copying a site: modifying $site_sessionname and $site_id

Hello All,

I’m creating a generic version of a MODx site, with all of my favorite things in it, so that I can use it as a base for new clients.

I noted that the two values of $site_id and $site_sessionname seem to be created at install time, and I also got the impression that the session ids for the manager were based on the above two values, as well as the domain names.

So, I’ve managed to copy a site to a different domain (same server) and did NOT modify the site_id or site_sessionname, and I can log into both sites, and all seems to be well.
(I copied the files, and then exported and imported the database, into a new database, and then edited the paths in the system settings table.)

However, I would think it would be a much better idea if each new domain’s copy of this MODx install had it’s own site_id and site_sessionname. But, I can’t find the code, or method of manually creating a new set of these two values. I would think that copying a generic version to a client’s machine, with the same site_id and site_sessionname, would be a bad idea for security, but I’m not really sure about the impact.

Can it be done by hand? If not, I’m wondering where in the code I might be able to snip out a bit, and create a php routine to create a new matching site_id and site_sessionname.

And, do the two values have to match? Are they checked against each other? Or will any old values do?

Finally, besides normal things like paths, db names, etc, are there any other critical system variables that have to be changed?

Thanks!

Peter Brown

I have the same question. I have prepared a MODX Evo 1.0.5 pack, and when I duplicate the website I can log in in both website (at least locally) although the websites have same username but different password.

Does this mean that if I upload multiple websites with the value in these lines "$site_sessionname" and "$site_id" unchanged, a user can log in both websites knowing only one password?

If this is the case, can I change the number or that would break the system somehow?

Quote from: Peter at May 19, 2010, 03:36 AM

Can it be done by hand? If not, I’m wondering where in the code I might be able to snip out a bit, and create a php routine to create a new matching site_id and site_sessionname.

Yes, they’re just universally unique variables generated to prevent XSRF attacks. You can, technically, make them whatever you want.

And, do the two values have to match?

No.

Are they checked against each other?

No.

Finally, besides normal things like paths, db names, etc, are there any other critical system variables that have to be changed?

Make sure your config.core.php files are updated (usually done in setup if you run an upgrade after moving).

How about something like this, but for Evo: http://tracker.modx.com/issues/4073

Hi! I have a similar question. I have over 40 websites hacked recently (prior to Revo 2.6.5-pl attack).
In most cases recovery was as simple as deleting everything but /assets/ and config.inc, then reinstalling the newest version of MODX.
Unfortunately I lost config.inc for one website. So, I can take another one, modify db connection details, paths and...
Here is my question. We have:
$lastInstallTime = ***********; - doesn't matter?

$site_id = 'modx*********.*******'; - keep as in another site, change manually or maybe it is written in a database somewhere?
$site_sessionname = 'SN504********'; - same as above
$uuid = '***************'; - same as above

Is it important to modify these values or they can be left from another website? If modify, how to do it?

Please help !!!

A new topic may have been better given the age of this one, but I'm pretty sure you can set those variables to anything you'd like. May need to wipe sessions after changing the $site_id/$site_sessionname, but that's not much of a problem.