 2022 15:30:39 GMT
Server: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1k
X-Powered-By: PHP/8.1.13
X-Runtime: 0.022981, 0.024046
Expires: Thu, 01 Dec 2022 16:30:39 GMT
Cache-Control: public, max-age=3600
Pragma: 
Vary: Cookie,Accept-Encoding
Set-Cookie: PHPSESSID=6dda8da1ad5254c9e5e1f8d25e49c1c3; path=/
Content-Type: text/html; charset=UTF-8

Looking at that actual session data it seems that this might be caused by phpCAS creating a session key with an empty array:

[root@toboggan afranco]# cat /var/lib/php/session/sess_6dda8da1ad5254c9e5e1f8d25e49c1c3 
phpCAS|a:0:{}
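A small offline regression check for the behaviour described in this issue, added here as an example and not part of the coursecatalog project or its fix. It parses `curl -I` style header text and flags two things a reverse-proxy cache cares about: a session cookie (assumed name `PHPSESSID`, the PHP default) being set on a request that carried no cookie, and `Set-Cookie` appearing on a `Cache-Control: public` response, which Varnish's built-in VCL treats as uncacheable. The two sample header blocks are abbreviated copies of the PHP 7.4 and PHP 8.1 captures above; the host names and session id are the issue's own.

```python
"""Audit an anonymous response for session cookies that defeat shared caching.

Added example for this issue, not project code. Works on raw `curl -I` output
so it runs offline; the samples below are abbreviated from the issue's captures.
"""

# Assumption: the app uses PHP's default session name. Extend this set if
# session_name() has been customised in the deployment being checked.
SESSION_COOKIE_NAMES = {"PHPSESSID"}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Turn `curl -I` output into (lowercased name, value) pairs.

    The status line is skipped and repeated headers (e.g. two Cache-Control
    lines, as in the PHP 7.4 capture) are all kept.
    """
    headers = []
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def set_cookie_names(headers: list[tuple[str, str]]) -> list[str]:
    """Cookie names from every Set-Cookie header, ignoring attributes like path."""
    names = []
    for name, value in headers:
        if name == "set-cookie":
            pair = value.split(";", 1)[0]
            names.append(pair.partition("=")[0].strip())
    return names


def audit_anonymous_response(raw: str) -> list[str]:
    """Return findings for a response to a cookie-less request; [] means clean."""
    headers = parse_headers(raw)
    findings = []
    cookies = set_cookie_names(headers)
    session_cookies = [c for c in cookies if c in SESSION_COOKIE_NAMES]
    if session_cookies:
        findings.append(
            "session cookie set on anonymous request: " + ", ".join(session_cookies)
        )
    cache_control = ", ".join(v for n, v in headers if n == "cache-control").lower()
    if cookies and "public" in cache_control:
        findings.append(
            "Set-Cookie on a Cache-Control: public response; Varnish's builtin "
            "VCL marks such responses uncacheable"
        )
    return findings


# Abbreviated from the issue's PHP 7.4 capture (no cookie set).
PHP74_RESPONSE = """HTTP/1.1 200 OK
X-Powered-By: PHP/7.4.33
Cache-Control: public
Cache-Control: max-age=3600
Vary: Cookie,Accept-Encoding
Content-Type: text/html; charset=UTF-8
"""

# Abbreviated from the issue's PHP 8.1 capture (session cookie set).
PHP81_RESPONSE = """HTTP/1.1 200 OK
X-Powered-By: PHP/8.1.13
Cache-Control: public, max-age=3600
Vary: Cookie,Accept-Encoding
Set-Cookie: PHPSESSID=6dda8da1ad5254c9e5e1f8d25e49c1c3; path=/
Content-Type: text/html; charset=UTF-8
"""


if __name__ == "__main__":
    for label, raw in (("PHP 7.4", PHP74_RESPONSE), ("PHP 8.1", PHP81_RESPONSE)):
        findings = audit_anonymous_response(raw)
        print(f"{label}: {'OK' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Feed it live headers with `curl -sI https://host/path | python3 audit.py`-style glue, or keep it in CI against a staging host, so that a session leaking onto the first anonymous page load is caught before it reaches the cache layer.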

adamfranco commented 1 year ago

Fixed in 422dd5fbe783f5c08c6af34aef5807135d45813b