login/logout browserfenster schliessen und neu öffnen
Eingetragen von Peer (8)am 26.11.2009 - 11:41 Uhr in
Hallo,
ich komme einfach nicht klar mit folgendem Problem:
Wenn ich eingeloggt bin, das Browserfenster schliesse und dann wieder öffne und auf die Seite gehe, bin ich weiterhin eingeloggt. Auch wenn ich über Stunden den Rechner schlummern lasse und eingeloggt auf der Seite verbleibe, kann ich munter weiter auf der Seite eingeloggt weitermachen.
Und ich muss zugeben, daß mir das mit Blick auf die Sicherheit Sorgen bereitet.
Ich weiss nicht, ob es eine Rolle spielt: node_access ist installiert.
Den code der .htacceess und settings.php habe ich angefügt.
Bitte nicht gleich schimpfen, weil die Lösung so einfach ist oder ich zu wenig Ahnung habe, oder ich zu viel code gepostet habe.
Danke und Gruss,
Peer
#
# Apache/PHP/Drupal settings:
#
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$">
Order allow,deny
</FilesMatch>
# Don't show directory listings for URLs which map to a directory.
Options -Indexes
# Follow symbolic links in this directory.
Options +FollowSymLinks
# Make Drupal handle any 404 errors.
ErrorDocument 404 /index.php
# Force simple error message for requests for non-existent favicon.ico.
<Files favicon.ico>
# There is no end quote below, for compatibility with Apache 1.3.
ErrorDocument 404 "The requested file favicon.ico was not found.
</Files>
# Set the default handler.
DirectoryIndex index.php
# Override PHP settings. More in sites/default/settings.php
# but the following cannot be changed at runtime.
# PHP 4, Apache 1.
<IfModule mod_php4.c>
php_value magic_quotes_gpc 0
php_value register_globals 0
php_value session.auto_start 0
php_value mbstring.http_input pass
php_value mbstring.http_output pass
php_value mbstring.encoding_translation 0
</IfModule>
# PHP 4, Apache 2.
<IfModule sapi_apache2.c>
php_value magic_quotes_gpc 0
php_value register_globals 0
php_value session.auto_start 0
php_value mbstring.http_input pass
php_value mbstring.http_output pass
php_value mbstring.encoding_translation 0
</IfModule>
# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
php_value magic_quotes_gpc 0
php_value register_globals 0
php_value session.auto_start 0
php_value mbstring.http_input pass
php_value mbstring.http_output pass
php_value mbstring.encoding_translation 0
</IfModule>
# Requires mod_expires to be enabled.
<IfModule mod_expires.c>
# Enable expirations.
ExpiresActive On
# Cache all files for 2 weeks after access (A).
ExpiresDefault A1209600
# Do not cache dynamically generated pages.
ExpiresByType text/html A1
</IfModule>
# Various rewrite rules.
<IfModule mod_rewrite.c>
RewriteEngine on
# If your site can be accessed both with and without the 'www.' prefix, you
# can use one of the following settings to redirect users to your preferred
# URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
#
# To redirect all users to access the site WITH the 'www.' prefix,
# (http://example.com/... will be redirected to http://www.example.com/...)
# adapt and uncomment the following:
# RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
# RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]
#
# To redirect all users to access the site WITHOUT the 'www.' prefix,
# (http://www.example.com/... will be redirected to http://example.com/...)
# uncomment and adapt the following:
# RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
# RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]
# Modify the RewriteBase if you are using Drupal in a subdirectory or in a
# VirtualDocumentRoot and the rewrite rules are not working properly.
# For example if your site is at http://example.com/drupal uncomment and
# modify the following line:
# RewriteBase /drupal
#
# If your site is running in a VirtualDocumentRoot at http://example.com/,
# uncomment the following line:
# RewriteBase /
# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
</IfModule>
# $Id: .htaccess,v 1.90.2.3 2008/12/10 20:04:08 goba Exp $sowie die settings.php:
<?php
// $Id: default.settings.php,v 1.8.2.4 2009/09/14 12:59:18 goba Exp $
/**
* @file
* Drupal site-specific configuration file.
*
* IMPORTANT NOTE:
* This file may have been set to read-only by the Drupal installation
* program. If you make changes to this file, be sure to protect it again
* after making your modifications. Failure to remove write permissions
* to this file is a security risk.
*
* The configuration file to be loaded is based upon the rules below.
*
* The configuration directory will be discovered by stripping the
* website's hostname from left to right and pathname from right to
* left. The first configuration file found will be used and any
* others will be ignored. If no other configuration file is found
* then the default configuration file at 'sites/default' will be used.
