netcarver

Everything posted by netcarver

  1. OK, so my hunch with what was going on in the SessionDB handler was wrong - thank you for trying it anyway.
  2. Great - thank you for trying it! I'll see if I can get some changes into a PR for Ryan - hopefully this weekend.
  3. @gebeer Could you try my spin on the SessionHandlerDB module that I posted here, and let me know if that makes any difference?
  4. @d'Hinnisdaël Thanks for the post - is your integration available on github at all?
  5. Thanks for the link, Bernhard, I've been trying blade in Laravel recently, but think I need to try out Latte as well.
  6. Ditto what teppo said. Either the translation has too many percent markers in it, or not enough.
  7. Quick thought - could you check that your server has a time sync service enabled (ntpd, chronyd or systemd) and that the time is accurate on the server? Perhaps you could update the ProcessLogin.js code to console.log(startTime) as well, and post the results here? Maybe compare it with console.log(new Date().getTime()) from your browser console. Then we can get a feel for how far out of step the server and browser times might be.
  8. Hi all, I'm trying out an EC2 instance with Ubuntu 22.04 server and the default user ("ubuntu") is configured to allow passwordless sudo for everything. This is different to other Ubuntu server installs I've done, primarily on Digital Ocean or Hetzner, which require the default user to use their installation password to use sudo, and is potentially a security concern (for me at least). I can turn it off easily enough by editing the /etc/sudoers.d/90... rule file - but as I'm a total noob to using EC2 I wonder if this will impact anything on the system which might actually require unrestricted, passwordless sudo. Can any experienced EC2 admins let me know their thoughts on this?
  9. Yup, I missed the full return value in my header(''); call. Just glancing at your code allowed me to spot the issue - thank you.
  10. @flydev Thanks for jumping in - can you post your URL hook for me to take a look at?
  11. @ryan I've got a situation where I want to have my URL hook return a 403 in some circumstances (basically, I want to have a particular URL hook act as a webhook destination for Pusher's authentication callback.) I've been trying to return a 403 by setting the header in the URL hook function and returning bool true from the hook. However, this always seems to send a 200 response to the caller, despite me trying to set the header myself. Is there a way to set the status code returned to the caller? If not, would it be possible to allow integer return values to be taken as the status code to send back to the caller?
  12. Hello Ivan, thanks for trying that out - the session-errors log is only created if there's an issue obtaining a lock. If there are no issues, you won't see an entry there.
  13. Here's a newer version of my spin on SessionHandlerDB that should handle a couple of edge cases. Please let me know if this is an improvement for you. SessionHandlerDB.module
  14. @bernhard Not sure if this will do it but... If the source of the Umami CSP rule is in code you are self-hosting then it sounds like you need to edit the CSP settings to expand the frame-ancestors option from 'self' to include the domain hosting the iframe. Looking at the Umami demo site here, it looks like the CSP is being served as a header - so I suggest you take a look in the .htaccess file for the Content-Security-Policy header and expand the frame-ancestors part to include your hosting domain straight after the 'self' part: Header set Content-Security-Policy "...; frame-ancestors 'self' yourdomain.com; ..." If you aren't self-hosting then you won't be able to alter the policy.
  15. @heldercervantes Do you have an estimate of the number of emails you expect to send in a month? Also, does the organisation have any budget for sending? If it does, then one of the more reputable transactional email services would be a good place to look. I've had excellent service from Postmark, at a reasonable price (~$15/10k emails) and their deliverability is very good and very fast.
  16. Great talk - thank you for sharing it with the community, Bernhard!
  17. Looks like the ajax upload is leading to the 403 page being returned - HTML where JSON was expected. Question is why. Do you have any custom (non-standard PW) directives in your .htaccess file? What version of PW are you running there? Other things - is this running on a platform with a WAF/ModSecurity or other front-end?
  18. @Ivan Gretsky If you do have a reliable reproduction process, can you try replacing the SessionHandlerDB.module file with this one (everyone will be logged out when you try it) - and keep an eye out for any new entries in the "session-errors" log file. SessionHandlerDB.module
  19. Just speculating about the SessionHandlerDB link: could this be caused by locking on the session table if there's a long running process holding a connection open somehow?
  20. The selector documentation page of the API docs could probably do with an update to include the array-format selector upgrades that came fairly early on in 3.0.13.
  21. @wbmnfktr Have you given Jeffrey Starr's 7G firewall a try? Very simple install straight into your .htaccess file.
  22. @ryan Are you using this in your tool chain? If so, could you update the repo with any additional tests you've added, like the subfield test you mentioned above? Thanks.
  23. Looks like the default country ISO was not being used when the country inputfield only had a single option. I've pushed version 1.1.3 with a workaround in the output that should allow you to remove your changes.
  24. @Ralf Please would you try out the new ng branch and let me know how it goes. The ng branch on github. Direct download link for the ng branch zip. Not for production sites at the moment. Thank you.
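Post 14 above suggests widening a Content-Security-Policy frame-ancestors directive from 'self' to also allow the domain hosting the iframe. The following is an added example, not code from Umami, ProcessWire or the thread: it parses a CSP header value, adds a host to frame-ancestors the way the post describes, and checks whether a given embedding origin would be allowed to frame the page before and after the change. The headers are constructed and yourdomain.com is the placeholder used in the post.

```python
"""Parse a CSP header value and widen its frame-ancestors directive.
Added example, not code from Umami or the thread: the headers are constructed and
'yourdomain.com' is the placeholder from the post above. Models 'self', 'none', *
and host-sources (incl. *.wildcards); scheme-only sources such as "https:" are not."""
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [sources]}; like browsers, keep only the first occurrence."""
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize_csp(directives: dict[str, list[str]]) -> str:
    return "; ".join(" ".join([name, *srcs]) for name, srcs in directives.items())


def allow_frame_ancestor(header: str, host: str) -> str:
    """Add `host` to frame-ancestors; a header without the directive already permits framing."""
    directives = parse_csp(header)
    ancestors = directives.get("frame-ancestors")
    if ancestors is None:
        return header  # adding a directive here would tighten the policy, not loosen it
    if "'none'" in ancestors:  # 'none' cannot be combined with other sources
        ancestors.remove("'none'")
    if host not in ancestors:
        ancestors.append(host)
    return serialize_csp(directives)


def _host_source_matches(source: str, origin: str) -> bool:
    """Match one host-source (e.g. https://*.example.com) against an origin; ports are ignored."""
    target = urlsplit(origin)
    src = urlsplit(source if "://" in source else "//" + source)
    pattern, host = src.hostname or "", target.hostname or ""
    if src.scheme and src.scheme != target.scheme:
        return False
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def framing_allowed(header: str, embedding_origin: str, self_origin: str) -> bool:
    """Would a page at `embedding_origin` be allowed to frame a response carrying `header`?"""
    ancestors = parse_csp(header).get("frame-ancestors")
    if ancestors is None:  # no directive: CSP imposes no framing restriction
        return True
    if "'none'" in ancestors:
        return False
    return any(src == "*" or (src == "'self'" and embedding_origin == self_origin)
               or (not src.startswith("'") and _host_source_matches(src, embedding_origin))
               for src in ancestors)
```

Running allow_frame_ancestor twice with the same host is idempotent, so it is safe to apply to a header that already lists the domain.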