
Joey3000 - 22 Aug 2014

The "remember-me" cookie deletion request is sent even when the cookie was never set - e.g. if the "Remember me" functionality is disabled in the Joomla configuration.

Steps to reproduce the issue

  1. Log into the back-end of Joomla (www.example.com/administrator/).
  2. Open browser tools for checking headers received with server response
  3. Log out of the back-end
  4. Check headers sent by browser and received with server response to GET www.example.com/administrator/index.php?option=com_login&task=logout&2048602984502834069720345=1 (the one with the "303 See other" response)

Expected result

4. The session cookie sent on the request is requested to be deleted in the response.

Actual result

4. In addition to the session cookie, another cookie (the "remember-me" cookie), which had not been present in the request, is also deleted in the response.

System information (as much as possible)

PHP 5.3.6 on Apache on Linux

Additional comments

This seems to be Joomla 2.5.x specific (and 1.5.x before that). On Joomla 3.x the "remember-me" functionality has been rewritten and the issue does not seem to occur (checked on the demo site http://joomla32.cloudaccess.net/administrator/index.php?autologin=1&passwd=demo&username=demo).

Also: added the HTTPS and HttpOnly cookie flags, as "Cookies must be deleted with the same parameters as they were set with" according to https://php.net/manual/en/function.setcookie.php. And that is how the cookie is set - see lines 739 - 740.
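A check for step 4 of the reproduction above, written as an added example in PHP (it is not code from the issue or from Joomla): it takes the request's Cookie header and the response's Set-Cookie headers and lists every cookie the response expires that the browser had not sent. The header values are constructed for the example, and the cookie names are placeholders rather than Joomla's hashed cookie names.

```php
<?php
// Added example, not Joomla's code: given the request's Cookie header and the
// response's Set-Cookie headers captured at the logout redirect, report every
// cookie the response expires that the browser never sent.
// Header values below are constructed; cookie names are placeholders.

declare(strict_types=1);

/** Parse "a=1; b=2" into ['a' => '1', 'b' => '2']. */
function parseCookieHeader(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $cookies[$name] = $value;
    }
    return $cookies;
}

/** Return the cookie name if this Set-Cookie header expires the cookie, else null. */
function deletedCookieName(string $setCookie): ?string
{
    $parts = array_map('trim', explode(';', $setCookie));
    $name  = explode('=', array_shift($parts), 2)[0];
    foreach ($parts as $attr) {
        [$key, $val] = array_pad(explode('=', $attr, 2), 2, '');
        $key = strtolower($key);
        if ($key === 'max-age' && (int) $val <= 0) {
            return $name;
        }
        if ($key === 'expires') {
            $ts = strtotime($val);
            if ($ts !== false && $ts < time()) {
                return $name;
            }
        }
    }
    return null;
}

/** Cookies deleted in the response that were absent from the request. */
function spuriousDeletions(string $requestCookie, array $setCookieHeaders): array
{
    $sent     = parseCookieHeader($requestCookie);
    $spurious = [];
    foreach ($setCookieHeaders as $h) {
        $name = deletedCookieName($h);
        if ($name !== null && !array_key_exists($name, $sent)) {
            $spurious[] = $name;
        }
    }
    return $spurious;
}

// Constructed capture of the logout exchange: the browser sent only the session cookie,
// yet the response expires a remember-me cookie as well.
$requestCookie      = 'session_placeholder=abc123';
$responseSetCookies = [
    'session_placeholder=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly',
    'remember_placeholder=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; secure; HttpOnly',
];

foreach (spuriousDeletions($requestCookie, $responseSetCookies) as $name) {
    echo "Response expires cookie '$name' that was not present in the request\n";
}
```

Run it against the headers from your own browser tools by pasting the Cookie request header and the Set-Cookie response headers in place of the constructed ones; any name it prints is a deletion the server sent for a cookie it had no evidence of.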

Votes

# of Users Experiencing Issue: 1/1
Average Importance Score: 1.00

Joey3000 - open - 22 Aug 2014
jissues-bot - change - 22 Aug 2014
Status: Pending -> New
Labels Added: ?
brianteeman - change - 23 Aug 2014
Status: New -> Pending
brianteeman - change - 3 Sep 2014
Category: Authentication
philkom - test_item - 22 Sep 2014 - Tested successfully
philkom - test_item - 22 Sep 2014 - Tested unsuccessfully
philkom - comment - 22 Sep 2014

Hi, please see http://forum.joomla.org/viewtopic.php?f=579&t=859020
I've provided a solution for the remember me cookie deletion.

Sorry, I'm new to this tracker and not familiar with the toolbox on the right. Any help page for it available?
The "Importance of issue to me" is not so clear - lower number higher importance or the other way?

This comment was created with the J!Tracker Application at http://issues.joomla.org/.

Bakual - comment - 23 Sep 2014

You're using the superglobals ($_COOKIE, $_SERVER) directly in your PR. That's not a good idea and should be avoided. Please use the Joomla API (JInput class) for those things.
You can probably use the Joomla 3.3 code as a reference how you can use the API. See https://github.com/joomla/joomla-cms/blob/staging/plugins/authentication/cookie/cookie.php#L278 for how it is done there.

philkom - comment - 23 Sep 2014

@Bakual: he only reused the (ssl) code from the login method.
@Joey3000: why not just use "if ($this->isSite()) {" for the check? It's shorter and easier to read.

Bakual - comment - 23 Sep 2014

he only reused the (ssl) code from the login method.

Ouch, that's some messy code in there :unamused:
I would still try to use JInput for the cookie handling. You should be able to check the presence with it.

Joey3000 - comment - 2 Oct 2014

@philkom:

why not just use "if ($this->isSite()) {" for the check? It's shorter and easier to read.

The solution you provided addresses a different issue. The one I describe refers to the cookie deletion request being sent when the cookie had never been set - e.g. if the "Remember me" functionality is disabled in the Joomla configuration and one logs out of the front-end. I only used a back-end log-out example to be able to drop the test step which disables the "Remember me" in the Joomla configuration. I'm going to make that clearer in the original description. I'm sorry about the confusion.

So, to address the issue you describe, one would need to add your check additionally, such as:
if (isset($_COOKIE[self::getHash('JLOGIN_REMEMBER')]) && ($this->isSite()))

But that, again, is a different issue.

@Bakual:

I would still try to use JInput for the cookie handling. You should be able to check the presence with it.

According to http://docs.joomla.org/Retrieving_request_data_using_JInput, "there are known issues with JInput and Magic Quotes" and "for this reason all core components in Joomla 2.5.x still use JRequest". And don't know if it's good to break usage consistency on Joomla 2.5 just before it gets end-of-life. I did indeed just reuse the code from the login method.
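The combined condition discussed in the comment above, as an added example in PHP (not Joomla's code): the remember-me cookie is expired only when the browser actually sent it and only on the front end, and the deletion uses the same path, domain, secure and httponly parameters as the set path, as the setcookie() manual requires. REMEMBER_COOKIE, isFrontEnd() and rememberCookieParams() are placeholders assumed for the example, standing in for Joomla's hashed cookie name, $this->isSite() and the plugin's own cookie options.

```php
<?php
// Added example, not Joomla's code: a logout routine that expires the
// remember-me cookie only when the browser sent one, and does so with the
// same parameters used when it was set. All names are placeholders.

declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_placeholder'; // stands in for the hashed JLOGIN_REMEMBER name

/** Placeholder for the application's front-end check (Joomla's $this->isSite()). */
function isFrontEnd(): bool
{
    return true;
}

/** Cookie attributes shared by the set and the delete path, so the two cannot drift apart. */
function rememberCookieParams(): array
{
    $secure = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
    return ['path' => '/', 'domain' => '', 'secure' => $secure, 'httponly' => true];
}

/** Set path: called on a successful login with "Remember me" ticked. */
function setRememberCookie(string $value, int $lifetimeSeconds): void
{
    $p = rememberCookieParams();
    setcookie(REMEMBER_COOKIE, $value, time() + $lifetimeSeconds,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

/**
 * Delete path: expire the remember-me cookie on logout, but only if the browser
 * sent one. When "Remember me" is disabled, or the user never ticked it, no
 * Set-Cookie deletion header is emitted at all. Returns true if a deletion was sent.
 */
function clearRememberCookieOnLogout(): bool
{
    if (!isFrontEnd() || !isset($_COOKIE[REMEMBER_COOKIE])) {
        return false; // nothing was set, so nothing to delete
    }
    $p = rememberCookieParams();
    setcookie(REMEMBER_COOKIE, '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    unset($_COOKIE[REMEMBER_COOKIE]);
    return true;
}

// Usage on logout: tear down the session first (application-specific), then
// remove the remember-me cookie only if it was present on the request.
// session_destroy();
clearRememberCookieOnLogout();
```

Keeping the attributes in one helper is the point of rememberCookieParams(): a deletion whose path, domain or secure flag differs from the original Set-Cookie is ignored by the browser, so the cookie would survive the logout.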

Bakual - comment - 4 Oct 2014

Ah sorry, you're right of course. In 2.5 we don't use JInput yet for this reason.

brianteeman - comment - 1 Jan 2015

Thanks for working on this. Unfortunately this did not make it into the final release of Joomla 2.5, or it was handled elsewhere, so this is being closed. If you feel this is still a valid issue in Joomla 3 please create a new issue.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/4151.

brianteeman - change - 1 Jan 2015
Status: Pending -> Closed
Closed_Date: 0000-00-00 00:00:00 -> 2015-01-01 13:05:34
Closed_By: brianteeman
brianteeman - close - 1 Jan 2015
brianteeman - change - 1 Jan 2015
Closed_Date: 2015-01-01 13:05:34 -> 2015-01-01 13:05:35
brianteeman - close - 1 Jan 2015
Joey3000 - head_ref_deleted - 10 Apr 2015