*
* For example, for a fictitious site installed at
* http://www.drupal.org/mysite/test/, the 'settings.php'
* is searched in the following directories:
*
* 1. sites/www.drupal.org.mysite.test
* 2. sites/drupal.org.mysite.test
* 3. sites/org.mysite.test
*
* 4. sites/www.drupal.org.mysite
* 5. sites/drupal.org.mysite
* 6. sites/org.mysite
*
* 7. sites/www.drupal.org
* 8. sites/drupal.org
* 9. sites/org
*
* 10. sites/default
*
* If you are installing on a non-standard port number, prefix the
* hostname with that number. For example,
* http://www.drupal.org:8080/mysite/test/ could be loaded from
* sites/8080.www.drupal.org.mysite.test/.
*/
/**
* Database settings:
*
* Note that the $db_url variable gets parsed using PHP's built-in
* URL parser (i.e. using the "parse_url()" function) so make sure
* not to confuse the parser. If your username, password
* or database name contain characters used to delineate
* $db_url parts, you can escape them via URI hex encodings:
*
* : = %3a / = %2f @ = %40
* + = %2b ( = %28 ) = %29
* ? = %3f = = %3d & = %26
*
* To specify multiple connections to be used in your site (i.e. for
* complex custom modules) you can also specify an associative array
* of $db_url variables with the 'default' element used until otherwise
* requested.
*
* You can optionally set prefixes for some or all database table names
* by using the $db_prefix setting. If a prefix is specified, the table
* name will be prepended with its value. Be sure to use valid database
* characters only, usually alphanumeric and underscore. If no prefixes
* are desired, leave it as an empty string ''.
*
* To have all database names prefixed, set $db_prefix as a string:
*
* $db_prefix = 'main_';
*
* To provide prefixes for specific tables, set $db_prefix as an array.
* The array's keys are the table names and the values are the prefixes.
* The 'default' element holds the prefix for any tables not specified
* elsewhere in the array. Example:
*
* $db_prefix = array(
* 'default' => 'main_',
* 'users' => 'shared_',
* 'sessions' => 'shared_',
* 'role' => 'shared_',
* 'authmap' => 'shared_',
* );
*
* Database URL format:
* $db_url = 'mysql://username:password@localhost/databasename';
* $db_url = 'mysqli://username:password@localhost/databasename';
* $db_url = 'pgsql://username:password@localhost/databasename';
*/
$db_url = 'mysql://mein_username:mein_password@localhost/mein_databasename';
$db_prefix = '';
/**
* Access control for update.php script
*
* If you are updating your Drupal installation using the update.php script
* being not logged in as administrator, you will need to modify the access
* check statement below. Change the FALSE to a TRUE to disable the access
* check. After finishing the upgrade, be sure to open this file again
* and change the TRUE back to a FALSE!
*/
$update_free_access = FALSE;
/**
* Base URL (optional).
*
* If you are experiencing issues with different site domains,
* uncomment the Base URL statement below (remove the leading hash sign)
* and fill in the absolute URL to your Drupal installation.
*
* You might also want to force users to use a given domain.
* See the .htaccess file for more information.
*
* Examples:
* $base_url = 'http://www.example.com';
* $base_url = 'http://www.example.com:8888';
* $base_url = 'http://www.example.com/drupal';
* $base_url = 'https://www.example.com:8888/drupal';
*
* It is not allowed to have a trailing slash; Drupal will add it
* for you.
*/
# $base_url = 'http://www.example.com'; // NO trailing slash!
/**
* PHP settings:
*
* To see what PHP settings are possible, including whether they can
* be set at runtime (ie., when ini_set() occurs), read the PHP
* documentation at http://www.php.net/manual/en/ini.php#ini.list
* and take a look at the .htaccess file to see which non-runtime
* settings are used there. Settings defined here should not be
* duplicated there so as to avoid conflict issues.
*/
ini_set('arg_separator.output', '&');
ini_set('magic_quotes_runtime', 0);
ini_set('magic_quotes_sybase', 0);
ini_set('session.cache_expire', 0);
ini_set('session.cache_limiter', 'none');
ini_set('session.cookie_lifetime', 0);
ini_set('session.gc_maxlifetime', 12000);
ini_set('session.save_handler', 'user');
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);
ini_set('url_rewriter.tags', '');
/**
* If you encounter a situation where users post a large amount of text, and
* the result is stripped out upon viewing but can still be edited, Drupal's
* output filter may not have sufficient memory to process it. If you
* experience this issue, you may wish to uncomment the following two lines
* and increase the limits of these variables. For more information, see
* http://php.net/manual/en/pcre.configuration.php.
