The "remember-me" cookie deletion request is sent even when the cookie was never set - e.g. if the "Remember me" functionality is disabled in the Joomla configuration.
4. The session cookie sent on the request is requested to be deleted in the response.
4. In addition to the session cookie, another cookie (the "remember-me" cookie) which had not been present in the request is also deleted in the response.
PHP 5.3.6 on Apache on Linux
This seems to be Joomla 2.5.x specific (and 1.5.x before that). On Joomla 3.x the "remember-me" functionality has been rewritten and the issue does not seem to occur (checked on the demo site http://joomla32.cloudaccess.net/administrator/index.php?autologin=1&passwd=demo&username=demo).
Also: added the HTTPS and HttpOnly cookie flags, as "Cookies must be deleted with the same parameters as they were set with" according to https://php.net/manual/en/function.setcookie.php. And that is how the cookie is set - see lines 739 - 740.
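The behaviour the description asks for, as an added example (not the PR's code and not Joomla's): a deletion is prepared only when the request actually carried the cookie, and it reuses the parameters the cookie was set with. The function name, the cookie name and the parameter values are constructed placeholders.

```php
<?php
// Added example, not Joomla code. Names and values below are constructed.

/**
 * Build the argument list for the setcookie() call that deletes a cookie.
 * Returns null when the request did not carry the cookie, so the caller
 * sends no Set-Cookie header at all.
 */
function rememberCookieDeletion(array $requestCookies, $name, array $setParams)
{
    if (!isset($requestCookies[$name])) {
        return null; // cookie was never set: nothing to delete
    }

    // Same path, domain, secure and httponly as when the cookie was set;
    // only the value (empty) and the expiry (in the past) differ.
    return array(
        $name,
        '',
        time() - 86400,
        $setParams['path'],
        $setParams['domain'],
        $setParams['secure'],
        $setParams['httponly'],
    );
}

// Constructed sample data: a placeholder cookie name and login-time parameters.
$name   = 'remember_cookie_placeholder';
$params = array('path' => '/', 'domain' => '', 'secure' => true, 'httponly' => true);

$requests = array(
    'remember-me never set' => array('session_placeholder' => 'abc'),
    'remember-me present'   => array('session_placeholder' => 'abc', $name => 'token'),
);

foreach ($requests as $label => $cookies) {
    $args = rememberCookieDeletion($cookies, $name, $params);
    if ($args === null) {
        printf("%s: no Set-Cookie header sent\n", $label);
        continue;
    }
    // In a web request the caller would run: call_user_func_array('setcookie', $args);
    printf("%s: delete with path=%s secure=%s httponly=%s\n", $label,
        $args[3], var_export($args[5], true), var_export($args[6], true));
}
```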
Status | Pending | ⇒ | New |
Status | New | ⇒ | Pending |
Category | ⇒ | Authentication |
You're using the superglobals ($_COOKIE, $_SERVER) directly in your PR. That's not a good idea and should be avoided. Please use the Joomla API (JInput class) for those things.
You can probably use the Joomla 3.3 code as a reference for how you can use the API. See https://github.com/joomla/joomla-cms/blob/staging/plugins/authentication/cookie/cookie.php#L278 for how it is done there.
He only reused the (ssl) code from the login method.
Ouch, that's some messy code in there
I would still try to use JInput for the cookie handling. You should be able to check the presence with it.
Why not just use "if ($this->isSite()) {" for the check? It's shorter and easier to read.
The solution you provided addresses a different issue. The one I describe refers to the cookie deletion request being sent when the cookie had never been set - e.g. if the "Remember me" functionality is disabled in the Joomla configuration and one logs out of the front-end. I only used a back-end log-out example to be able to drop the test step which disables the "Remember me" in the Joomla configuration. I'm going to make that clearer in the original description. I'm sorry about the confusion.
So, to address the issue you describe, one would need to add your check additionally, such as:
if (isset($_COOKIE[self::getHash('JLOGIN_REMEMBER')]) && ($this->isSite()))
But that, again, is a different issue.
@Bakual:
I would still try to use JInput for the cookie handling. You should be able to check the presence with it.
According to http://docs.joomla.org/Retrieving_request_data_using_JInput, "there are known issues with JInput and Magic Quotes" and "for this reason all core components in Joomla 2.5.x still use JRequest". And I don't know if it's good to break usage consistency on Joomla 2.5 just before it gets end-of-life. I did indeed just reuse the code from the login method.
Ah sorry, you're right of course. In 2.5 we don't use JInput yet for this reason.
Thanks for working on this. Unfortunately this did not make it into the final release of Joomla 2.5, or it was handled elsewhere, so this is being closed. If you feel this is still a valid issue in Joomla 3 please create a new issue.
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-01-01 13:05:34 |
Closed_By | ⇒ | brianteeman |
Closed_Date | 2015-01-01 13:05:34 | ⇒ | 2015-01-01 13:05:35 |
Hi, please see http://forum.joomla.org/viewtopic.php?f=579&t=859020
I've provided a solution for the remember me cookie deletion.
Sorry, I'm new to this tracker and not familiar with the toolbox on the right. Any help page for it available?
The "Importance of issue to me" is not so clear - lower number higher importance or the other way?
This comment was created with the J!Tracker Application at http://issues.joomla.org/.