netcarver

Everything posted by netcarver

  1. The same-origin policy has to match on the domain, port and protocol. So the host page and the iframe source need to be https, on port 443 (by default) on www.domain.com. For reference: and only if you actually need to add an exception to the X-Frame-Options header, you'll probably need to edit the root .htaccess file in your pw install to allow it.
  2. So it probably isn't this then, but for reference these are set either in headers returned by the server, or sometimes in HTML in the head section of your page. Headers come either from PHP or from the Apache2 set up - in the .htaccess or apache config files.
  3. @PhilR I can understand why LimitRequestBody 0 may solve this issue for you - but it sounds like you needed to also set the SSLRenegBufferSize for a file upload to work - is that right? If so, I wonder why that was needed. What kind of sizes were the files you were uploading?
  4. @zx80 Check out the $sessionAllow options in the config.php file. The outline config.php in the wire/ directory documents all the options and outlines how to turn off guest-based session cookies using a callable. This isn't exactly what you asked about but might be a starting point. I use this method to create a cookie-free public interface on the site I posted about the contact form before. No cookie banner because there are no cookies at all unless you are an admin and know where the admin interface is.
  5. @szabesz Nice. I think I prefer that to the maths Q approach as it requires less mental effort.
  6. Sounds like a bug - could you raise an issue on processwire/processwire-issues?
  7. Wild idea, but the little maths question system I wrote for this contact form is, as far as I know, GDPR compliant and is used on a site that has no cookies or sessions on the front end interface. It therefore has no CSRF protection, yet has been 100% effective (several years so far) at preventing spam submissions. There are a few things I'd change if doing a v2, but overall, it's worked very well. Reload the page a few times to get a feel for how the question system works. If you are not worried by being GDPR compliant and are willing to use sessions, then writing something like this would be even easier as there are no extra anonymisation hoops to jump through. Just stash a target answer in the session and re-generate a maths question that leads to that answer on each page render.
  8. @gebeer Could you try this version of the session handler (if you want some more testing :) )? Could you also let me know what your value of $config->allowExceptions is set to?
  9. Ok, so my hunch with what was going on in the SessionDB handler was wrong - thank you for trying it anyway.
  10. Great - thank you for trying it! I'll see if I can get some changes into a PR for Ryan - hopefully this weekend.
  11. @gebeer Could you try my spin on the SessionHandlerDB module that I posted here, and let me know if that makes any difference?
  12. @d'Hinnisdaël Thanks for the post - is your integration available on github at all?
  13. Thanks for the link, Bernhard, I've been trying blade in Laravel recently, but think I need to try out Latte as well.
  14. Ditto what teppo said. Either the translation has too many percent markers in it, or not enough.
  15. Quick thought - could you check your server has a time sync service enabled (ntpd, chronyd or systemd) and that the time is accurate on the server. Perhaps you could update the ProcessLogin.js code to console.log(startTime) as well, and post the results here? Maybe compare it with console.log(new Date().getTime()) from your browser console. Then we can get a feel for how far out of step the server and browser times might be?
  16. Hi all, I'm trying out an EC2 instance with Ubuntu 22.04 server and the default user ("ubuntu") is configured to allow passwordless sudo for everything. This is different to other Ubuntu server installs I've done, primarily on Digital Ocean or Hetzner, which require the default user to use their installation password to use sudo, and potentially a security concern (for me at least). I can turn it off easily enough by editing the /etc/sudoers.d/90... rule file - but as I'm a total noob to using EC2 I wonder if this will impact anything on the system which might actually require unrestricted, passwordless sudo. Can any experienced EC2 admins let me know their thoughts on this?
  17. Yup, I missed the full return value in my header(''); call. Just glancing at your code allowed me to spot the issue - thank you.
  18. @flydev Thanks for jumping in - can you post your URL hook for me to take a look at?
  19. @ryan I've got a situation where I want to have my URL hook return a 403 in some circumstances (basically, I want to have a particular URL hook act as a webhook destination for Pusher's authentication callback.) I've been trying to return a 403 by setting the header in the URL hook function and returning bool true from the hook. However, this always seems to send a 200 response to the caller, despite me trying to set the header myself. Is there a way to set the status code returned to the caller? If not, would it be possible to allow integer return values to be taken as the status code to send back to the caller?
  20. Hello Ivan, thanks for trying that out - the session-errors log is only created if there's an issue obtaining a lock. If there are no issues, you won't see an entry there.
  21. Here's a newer version of my spin on SessionHandlerDB that should handle a couple of edge cases. Please let me know if this is an improvement for you. SessionHandlerDB.module
  22. @bernhard Not sure if this will do it but... If the source of the Umami CSP rule is in code you are self-hosting then it sounds like you need to edit the CSP settings to expand the frame-ancestors option from 'self' to include the domain hosting the iframe. Looking at the Umami demo site here, it looks like the CSP is being served as a header - so I suggest you take a look in the .htaccess file for the Content-Security-Policy header and expand the frame-ancestors part to include your hosting domain straight after the 'self' part. Header set Content-Security-Policy "...; frame-ancestors 'self' yourdomain.com; ..." If you aren't self-hosting then you won't be able to alter the policy.
  23. @heldercervantes Do you have an estimate of the number of emails you expect to send in a month? Also, does the organisation have any budget for sending? If it does, then one of the more reputable transactional email services would be a good place to look. I've had excellent service from Postmark, at a reasonable price (~$15/10k emails) and their deliverability is very good and very fast.
  24. Great talk - thank you for sharing it with the community, Bernhard!
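The session-based variant of the maths-question spam filter described in post 7 (stash a target answer in the session, regenerate a question that leads to it on every render), as an added Python example rather than netcarver's own module: the session is modelled as a plain dict and the `captcha_target` key and field handling are assumptions.

```python
import random


def question_for(target, rng=random):
    """Render a fresh arithmetic question whose only integer answer is `target`.
    Each call picks a new form, so reloading the page never shows the same question."""
    form = rng.choice(("sum", "difference", "product_plus"))
    if form == "sum":
        a = rng.randint(0, target)
        return f"What is {a} + {target - a}?"
    if form == "difference":
        a = rng.randint(target + 1, target + 30)
        return f"What is {a} - {a - target}?"
    k = rng.randint(2, 9)  # target = k * quotient + remainder, remainder < k
    return f"What is {k} × {target // k} + {target % k}?"


def render_form(session, rng=random):
    """Called on every page render (GET): keep the session's target, issue a new question for it.
    `session` is a dict standing in for the real session store (assumption)."""
    if "captcha_target" not in session:
        session["captcha_target"] = rng.randint(5, 40)
    return question_for(session["captcha_target"], rng)


def accept_submission(session, answer_field):
    """Called on POST: True only if the visitor answered the session's current target.
    The target is discarded either way, so a wrong guess cannot be retried against the same value."""
    target = session.pop("captcha_target", None)
    try:
        given = int(answer_field.strip())
    except (AttributeError, ValueError):
        return False
    return target is not None and given == target
```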
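The embedding rules behind posts 1 and 22 (same-origin matching on scheme, host and port, X-Frame-Options, and the CSP frame-ancestors source list), as an added Python example that is not code from any of the posts: it reports whether a browser would render a page served with the given response headers inside a given embedding page, which is a quick way to check a header change before deploying it. Header values and URLs used in the checks are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, p.hostname.lower(), p.port or DEFAULT_PORTS[scheme]


def host_source_matches(source, embedder, framed):
    """Match one CSP host-source (yourdomain.com, https://*.example.com:8443, ...)."""
    e_scheme, e_host, e_port = origin_of(embedder)
    scheme, _, rest = source.lower().rpartition("://")
    host, _, port = rest.partition(":")
    # Without an explicit scheme the framed page's scheme applies; http may upgrade to https.
    want = scheme or origin_of(framed)[0]
    if e_scheme != want and not (want == "http" and e_scheme == "https"):
        return False
    if port != "*" and (int(port) if port else DEFAULT_PORTS[e_scheme]) != e_port:
        return False
    if host.startswith("*."):
        return e_host.endswith(host[1:])  # *.example.com does not match example.com itself
    return e_host == host


def source_matches(src, embedder, framed):
    """Evaluate a single frame-ancestors source expression against the embedding origin."""
    if src == "'self'":
        return origin_of(embedder) == origin_of(framed)
    if src.endswith(":"):  # scheme-source such as https:
        return origin_of(embedder)[0] == src[:-1].lower()
    return src != "'none'" and host_source_matches(src, embedder, framed)


def may_be_framed(headers, embedder, framed):
    """True if a browser would render `framed` (served with `headers`) inside `embedder`.
    A CSP frame-ancestors directive, when present, takes precedence over X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return any(source_matches(s, embedder, framed) for s in parts[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin_of(embedder) == origin_of(framed)
    return True  # no framing restriction (browsers ignore unrecognised X-Frame-Options values)
```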