
Use ezstarrating for anonymous in 4.4 or 4.5


Francisca Hernández

Member since:
22 April 2004

Posts: 6

Thursday 22 September 2011 2:51:17 pm

Hi,

We use this extension for 2 big projects. We want to update these projects to 4.5, but they use the ezstarrating extension for anonymous users, and the clients don't want to change to a registration requirement.
As I see it, we cannot run eZ Publish with file system-based user sessions if we use this functionality.

Anyone have a solution for this problem?

Thanks, Fran

Iguana IT, SL - http://www.iguanait.com


Carlos Revillo

Member since:
31 January 2007

Posts: 53

Thursday 22 September 2011 3:37:22 pm

+1 for this. Same problem here. It seems this piece of code

    // Provide extra session protection on 4.1 (not possible on 4.0) by expecting user
    // to have an existing session (new session = most likely a spammer / hacker trying to manipulate rating)
    if ( class_exists( 'eZSession' ) && eZSession::userHasSessionCookie() !== true )
        return $ret;

especially the userHasSessionCookie check...

EDIT. Corrected the code because I left brackets there...

Twitter: @crevillo
Skype ID: crevillo1976
http://www.tantacom.com
eZ Diff Squad member


Carlos Revillo

Member since:
31 January 2007

Posts: 53

Thursday 22 September 2011 3:49:26 pm

A quick workaround can be to enable the ForceStart variable in the Session group, like this:

    [Session]
    ForceStart=enabled

It has worked in my test. But as the doc says, this is a "BC setting" and shouldn't be needed... so probably this can have a better fix.

Cheers.

Twitter: @crevillo
Skype ID: crevillo1976
http://www.tantacom.com
eZ Diff Squad member


Gaetano Giunta

Member since:
30 November 1999

Posts: 269

Saturday 15 October 2011 2:29:30 am

I was going to suggest using ForceStart for sessions, too. This should work with both filesystem-based and db-based session storage.

I do not see it really as a "hack", even though it can have some performance consequences, of course.

One workaround could be to have a separate session-starting view to call just before the rating is executed. This way we could still have no sessions for most users but still use one for preventing rating abuse and for showing users the items they have rated (a very hackish solution: send the user to a page that starts a session and redirects him to the original page, where the rating is triggered... Slightly better: recover the session cookie via a JS call and inject it into the browser).

Otoh, when we set up sessions for anon users, I do not really see how there is any benefit in security / spam abuse. The rating spammer just has to execute 2 separate GET calls instead of one, passing the cookie he got from the 1st to the 2nd.

Maybe we could just add an extra ini parameter that allows rating with no sessions at all...

Principal Consultant International Business
Member of the Community Project Board
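To make the two workarounds in this thread concrete, here is an added illustration (not code from ezstarrating or eZ Publish) of the decision path: the guard quoted above rejects a rating when no session cookie is present, ForceStart=enabled makes eZ Publish issue that cookie on the anonymous visitor's first page view, and the AllowRatingWithoutSession ini key models the extra parameter Gaetano proposes. The cookie name, the ini array shape and that key are assumptions of this example.

```php
<?php
// Added illustration, not ezstarrating's or eZ Publish's own code. The cookie name,
// the ini array shape and the AllowRatingWithoutSession key are assumptions.

const SESSION_COOKIE = 'eZSESSID';   // assumed session cookie name

// Simulates an anonymous visitor's first page view: with ForceStart=enabled a
// session is started and a cookie handed back; otherwise no cookie is issued.
function firstPageView(array $ini): array {
    $cookies = [];
    if (($ini['Session']['ForceStart'] ?? 'disabled') === 'enabled') {
        $cookies[SESSION_COOKIE] = bin2hex(random_bytes(16)); // constructed session id
    }
    return $cookies;
}

// Mirrors the guard quoted in this thread: reject the rating when the request
// carries no session cookie, unless the hypothetical ini switch allows it.
function ratingAllowed(array $cookies, array $ini): bool {
    if (($ini['StarRating']['AllowRatingWithoutSession'] ?? 'disabled') === 'enabled') {
        return true;
    }
    return isset($cookies[SESSION_COOKIE]);
}

// Three configurations an anonymous visitor can hit when rating on the second request.
$scenarios = [
    'default'      => ['Session' => ['ForceStart' => 'disabled']],
    'forcestart'   => ['Session' => ['ForceStart' => 'enabled']],
    'ini-override' => ['Session'    => ['ForceStart' => 'disabled'],
                       'StarRating' => ['AllowRatingWithoutSession' => 'enabled']],
];
foreach ($scenarios as $name => $ini) {
    $cookies = firstPageView($ini);
    printf("%-12s rating allowed: %s\n", $name, ratingAllowed($cookies, $ini) ? 'yes' : 'no');
}
```

Only the 'default' scenario rejects the rating, which is the failure both posters report; the other two pass because a cookie exists or the check is skipped, and, as Gaetano notes, neither raises the bar for a scripted client that simply keeps the cookie between requests.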

