[Loris-dev] Multiple instances on single VM login bug

Dave MacFarlane david.macfarlane2 at mcgill.ca
Wed Sep 14 10:37:50 EDT 2016
Hi Matthew,
Even if the cookies are shared between your multiple LORIS instances on a single VM, site-restrictions should still be applying based on the logged in user (unless they have the access all sites permission.) Which pages are you finding that they can get around this on?
As far as your solution goes, I don't think the filesystem path matters. Your suggestion is as good as any, but perhaps you should consider setting the session.cookie_path variable instead (or in addition to) the session.save_path.
It sounds to me like the real problem is that the browser is sending the cookie to instances that it shouldn't (because the cookie is set for the entire domain, but is only supposed to be valid for a sub-path of that domain), not the location that that server is saving the sessions on the filesystem. Changing it to save to a different location fixes the problem incidentally (since the different instances aren't looking up their sessions in the same place) but doesn't solve the root cause (that the different instances can read cookies meant for the other instance with your current configuration.)
- Dave
From: matthew at biospective.com
Date: Tue, 13 Sep 2016 15:31:36 -0400
To: loris-dev at bic.mni.mcgill.ca
Subject: [Loris-dev] Multiple instances on single VM login bug

Hi all,

I ran into an issue with running multiple instances of LORIS on one VM, and I found a fix, but I need advice.
To preface the problem, I should explain how it arose.  We want to access LORIS through one main URL, but we also want to obscure what projects we're running if a user doesn't need to use that instance.  So, if we're running project ABC001, we don't want those users to see we have a project MNI007.  We have ended up configuring apache to map different directories to different URLs.  i.e. /var/www/<project>/htdocs maps to loris.biospective.com/<project>
The problem we ran into was that logging on to MNI007 could grant access to ABC001 if they enter the different URL.
The solution I found was to change the php session save path via ini_set().  What I need advice about is where to set this new save directory.  I initially set it to /var/www/<project>/user_sessions, but I don't have any attachment to that location.  
Does anyone have any suggestions or opinions?  I can expand on how the different instances are set up if that will help.
Thanks,
Matthew
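The configuration Dave recommends, written out as an added example for this archive page (it is not code from the thread and not part of LORIS itself). It assumes the layout Matthew describes, /var/www/<project>/htdocs served at https://host/<project>/, that the snippet runs from a file inside htdocs before session_start(), and PHP 7.3 or later for the array form of session_set_cookie_params(); the function names are invented for the example.

```php
<?php
// Added example, not LORIS code: scope each instance's session cookie to its own
// URL prefix so the browser never sends an MNI007 cookie to /ABC001/ (the root
// cause Dave points at), and keep the per-instance save_path as a second barrier.
declare(strict_types=1);

// Derive "/<project>/" from the instance directory. Assumes this file lives in
// /var/www/<project>/htdocs, so dirname(__DIR__) is /var/www/<project>.
function lorisInstancePrefix(string $instanceRoot): string
{
    $project = basename($instanceRoot);
    // Refuse anything that could not be a plain project directory name.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $project)) {
        throw new RuntimeException("Unexpected instance root: $instanceRoot");
    }
    return '/' . $project . '/';
}

function configureInstanceSession(string $instanceRoot, bool $https): void
{
    $prefix = lorisInstancePrefix($instanceRoot);

    // session.cookie_path: the browser only attaches this cookie to requests
    // whose URL path starts with $prefix, so the other instance never sees it.
    session_set_cookie_params([
        'path'     => $prefix,
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    // Distinct cookie name per instance, so even a mis-scoped cookie could not
    // be mistaken for the other instance's session id.
    session_name('LORISSESSID_' . trim($prefix, '/'));

    // Matthew's original fix, kept as defence in depth: separate session files
    // per instance, outside the web root (/var/www/<project>/user_sessions).
    $savePath = $instanceRoot . '/user_sessions';
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
        throw new RuntimeException("Cannot create session directory: $savePath");
    }
    ini_set('session.save_path', $savePath);

    // Reject session ids the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
}

configureInstanceSession(dirname(__DIR__), !empty($_SERVER['HTTPS']));
session_start();
```

After this runs, a login on /MNI007/ yields a Set-Cookie header with Path=/MNI007/, and a request to /ABC001/ carries no MNI007 session cookie at all, which is the check to make with the browser's developer tools once the change is deployed.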

_______________________________________________
Loris-dev mailing list
Loris-dev at bic.mni.mcgill.ca
http://www.bic.mni.mcgill.ca/mailman/listinfo/loris-dev