Sep
07

Suhosin by Cody | Developer Corner | 2010

Suhosin is a (somewhat) commonly installed PHP module used by shared hosting providers to prevent (to some degree) malicious PHP code from compromising a shared environment. Sounds great, but the problem is that it spreads its tentacles into areas where, if you are unaware of its presence, it can cause some very unexpected results.

This was the case in Blesta, until recently.

The issue experienced in Blesta was related to session handling. Blesta uses a database to maintain session information, for added security and to permit load balancing. Normally, a session ends when the user closes their browser; however, it can be revived if a cookie is stored on the user’s machine and is then read when they revisit the site. But because Suhosin encrypts session data by default, our revival code had access to only encrypted data. Essentially, the session couldn’t be revived. The only way to decrypt the data is to have Suhosin do it. So what we did was rename the session prior to starting it, which tricks PHP into thinking the session never ended, and so Suhosin takes over and decrypts the session just in time.

The pseudocode looks something like this:

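// Value of the cookie stored on the user's machine during the earlier visit
$session_id = $_COOKIE['session_id'];
// Rename the session before starting it, so PHP treats it as never having ended
session_name($session_id);
// Suhosin decrypts the stored session data as the session starts
session_start();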
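A more defensive form of the pseudocode above, as an added example that is not Blesta's code: it checks whether Suhosin's session encryption is active and validates the cookie value before it is used as a session name. The function names and the 16 to 64 character length bounds are assumptions; `suhosin.session.encrypt` is Suhosin's own ini directive.

```php
<?php
// Added example, not Blesta's code. Function names and length bounds are assumptions.

// True when Suhosin is loaded and its transparent session encryption
// (suhosin.session.encrypt, on by default) is enabled.
function suhosin_session_encryption_enabled()
{
    if (!extension_loaded('suhosin')) {
        return false;
    }
    // ini_get() returns a string (or false); normalise "1"/"On"/"0"/"" to a bool.
    return filter_var(ini_get('suhosin.session.encrypt'), FILTER_VALIDATE_BOOLEAN);
}

// The cookie value becomes a session name, so accept only what session_name()
// documents as valid: alphanumeric characters with at least one letter.
function valid_revival_token($value)
{
    return is_string($value)
        && preg_match('/\A[A-Za-z0-9]{16,64}\z/', $value) === 1
        && preg_match('/[A-Za-z]/', $value) === 1;
}

// Revive a session from the cookie array; returns false if the value is
// missing or malformed, or if a session is already active.
function revive_session(array $cookies)
{
    $token = isset($cookies['session_id']) ? $cookies['session_id'] : null;
    if (!valid_revival_token($token) || session_status() === PHP_SESSION_ACTIVE) {
        return false;
    }
    session_name($token);   // rename before starting, as in the pseudocode above
    return session_start(); // with Suhosin active, stored data is decrypted here
}

// Constructed sample values
var_dump(valid_revival_token('a3f9c27b1e5d4a8896f0c1d2e3b4a5f6')); // 32 alphanumeric characters
var_dump(valid_revival_token('bad value!'));                       // space and punctuation
var_dump(suhosin_session_encryption_enabled());
```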

Aug
20

PHP & C by Cody | Developer Corner | 2009

For those familiar with C, PHP seems strikingly similar. From the syntax to the function calls. It’s almost as if you could replace a couple asterisks (*) with dollar signs ($) and add a PHP-tag or two, and you could run your C source raw. Continue »

Encoding and encryption are both routines performed on data, however the end results are quite different. In the case of encryption the purpose is to disguise the data such that it can’t be read, except by the intended recipient. On the other hand, encoding is used merely to work the data into a more suitable format. Continue »

As Paul recently announced on our forums, multi-currency support is coming in version 2.2. This is a major change and affects just about every aspect of Blesta. For this reason a few minor changes have been made to the way gateways are written to accommodate multi-currency support. Continue »

Feb
06

Blesta for Windows by Cody | Developer Corner | 2009

We’ve been hard at work on the next installment of Blesta (version 2.1) lately, which is looking to be our most feature rich update to date. One thing we’ve worked hard on is adding support for Windows machines. Continue »


In an effort to increase future compatibility with both browsers and PHP environments we’ve introduced two new standards in the Blesta 2.0 release. Continue »


I recently received an email from GoDaddy.com that I thought was hilarious. Apparently users with mobile devices can only visit .mobi domain names? Continue »

While we crank away on version 1.4 (scheduled for release next month), I wanted to give a quick update on a couple of the big features we’ve gotten excited about. Continue »

Apr
28

Writing Imports by Cody | Developer Corner | 2008

Last week I introduced the Blesta import library, discussed why this is an important feature of Blesta and touched a little bit on how to work with the library. This week we get a little more technical and dive a bit deeper into the import library, but first a little history on the topic. Continue »


Switching from one application to another can be a painful experience, so we’ve attempted to make it as simple as possible. What we’ve done is develop a custom import library specifically for Blesta, to make writing import scripts fast and easy. Continue »


Wouldn’t it be great to create portable graphic files on the fly, without the need for library extensions or any necessary computation on the part of the server machine? If you think so, I’ve got news for you: you already can. Continue »
