enesbil - open - 15 Mar 2015

I faced issues in which the remember-me plugin did not work properly.

Steps to reproduce the issue

Log in to the Joomla site, check the "remember me" checkbox, and wait until the session expires.

Expected result

User is logged in independently of the port (SSL/no-SSL).

Actual result

If you log in over SSL and switch over to non-SSL, you are not logged in after the session expires.

System information (as much as possible)

PHP Version: 5.4.36-0+deb7u3
Webserver: nginx/1.2.1
PHP Interface for the webserver: fpm-fcgi
Joomla! Version: Joomla! 3.4.0 Stable [ Ember ] 24-February-2015 23:00 GMT
Joomla! Platform Version: Joomla Platform 13.1.0 Stable [ Curiosity ] 24-Apr-2013 00:00 GMT

Additional comments

I worked out a patch which works independently of the server port.

Open: /plugins/authentication/cookie/cookie.php
Function to edit: onUserAfterLogout
Before:

    $this->app->input->cookie->set(
        $cookieName, $cookieValue,
        time() + $lifetime,
        $this->app->get('cookie_path', '/'),
        $this->app->get('cookie_domain'),
        $this->app->isSSLConnection() // "secure" flag: set when the login happened over HTTPS
    );

After:

    $this->app->input->cookie->set(
        $cookieName, $cookieValue,
        time() + $lifetime,
        $this->app->get('cookie_path', '/'),
        $this->app->get('cookie_domain'),
        false // "secure" flag never set: the browser also sends the cookie over plain HTTP
    );

Open: /libraries/joomla/user/helper.php
Function to edit: getShortHashedUserAgent
Before:

    // JUri::base() includes the scheme, so the hash differs between http and https
    return md5(JUri::base() . $uaShort);

After:

    // host name only, so the hash is the same for http and https
    return md5($_SERVER['SERVER_NAME'] . $uaShort);

This solution works independently of http/https. I can do a PR if you think this change is reasonable.

Bakual - comment - 15 Mar 2015

Imho, it's actually correct that a login cookie which is set using https doesn't work when using http only.

SniperSister - comment - 15 Mar 2015

I agree with @Bakual - for me this is expected behavior. Why? Because it has a security impact:
If a site uses SSL, an attacker is unable to extract the remember-me cookie from the traffic and log in as the victim because the traffic is encrypted.
But if an attacker forces the victim to use HTTP instead of HTTPS, the cookie is transferred in plain text and therefore can be extracted and misused.

So, I would consider this a feature, not a bug ;)
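
Both the reporter's patch and the explanation above turn on two facts: a browser refuses to send a cookie carrying the Secure attribute over plain HTTP, and JUri::base() includes the scheme, so the UA hash computed under https is not the one computed under http. The following is an added example, not code from this issue or from Joomla, that models both in Python with the standard-library cookie jar standing in for the browser. The host name, cookie name and value, and user-agent string are constructed for the example; the two hash functions reproduce only the md5 line quoted in the report, with a literal base URL in place of JUri::base() and the host name in place of $_SERVER['SERVER_NAME'].

```python
"""Why a remember-me cookie set over HTTPS is not honoured over HTTP, and what
the proposed patch changes. Standalone model, not Joomla code: the stdlib
cookie jar plays the browser; host, cookie and UA string are constructed."""
import hashlib
import http.cookiejar
import time
import urllib.request

SITE_HOST = "example.com"                                    # assumed site host
UA_SHORT = "Mozilla/5.0 (X11; Linux x86_64) Firefox/abcd"    # constructed $uaShort


def make_cookie(name, value, domain, secure, path="/", lifetime=30 * 24 * 3600):
    """Build the cookie a browser would store from a Set-Cookie with these attributes."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path=path, path_specified=True,
        secure=secure,                      # the flag the plugin derives from isSSLConnection()
        expires=int(time.time()) + lifetime,
        discard=False, comment=None, comment_url=None, rest={},
    )


def cookie_header_for(jar, url):
    """Cookie header the jar (browser) would attach to a request for url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)              # applies the Secure/domain/path/expiry rules
    return req.get_header("Cookie")


def remember_me_after_login(login_over_ssl, secure_flag_follows_connection):
    """Log in once, then ask what the browser sends to the http and https origins.

    secure_flag_follows_connection=True models the shipped plugin
    ($this->app->isSSLConnection()); False models the reporter's patch (literal false).
    """
    secure = login_over_ssl if secure_flag_follows_connection else False
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_cookie("joomla_remember_me", "series:token", SITE_HOST, secure))
    return {
        "https": cookie_header_for(jar, f"https://{SITE_HOST}/index.php"),
        "http": cookie_header_for(jar, f"http://{SITE_HOST}/index.php"),
    }


def ua_hash_base(scheme):
    """Shipped code: md5(JUri::base() . $uaShort); the base URL carries the scheme."""
    base = f"{scheme}://{SITE_HOST}/"       # stands in for JUri::base()
    return hashlib.md5((base + UA_SHORT).encode()).hexdigest()


def ua_hash_server_name():
    """Patched code: md5($_SERVER['SERVER_NAME'] . $uaShort); no scheme involved."""
    return hashlib.md5((SITE_HOST + UA_SHORT).encode()).hexdigest()


if __name__ == "__main__":
    shipped = remember_me_after_login(login_over_ssl=True, secure_flag_follows_connection=True)
    patched = remember_me_after_login(login_over_ssl=True, secure_flag_follows_connection=False)
    print("shipped plugin, HTTPS login:", shipped)    # http entry is None: never leaves TLS
    print("patched plugin, HTTPS login:", patched)    # http entry is the cookie, in clear text
    print("UA hash under https:", ua_hash_base("https"))
    print("UA hash under http: ", ua_hash_base("http"))
    print("UA hash after patch:", ua_hash_server_name())
```

With the shipped plugin an HTTPS login yields no Cookie header for the http origin, which is exactly the "not logged in" symptom in the report; with the patch the same cookie is attached to the http request, which is the plaintext exposure described in the comment above, and it affects every remember-me cookie the site issues, not only the sessions of users who deliberately switch to http. The second hunk of the patch removes the scheme from the hash, but on its own it would not change the cookie behaviour: the Secure attribute alone is enough to keep the cookie off the http origin.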

zero-24 - change - 15 Mar 2015
Status: New → Expected Behaviour
Closed_Date: 0000-00-00 00:00:00 → 2015-03-15 15:31:18
Closed_By: zero-24
joomla-cms-bot - change - 15 Mar 2015
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2015-03-15 15:31:19
joomla-cms-bot - close - 15 Mar 2015
joomla-cms-bot - comment - 15 Mar 2015

Set to "closed" on behalf of @zero-24 by The JTracker Application at issues.joomla.org/joomla-cms/6436

zero-24 - comment - 15 Mar 2015

Closing based on feedback by @Bakual and @SniperSister

