concrete5 on Cloud9

Permalink
Has anyone worked with Cloud9 before?

I was able to get mine installed. But I somehow gets logged out immediately.
It must be something to do with the server config setting.

http://c9.io/

My sites

Plain Apache+PHP template
https://c5756test-katzueno.c9users.io/...

Using WordPress template
https://ide.c9.io/katzueno/c5756test...

I suspect something to do with php.ini or apache config...

katz515
 
katz515 replied on at Permalink Reply
katz515
katz515 replied on at Permalink Reply
katz515
FYI, I was able to get it work by commenting the line 80 of
/concrete/src/Session/SessionValidator.php

from

$session->invalidate();


to

//$session->invalidate();


But I feel like we should not do this.
Any better suggestion?

I feel like this is more for server config.
Mainio replied on at Permalink Reply
Mainio
Seems like at least in the latest version this should be configurable through the 'concrete.security.session.invalidate_on_ip_mismatch' config.

So, create /application/config/concrete.php and add this configuration block there:

// /application/config/concrete.php
return array(
    // ... other configs ...
    'security' => array(
        'session' => array(
            'invalidate_on_ip_mismatch' => false,
        ),
    ),
    // ... other configs ...
);


Have not tested this but just by checking the code, it should be possible.

Also, do not leave this setting on when you go live! Unless the production environment is behind a similar environment, too.
katz515 replied on at Permalink Reply
katz515
FYI, you should not modify anything under /generated_overrides/ folder.

You should create

/application/config/concrete.php

Then add this

<?php
return array(
    'security' => array(
        'session' => array(
            'invalidate_on_ip_mismatch' => false,
        )
    )
);


If you modify /generated_overrides/concrete.php, next time the admin change something on dashboard, your change gets overridden.

If you want to add some config option that will be added via FTP, you should write under /application/config/
Mainio replied on at Permalink Reply
Mainio
You should create
/application/config/concrete.php


Good point! I updated the answer so that no one would be misleaded.

Yeah, I'm still a bit new with the 5.7 core...
katz515 replied on at Permalink Reply
katz515
@Maino,

@Hissy found much better way to handle this by reading the following Symfony document (which 5.7 is using as a base framework)

http://symfony.com/doc/current/cookbook/request/load_balancer_rever...

So make a the /application/config/concrete.php text file, and paste the following code.

<?php
// Get remote address
$remoteIp = $_SERVER['REMOTE_ADDR'];
return array(
    'security' => array(
        'trusted_proxies' => array(
            'ips' => [$remoteIp],
        ),
    ),
);


This should do the trick.
Thanks.
Korvin replied on at Permalink Reply
Korvin
I wouldn't do it this way. You are circumventing the important session fixation validation. Instead, you should determine which IPs you trust and set those specifically.

By trusting every incoming server as a proxy you're opening yourself up to extremely easy IP spoofing.
katz515 replied on at Permalink Reply
katz515
Korvin, thanks!

For trusted proxy...
I was thinking about limiting IP address, too.

The IP address range of AWS was very large and almost impossible to determine...

Old Cloud9 uses AWS ELBs. And I know ELB keeps changing the IP address every 60 seconds.
& IP range could be changed over the years, so we will need to update those IP list, too.

We'll try to come up with the better solution for AWS ELB
Korvin replied on at Permalink Reply
Korvin
This is not true. You should feel free and encouraged to edit the generated_overrides config.
katz515 replied on at Permalink Reply
katz515
Oh ok.

concrete5 put the comment in header

DO NOT EDIT THIS FILE DIRECTLY


on every config file under generated_overrides.

If it's not already true, we should remove the comment.
katz515 replied on at Permalink Reply
katz515
@Mainio

Thanks!
I came across the same thing.

Now my cloud9 concrete5 site is working fine without modifying the core.
katz515 replied on at Permalink Reply
katz515
OK Folks, I've made the shell script to make is much easier to deploy concrete5 to Cloud9

Please check it out.
https://github.com/katzueno/concrete5-install-shell-scripts...