Session management about securimage HOT 6 CLOSED

Upcoming version 4.0 has defined the concept of a "StorageAdapter" to do just this. I've written adapters for standard PHP sessions, PDO (MySQL, Sqlite, Postgres), Mysqli, Memcached, and Redis.

This new functionality will allow for a custom session adapter to be written as requested in the original issue.

from securimage.

The software (Flyspray) in which I want integrate (using composer.json) securimage uses her own session_name.
So with 3.6.5 need to insert a config.inc.php with setting the session_name.

So I forked securimage just to be able to hardcode a config.inc.php there.
Any better solution? Should I write my own securimage_play.php and securimage_show.php outside the vendor/ directory?
Because securimage_play.php and securimage_play.php do a new Securimage() without passing any parameter array.

The software is using ADOdb, but I don't think at the moment it is necessary to use db tables and should be ok with just $_SESSION.

from securimage.

Making your own custom securimage_show and securimage_play files is certainly an option. A lot of framework integrations do this (by having certain routes for captcha image and audio go through the front controller) so the captcha code can have custom settings passed. My WordPress plugin uses custom files for both (e.g. https://plugins.trac.wordpress.org/browser/securimage-wp/tags/3.6.7/lib/siwp_captcha.php).

I realized lately that it's necessary to have an alternate way to specify a config file if it's not in the securimage directory but not sure the best way. Maybe something like ini_set('securimage.config_file', '/path/to/config.inc.php'); but this would have to be set at the vhost or server level, or by middleware/service that runs on all requests.

As the new version is getting closer to beta / release I want to make this available. If you have any thoughts I'm open to suggestions.

from securimage.

I learned from your Roundcube-Plugin-login_security about 'post-update-cmd' and
added there:

"scripts": {
  "post-update-cmd": [
    "rm -rf vendor/dapphp/securimage/captcha.html .....",
    "echo '<?php return array(\"session_name\"=>\"customsessionname\"); ?>' > vendor/dapphp/securimage/config.inc.php"
  ]
}

from securimage.

Good solution but now I realize requiring the config.inc.php file to be in the securimage directory might not always be possible/desirable. The upcoming version (currently in branch nextgen) allows you to pass a config_file key to Securimage::__construct() so you can specify a path to the config.

When using some kind of MVC where the captcha image is served through a controller, rather than securimage_show.php and then checked by the application, this approach seems to work well.

Thanks for the suggestion, and good use of the post-update-cmd!

from securimage.

The config_file parameter is now available in 3.6.7.

from securimage.