Use ezstarrating for anonymous in 4.4 or 4.5


Francisca Hernández

Member since:
09 January 2008

Posts: 3

Thursday 22 September 2011 2:51:17 pm

Hi,

We use this extension for 2 big projects. We want to update these projects to 4.5, but they use the ezstarrating extension for anonymous users, and the clients don't want to change to a registration requirement.
As I see it, we cannot run ezpublish with file-system-based user sessions if we use this functionality.

Does anyone have a solution for this problem?

Thanks, Fran

Iguana IT, SL - http://www.iguanait.com


Carlos Revillo

Member since:
09 January 2008

Posts: 53

Thursday 22 September 2011 3:37:22 pm

+1 for this. Same problem here. It seems this piece of code

    // Provide extra session protection on 4.1 (not possible on 4.0) by expecting user
    // to have an existing session (new session = most likely a spammer / hacker trying to manipulate rating)
    if ( class_exists( 'eZSession' ) && eZSession::userHasSessionCookie() !== true )
        return $ret;

especially the userHasSessionCookie check...

EDIT: Corrected the code because I left brackets in there...

Carlos Revillo

Member since:
09 January 2008

Posts: 53

Thursday 22 September 2011 3:49:26 pm

A quick workaround can be to enable the ForceStart variable in the Session group, like this:

    [Session]
    ForceStart=enabled

It has worked in my test, but as the doc says, this is a "bc setting" and shouldn't be needed... so probably this can have a better fix.

Cheers.

Gaetano Giunta

Member since:
09 January 2008

Posts: 241

Saturday 15 October 2011 2:29:30 am

I was going to suggest using ForceStart for sessions, too. This should work with both filesystem-based and db-based session storage.

I do not see it really as a "hack", even though it can have some performance consequences, of course.

One workaround could be to have a separate session-starting view to call just before the rating is executed. This way we could still have no sessions for most users but still use one for preventing rating abuse and for showing users the items they have rated (a very hackish solution: send the user to a page that starts a session and redirects him to the original page, where the rating is triggered... Slightly better: recover the session cookie via a JS call and inject it into the browser).

OTOH, when we set up sessions for anonymous users, I do not really see how there is any benefit in security / spam abuse. The rating spammer just has to execute 2 separate GET calls instead of one, passing the cookie he got from the 1st to the 2nd.

Maybe we could just add an extra ini parameter that allows rating with no sessions at all...

Principal Consultant International Business
Member of the Community Project Board
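The gate quoted earlier in the thread and the per-session benefit Gaetano describes, as an added example that is not part of the thread or of ezstarrating's code. It is plain PHP with hypothetical function names (hasExistingSessionCookie, handleRating); the node ids, the in-memory $ratings store and the cookie values are constructed for the demo. The first branch is the one that fires for every anonymous visitor when sessions are file-based and ForceStart is disabled, which is exactly the problem Fran reports.

```php
<?php
// Added example, not ezstarrating's own code. Mirrors the "existing session
// required" check from the thread and, on top of it, records the rated node
// ids in the session so a second vote on the same node from the same session
// is refused and the UI can show "already rated".

// The check the extension performs, expressed on plain PHP primitives:
// does the request carry a cookie under the session's name?
function hasExistingSessionCookie(array $cookies, string $sessionName): bool
{
    return isset($cookies[$sessionName]) && $cookies[$sessionName] !== '';
}

// Process one rating. $session stands in for $_SESSION, $ratings for the
// rating table. Returns a result array instead of echoing so the caller can
// inspect the outcome.
function handleRating(array &$session, array &$ratings, bool $hasSessionCookie, int $nodeId, int $stars): array
{
    // Same policy as the quoted snippet: a request without a session cookie
    // is treated as a fresh client and ignored.
    if (!$hasSessionCookie) {
        return ['ok' => false, 'reason' => 'no existing session'];
    }
    if ($stars < 1 || $stars > 5) {
        return ['ok' => false, 'reason' => 'stars out of range'];
    }
    // Per-session dedup: the part that actually needs a session, because it
    // remembers what this visitor has already rated.
    if (isset($session['ezstarrating_rated'][$nodeId])) {
        return ['ok' => false, 'reason' => 'already rated in this session'];
    }
    $session['ezstarrating_rated'][$nodeId] = $stars;
    $ratings[$nodeId][] = $stars;
    $average = array_sum($ratings[$nodeId]) / count($ratings[$nodeId]);
    return ['ok' => true, 'average' => round($average, 2), 'count' => count($ratings[$nodeId])];
}

// Demo run with constructed values (normally $_COOKIE, $_SESSION and the DB).
// eZ Publish derives the real cookie name from its SessionNamePrefix setting;
// 'eZSESSID' here is just a constructed stand-in.
$sessionName = 'eZSESSID';
$session = [];
$ratings = [42 => [4, 5]];   // constructed: node 42 already has two votes

// Anonymous visitor without a session cookie: refused, as in the thread.
$firstVisit = hasExistingSessionCookie([], $sessionName);
var_dump(handleRating($session, $ratings, $firstVisit, 42, 1));

// Returning visitor with a cookie: accepted once (average 4.0, count 3),
// then refused on the second attempt from the same session.
$returning = hasExistingSessionCookie([$sessionName => 'abc123'], $sessionName);
var_dump(handleRating($session, $ratings, $returning, 42, 3));
var_dump(handleRating($session, $ratings, $returning, 42, 5));
```

Note that this keeps Gaetano's caveat intact: the cookie check by itself only means a client has to make one request to obtain a session before rating, and the per-session record only holds as long as the client keeps that cookie. It gives visitors a consistent "already rated" view and stops accidental double submissions; it is not a substitute for server-side rate limiting or logging on the rating endpoint.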