*/
# ini_set('pcre.backtrack_limit', 200000);
# ini_set('pcre.recursion_limit', 200000);
/**
* Drupal automatically generates a unique session cookie name for each site
* based on on its full domain name. If you have multiple domains pointing at
* the same Drupal site, you can either redirect them all to a single domain
* (see comment in .htaccess), or uncomment the line below and specify their
* shared base domain. Doing so assures that users remain logged in as they
* cross between your various domains.
*/
# $cookie_domain = 'example.com';
/**
* Variable overrides:
*
* To override specific entries in the 'variable' table for this site,
* set them here. You usually don't need to use this feature. This is
* useful in a configuration file for a vhost or directory, rather than
* the default settings.php. Any configuration setting from the 'variable'
* table can be given a new value. Note that any values you provide in
* these variable overrides will not be modifiable from the Drupal
* administration interface.
*
* Remove the leading hash signs to enable.
*/
# $conf = array(
# 'site_name' => 'My Drupal site',
# 'theme_default' => 'minnelli',
# 'anonymous' => 'Visitor',
/**
* A custom theme can be set for the off-line page. This applies when the site
* is explicitly set to off-line mode through the administration page or when
* the database is inactive due to an error. It can be set through the
* 'maintenance_theme' key. The template file should also be copied into the
* theme. It is located inside 'modules/system/maintenance-page.tpl.php'.
* Note: This setting does not apply to installation and update pages.
*/
# 'maintenance_theme' => 'minnelli',
/**
* reverse_proxy accepts a boolean value.
*
* Enable this setting to determine the correct IP address of the remote
* client by examining information stored in the X-Forwarded-For headers.
* X-Forwarded-For headers are a standard mechanism for identifying client
* systems connecting through a reverse proxy server, such as Squid or
* Pound. Reverse proxy servers are often used to enhance the performance
* of heavily visited sites and may also provide other site caching,
* security or encryption benefits. If this Drupal installation operates
* behind a reverse proxy, this setting should be enabled so that correct
* IP address information is captured in Drupal's session management,
* logging, statistics and access management systems; if you are unsure
* about this setting, do not have a reverse proxy, or Drupal operates in
* a shared hosting environment, this setting should be set to disabled.
*/
# 'reverse_proxy' => TRUE,
/**
* reverse_proxy accepts an array of IP addresses.
*
* Each element of this array is the IP address of any of your reverse
* proxies. Filling this array Drupal will trust the information stored
* in the X-Forwarded-For headers only if Remote IP address is one of
* these, that is the request reaches the web server from one of your
* reverse proxies. Otherwise, the client could directly connect to
* your web server spoofing the X-Forwarded-For headers.
*/
# 'reverse_proxy_addresses' => array('a.b.c.d', ...),
# );
/**
* String overrides:
*
* To override specific strings on your site with or without enabling locale
* module, add an entry to this list. This functionality allows you to change
* a small number of your site's default English language interface strings.
*
* Remove the leading hash signs to enable.
*/
# $conf['locale_custom_strings_en'] = array(
# 'forum' => 'Discussion board',
# '@count min' => '@count minutes',
# );- Anmelden oder Registrieren um Kommentare zu schreiben
Zitat: Und ich muss
am 26.11.2009 - 11:49 Uhr
Und ich muss zugeben, daß mir das mit Blick auf die Sicherheit Sorgen bereitet.
Warum denn? Die Session wird, wenn ich mich recht entsinne, als Cookie auf dem Rechner des Clients gespeichert. Wenn die Session also offen bleibt, dann nur auf deinem Rechner und nur mit dem Browser, mit dem du dich eingeloggt hast. Zudem, glaubst du, dass ein derartig beliebtes CMS wie Drupal eine solche Sicherheitslücke solange offen lassen würde?
Was wirklich ein Sicherheitsrisiko ist, ist die Tatsache, dass du User-Name + Passwort deines Datenbank-Zugangs hier öffentlich postest :-)
danke stebeg ...
am 26.11.2009 - 12:17 Uhr
Dein Hinweis ist hilfreich. WIrklich nicht sehr schlau von mir.
Trotzdem: Wenn ich mich bei einem Internetportal wie gmx in meinen webaccount einlogge, das Fenster schliesse und wieder öffne, bin ich doch auch ausgeloggt.
Warum schliesst sich die Session nicht, wenn ich das bei drupal mache? Oder besser: was müsste ich tun, damit sie geschlossen wird.
Und zum zweiten Teil: Warum kann ich nicht die Dauer der Nutzung ( bzw. bei Nicht-Nutzung ) über diese Werte verändern?
ini_set('session.cache_expire', 0);
ini_set('session.cookie_lifetime', 0);
ini_set('session.gc_maxlifetime', 12000);
lgp