mattv8/yourls-ldap-plugin

"Stealing cookies?" problem

Closed this issue · 2 comments

I installed the actual version of the ldap-plugin and I still get the "Stealing cookies?" error. Are there any hints how to solve that?
Thanks a lot!
Thomas

When I turn LDAPAUTH_ADD_NEW on, it works.

IMHO this is a bug in the core code, which I've raised as an issue. The code checks for the presence of an entry for the current user in the array $yourls_user_passwords defined in users\config.php. The LDAP plugin creates such an entry at login, but it doesn't persist across sessions and YOURLS immediately reloads. The plugin can't create a proper entry at any other time because it doesn't know what the password is at any time other than when it is processing the login form. However, it doesn't actually seem important that the password in this entry is valid, so the following hack seems to largely work.

--- yourls-ldap-plugin-master/plugin.php        2015-06-23 10:05:32.000000000 +0000
+++ yourls-ldap-plugin/plugin.php       2016-07-19 08:54:09.839308820 +0000
@@ -62,6 +62,7 @@
                return $value;

        @session_start();
+       global $yourls_user_passwords;

        // Always check & set early
        if ( !ldapauth_environment_check() ) {
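Review bot: the `global $yourls_user_passwords;` added after `@session_start()` carries no comment explaining why it now sits this early, and the hunk does not show the enclosing function, so a reader cannot see that this single declaration is meant to serve both the already-authenticated session path and the login-form path further down. Add a one-line comment such as "shared by the session check below and the login handler" and confirm that the later `array_key_exists($username, $yourls_user_passwords)` call is inside this same function, otherwise that call would read an undefined local.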
@@ -71,6 +72,12 @@
        if ( isset( $_SESSION['LDAPAUTH_AUTH_USER'] ) ) {
                // already authenticated...
                $username = $_SESSION['LDAPAUTH_AUTH_USER'];
+               if( !isset($yourls_user_passwords[$username]) ) {
+                   // set a dummy password to work around the "Stealing cookies" problem
+                   // we prepend with 'phpass:' to avoid YOURLS trying to auto-encrypt it and
+                   // write it to user/config.php
+                   $yourls_user_passwords[$username]='phpass:ThereIsNoPasswordButHey,WhoCares?';
+               }
                if ( ldapauth_is_authorized_user( $username ) ) {
                        yourls_set_user( $_SESSION['LDAPAUTH_AUTH_USER'] );
                        return true;
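Review bot: the dummy entry is written into `$yourls_user_passwords[$username]` before `ldapauth_is_authorized_user( $username )` is evaluated, so a session username that fails the authorization check still gets a password entry created for it during this request. Move the `if( !isset($yourls_user_passwords[$username]) )` block inside the `if ( ldapauth_is_authorized_user( $username ) )` branch so the array is only touched for users that pass authorization. The `phpass:` prefix trick also relies on an undocumented YOURLS behaviour (skipping auto-encryption and the write to user/config.php), so that dependency belongs in the plugin README rather than only in an inline comment.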
@@ -125,7 +132,6 @@

                        $username = $searchResult[0][LDAPAUTH_USERNAME_FIELD][0];
                        yourls_set_user($username);
-                       global $yourls_user_passwords;

                        if (LDAPAUTH_ADD_NEW && !array_key_exists($username, $yourls_user_passwords)) {
                                ldapauth_create_user( $username, $_REQUEST['password'] );
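Review bot: removing `global $yourls_user_passwords;` here is only safe if the declaration added earlier in this patch is in the same function scope; the hunk shows neither the function signature nor the block that opens after `$searchResult[0][LDAPAUTH_USERNAME_FIELD][0]`, so that cannot be verified from the diff. If this code lives in a different function or a closure, `array_key_exists($username, $yourls_user_passwords)` will operate on an undefined variable and the `LDAPAUTH_ADD_NEW` path will silently create users on every login; either keep the local `global` line or add a comment pointing at the earlier declaration.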