
Bugfix Authentication:0041779 add a session max idle set objective

Open daniwe4 opened this issue 1 year ago • 3 comments

https://mantis.ilias.de/view.php?id=41779

Hello everyone, this PR ensures that the PHP ini variable 'session_max_idle' is controlled via our setup. The current values ​​are obtained from a phpinfo file that has currently been added to the repo. This process could also be made dynamic by creating the file on the fly and deleting it again after reading it. This would also prevent the .htaccess file from being adjusted. Please let me know what you think about it.

Greetings Daniel

daniwe4 avatar Sep 12 '24 06:09 daniwe4

@mjansen: "The use of file_get_contents requires that allow_url_fopen is enabled—at least in the CLI context. In my opinion, this setting should remain disabled for security reasons."

Passing "localhost" to wget will lead to incorrect results if there is no vhost configuration - which is not unusual - for localhost or if different PHP versions are used for different host headers (e.g., for testx-ilias.de). It might be possible to use the ILIAS HTTP path instead of localhost. However, in that case, the IP restriction from secure.md might no longer apply (in a reverse proxy scenario). Maybe a sort of maintenance mode is enabled while performing the setup. In this case the info.php will not be accessible.

For these reasons, among others, I am wondering whether this feature would be better placed in the trunk."

smeyer-ilias avatar Sep 25 '24 15:09 smeyer-ilias
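As an added example (not code from this PR or from ILIAS), one way to read a directive as the web SAPI sees it from a phpinfo dump on local disk, so the setup never performs a URL fetch and allow_url_fopen can stay disabled as suggested above. The directive name session.gc_maxlifetime and the sample row are assumptions; the thread does not say which PHP directive backs session_max_idle.

```php
<?php
// Added example, not ILIAS code: read a directive as the web SAPI sees it from a
// phpinfo() dump stored on local disk, so no URL fetch is needed and allow_url_fopen
// can stay disabled. Accepts the HTML of phpinfo() and the plain text of `php -i`.
declare(strict_types=1);

/** Returns [directive => ['local' => ..., 'master' => ...]] from a phpinfo() dump. */
function parsePhpInfoDirectives(string $dump): array
{
    $rows = [];
    // Web SAPI (HTML): <tr><td class="e">name</td><td class="v">local</td><td class="v">master</td></tr>
    $html = '#<tr><td class="e">(.*?)</td><td class="v">(.*?)</td><td class="v">(.*?)</td></tr>#s';
    if (preg_match_all($html, $dump, $m, PREG_SET_ORDER)) {
        foreach ($m as $r) {
            // "no value" is rendered as <i>no value</i>; strip_tags keeps the text
            $rows[trim(strip_tags($r[1]))] = [
                'local'  => html_entity_decode(trim(strip_tags($r[2]))),
                'master' => html_entity_decode(trim(strip_tags($r[3]))),
            ];
        }
        return $rows;
    }
    // CLI (`php -i` text): name => local => master
    foreach (preg_split('/\R/', $dump) as $line) {
        if (preg_match('/^([A-Za-z0-9_.]+) => (.*?) => (.*)$/', $line, $r)) {
            $rows[$r[1]] = ['local' => $r[2], 'master' => $r[3]];
        }
    }
    return $rows;
}

/** Reads the dump from a filesystem path only; a URL is rejected outright. */
function readLocalPhpInfo(string $path): string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $path) === 1) {
        throw new InvalidArgumentException("refusing to fetch a URL: $path");
    }
    $data = @file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException("cannot read phpinfo dump at $path");
    }
    return $data;
}

// Constructed sample row (hypothetical value), standing in for a real dump on disk.
$sample = '<tr><td class="e">session.gc_maxlifetime</td><td class="v">1440</td><td class="v">1440</td></tr>';
$web = parsePhpInfoDirectives($sample);
printf("web SAPI: %s / CLI: %s\n",
    $web['session.gc_maxlifetime']['local'] ?? 'n/a', ini_get('session.gc_maxlifetime'));
```

Comparing the parsed web-SAPI value with ini_get() from the CLI makes the two php.ini files visible side by side, which is the mismatch the setup is trying to detect.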

Hi @ all,

a big "Thank you" for the advice, @smeyer-ilias .

> The use of file_get_contents requires that allow_url_fopen is enabled

Yes, that's what I meant with:

> Of course, fetching URLs with file_get_contents could be disabled, and other exceptions might occur as well (SSL-related, Proxy, etc.).


> For these reasons, among others, I am wondering whether this feature would be better placed in the trunk.

To be honest, I hadn't really noticed the “target release” of the PR :eyeglasses: .

And you are right, we should not put this into a stable release.

@daniwe4 Would it be possible to switch the target branch to trunk for the reasons mentioned in the discussions?


> Passing "localhost" to wget will lead to incorrect results if there is no vhost configuration - which is not unusual - for localhost or if different PHP versions are used for different host headers (e.g., for testx-ilias.de). It might be possible to use the ILIAS HTTP path instead of localhost. However, in that case, the IP restriction from secure.md might no longer apply (in a reverse proxy scenario).

I will spend some time thinking about this once more and also consult with colleagues, if there are any alternative solutions.

Best regards, Michael

mjansenDatabay avatar Sep 26 '24 10:09 mjansenDatabay

Hello, I moved this PR to Trunk. We are welcome to continue the discussion there about how we read the Apache-PHP.ini from the CLI. New PR https://github.com/ILIAS-eLearning/ILIAS/pull/8114 Greetings Daniel

daniwe4 avatar Sep 27 '24 07:09 daniwe4

The trunk version has been merged, I close this for release_9 due to the reasons above.

mjansenDatabay avatar Oct 25 '24 13:10 mjansenDatabay