Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#12306] - Cookies Review

? Success

User tests: Successful: Unsuccessful:

avatar andrepereiradasilva
andrepereiradasilva
4 Oct 2016

Summary of Changes

This PR does a cookies review across the cms.

  1. Use epoch + 1 to delete the cookie. I think it's not necessary time() - xxxx. Epoch + 1 should be enough. Also we can have problems with timezones if not putting time() less a full day.
  2. Use always '' (empty) when deleting a cookie.
  3. Use the Api when deleting the session cookie.
  4. Always use HTTPOnly for cookies so they can't be accessed through JS.
  5. If HTTPS is forced in the client (Site/Admin) always use only secure cookies
  6. Don't use app->isSSLConnection() for checking if the cookie should be secure. We could have problem setting a secure cookie in a dual HTTP/HTTPS site. Use the new $app->isHttpsForced() instead.
  7. Don't use a new language cookie if the cookie language is defined in the language filter plugin to be only session. Use the session instead (we already have a cookie...).

And minor code and code style improvements.

Testing Instructions

Since this impacts the users/admin sessions the tests must be made with special attention.

  1. First do a code review.
  2. Apply this patch in latest 3.7.x branch
  3. Watch the cookies that are created in the developer console (Resources -> Cookies) in the following processes:
    • site login/logout process
    • backend login/logout process
    • the remember me process in site authentication
    • in a multilanguage site, the remember of the user language (aka the language cookie)

Observations

I checked all the cookies in joomla core (i think i'm not missing none), one i don't know what it does (banner tracks), but i also updated that one.

avatar andrepereiradasilva andrepereiradasilva - open - 4 Oct 2016
avatar andrepereiradasilva andrepereiradasilva - change - 4 Oct 2016
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 4 Oct 2016
Labels Added: ?
avatar joomla-cms-bot joomla-cms-bot - change - 4 Oct 2016
Category Administration Components Libraries Front End Plugins
avatar wilsonge wilsonge - change - 5 Oct 2016
Labels Added: ?
avatar wilsonge
wilsonge - comment - 5 Oct 2016

This is actually very important. Adding release blocker tag

avatar Bakual Bakual - change - 26 Oct 2016
Labels Added: ?
Removed: ?
avatar andrepereiradasilva andrepereiradasilva - change - 29 Oct 2016
Title
Cookies Review (3.7.x)
Cookies Review
avatar andrepereiradasilva andrepereiradasilva - edited - 29 Oct 2016
avatar andrepereiradasilva andrepereiradasilva - change - 8 Dec 2016
The description was changed
avatar joomla-cms-bot joomla-cms-bot - change - 8 Dec 2016
Category Administration Components Libraries Front End Plugins Administration com_banners Libraries Front End Plugins Components
avatar dgt41
dgt41 - comment - 18 Dec 2016

@andrepereiradasilva can you fix the conflicts here?

avatar andrepereiradasilva
andrepereiradasilva - comment - 2 Jan 2017

@dgt41 done

avatar qrem
qrem - comment - 27 Jan 2017

is it solved now, or still needs testing?

avatar wilsonge
wilsonge - comment - 27 Jan 2017

This needs testing for sure

avatar qrem
qrem - comment - 29 Jan 2017

What we should test?

avatar photodude
photodude - comment - 9 Feb 2017

@andrepereiradasilva Can we get another conflicts fix so testing can proceed?

avatar wilsonge
wilsonge - comment - 9 Feb 2017

I have fixed conflicts

avatar JoshuaLewis
JoshuaLewis - comment - 11 Feb 2017

I have tested this item successfully on b0da245

Tested both the front end and backend, works great.

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12306.

avatar JoshuaLewis JoshuaLewis - test_item - 11 Feb 2017 - Tested successfully
avatar JoshuaLewis
JoshuaLewis - comment - 11 Feb 2017

@wilsonge Are you willing to test this PR now that fixes are made?

avatar kalemanzi
kalemanzi - comment - 22 Mar 2017

Hi.
I just tried to test this, but after I removed all patches and applied patch 12306 it logged me out from administrator and now when I try to login it gives me:

"The most recent request was denied because it contained an invalid security token. Please refresh the page and try again."

No matter if I refresh the page, I still get this. My current setup is Nginx on Mac with php 7. This was in FF. I also tried it in Chrome to be sure, getting the same error.

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12306.

avatar franz-wohlkoenig franz-wohlkoenig - change - 2 Apr 2017
The description was changed
Priority Medium Critical
avatar joomla-cms-bot joomla-cms-bot - edited - 2 Apr 2017
avatar richard67
richard67 - comment - 23 Apr 2017

I have tested this item successfully on b0da245

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12306.

avatar richard67 richard67 - test_item - 23 Apr 2017 - Tested successfully
avatar franz-wohlkoenig franz-wohlkoenig - change - 23 Apr 2017
Status Pending Ready to Commit
avatar franz-wohlkoenig
franz-wohlkoenig - comment - 23 Apr 2017

RTC after two successful tests.

avatar richard67
richard67 - comment - 23 Apr 2017

I tested frontend and backend and force ssl for admin only and for the entire site, and shared sessions no and yes, and language filter cookie for session and for year. Works like a charm, this PR does not introduce new bugs but saves 1 cookie in case if language filter cookie is session only, and the language filter still remembers the previously selected site language as before.

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12306.

avatar richard67
richard67 - comment - 23 Apr 2017

@kalemanzi This PR requires to be tested on latest staging + this patch applied (which can be done with patchtester latest stable release after having installed a clean staging with multilingual option). If you applied the patch on a 3.6.5 or something else not being latest staging, it can have caused your problems because other patches might have been missing. Can you check and if possible test again with latest staging?

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12306.

avatar rdeutz rdeutz - change - 22 May 2017
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2017-05-22 18:08:11
Closed_By rdeutz
Labels Added: ?
Removed: ?
avatar rdeutz rdeutz - close - 22 May 2017
avatar rdeutz rdeutz - merge - 22 May 2017
avatar mino182
mino182 - comment - 10 Jul 2017

Hi, this cookies changes in plugins/system/languagefilter/languagefilter.php cause problem with "com_tags" in single tag view, if tags option "language filter" is set to "Current".

In my case in tag view I have only EN articles, no matter what language I set in frontend...

If I replace these lines with code from j 3.7.2, there is no problem.

Thanks.

avatar franz-wohlkoenig
franz-wohlkoenig - comment - 10 Jul 2017

@mino182 can you please open a Issue?

avatar mino182
mino182 - comment - 10 Jul 2017

Ok

avatar infograf768
infograf768 - comment - 11 Jul 2017

Regression.
#17053

@andrepereiradasilva

Add a Comment

Login with GitHub to post a comment