Authentication - Issues with multiple instances on the same server.


  1. holtbakk
    Member

    Hi!

    As always I have to start by saying how much I appreciate this software! :)

    Then to my issue. I have one server with multiple installed instances of MachForm. Some are modified, some are running old licenses, some are purchased by others, and so on. Checking session authentication only with a true/false value seems to allow access to all admin interfaces by authenticating on one of them. Maybe this is an issue only for me, but I thought I should let you know and supply a suggestion for a fix:

    This could be solved with only a few lines of code by checking against a per-site dynamic key set in config.php. Either a manually set key:

    $_SESSION['local_key'] = "myvalue";

    Or an automated one that is unique to each instance using its path:

    $_SESSION['local_key'] = md5(dirname(__FILE__));

    And after the authentication (on lines 55 & 108 in index.php and line 36 in includes/check-session.php) add:

    $_SESSION['mf_logged_in_key'] = $_SESSION['local_key'];

    And finally add this check to the authentication checkers (12 instances?):

    if( … && $_SESSION['mf_logged_in_key'] === $_SESSION['local_key'] ){ .. }

    Regards, Bard

    Posted 11 years ago #
  2. yuniar

    Hi Bard,

    Thank you for sharing this.
    MachForm wasn't designed to be installed multiple times under the same domain/subdomain indeed.

    These won't work:
    http://example.com/machform1
    http://example.com/machform2
    http://example.com/machform3

    However, these should work just fine:
    http://machform1.example.com
    http://machform2.example.com
    http://machform3.example.com

    So if you need to install multiple instances of MachForm, I suggest installing each of them using separate subdomains.
    Using a separate subdomain for each instance, you won't need to do any modification.

    However, if it's not possible to have subdomains, then the solution you provide above should be working just fine :)


    MachForm Founder

    Posted 11 years ago #
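
The per-instance check discussed in this thread, as an added example that is not part of either post and not MachForm's own code. The function names, the `mf_logged_in` flag name and the install paths are assumptions; the key is computed from the install directory on each request instead of being stored in `$_SESSION['local_key']`, and an array stands in for the shared `$_SESSION`.

```php
<?php
// Added illustration: hypothetical helper names, not MachForm functions.
// $session stands in for $_SESSION. Installs under the same host share it,
// because the browser sends the same PHP session cookie to every path.

// Per-install value derived from the install directory, as in the post.
// It is a discriminator kept server-side, not a secret.
function instance_key(string $installDir): string {
    return md5($installDir);
}

// Call after a successful password check: bind the login to this install.
function mark_logged_in(array &$session, string $installDir): void {
    $session['mf_logged_in'] = true;            // assumed flag name
    $session['mf_logged_in_key'] = instance_key($installDir);
}

// Use in every authentication checker in place of a flag-only test.
function is_logged_in(array $session, string $installDir): bool {
    return !empty($session['mf_logged_in'])
        && isset($session['mf_logged_in_key'])
        && is_string($session['mf_logged_in_key'])
        && hash_equals(instance_key($installDir), $session['mf_logged_in_key']);
}

// Constructed paths for two installs served from one host.
$installA = '/var/www/html/machform1';
$installB = '/var/www/html/machform2';

$session = [];                        // one session shared by both installs
mark_logged_in($session, $installA);  // admin logs in on install A only

var_dump(is_logged_in($session, $installA)); // install where the login happened
var_dump(is_logged_in($session, $installB)); // other install, same session
var_dump(!empty($session['mf_logged_in']));  // what a flag-only check sees
```

Calling `session_name()` with a different value in each install before `session_start()` also keeps the sessions apart, since each install then reads its own cookie.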
