? Failure

User tests: Successful: Unsuccessful:

avatar tampe125
tampe125
23 Dec 2015

This PR fixes the "You are not authorized to.." issue we are experiencing this days

This is a VERY weird issue, given some randomness introduced by the way we flush sessions (check this code in ApplicationCms )
So long story short:

  • if the session is expired
  • if the session flushing is not triggered

The session is flagged as expired and its updated value won't be stored inside the database. This leads to the user having an "invalid" session but still logged in.
By always saving the data inside the database, we are 100% that even if the session wasn't flushed the user will be logged out at the next page load.

For what is worth, such code is VERY bad, since on very loaded sites it introduces a race condition.
We should really improve such code (maybe moving it inside a system plugin triggered on timely basis?)

avatar tampe125 tampe125 - open - 23 Dec 2015
avatar tampe125 tampe125 - change - 23 Dec 2015
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 23 Dec 2015
Labels Added: ?
avatar mbabker
mbabker - comment - 23 Dec 2015

Two thoughts (not related to this PR specifically but action points going forward):

1) A 4.0 RFC should be removing of state tracking in the session API. Something like this line should truthfully suffice for an isActive check in JSession. What value does the extended state tracking in Joomla provide that cannot be met with PHP's native API?
2) The JApplicationCms::checkToken() check should probably be moved to the onAfterSessionStart event handler from the session API. If one really wanted to get brave, maybe more event triggers in the session API to better handle this extended session metadata, especially as long as the metadata shares a table record with the "real" PHP session data.

avatar tampe125
tampe125 - comment - 23 Dec 2015

Testing instructions

This is a very nasty issue to debug, however you can do that following these instructions:

  1. Login inside the administrator area
  2. Inside Global Configuration page, set the session lifetime to 2 minutes
  3. Surf to the Articles page
  4. Manually hack the core changing this line to if(false). This means that the sessions are never flushed from the database.
  5. Wait until the session expires (maybe 4 minutes to be on the safe site)
  6. Try to click on any article title
  7. You should be redirected to the article list, with the article you clicked on it checked out. You can surf in the backend, but you can't do anything that requires the session

Manually logout from the admin area

Apply this patch

  1. Login inside the administrator area
  2. Inside Global Configuration page, set the session lifetime to 2 minutes
  3. Surf to the Articles page
  4. Manually hack the core changing this line to if(false). This means that the sessions are never flushed from the database.
  5. Wait until the session expires (maybe 4 minutes to be on the safe site)
  6. Try to click on any article title
  7. You should be logged out from the admin area
avatar wilsonge
wilsonge - comment - 23 Dec 2015

Somethings still not quite right after the patch. Although much improved.

I set the line to false (i'm running postgres for what it's worth). I waited my time for the session to expire. I'm logged out. So far so good. However I log in and I get taken back to the login page again with a session expired notification. So I basically have to log back in twice before I'm actually back into Joomla. Other than having to log back in twice this seems to work as expected. I tried logging in and waiting my time several times and everything seemed to work ok.

avatar tampe125
tampe125 - comment - 24 Dec 2015

What's your session lifetime? Did you were debugging it or simply running
it?
Could you please try with mysql? Postresql is completely broken
Il 24/dic/2015 00:50, "George Wilson" notifications@github.com ha scritto:

Somethings still not quite right after the patch. Although much improved.

I set the line to false (i'm running postgres for what it's worth). I
waited my time for the session to expire. I'm logged out. So far so good.
However I log in and I get taken back to the login page again with a
session expired notification. So I basically have to log back in twice
before I'm actually back into Joomla. Other than having to log back in
twice this seems to work as expected. I tried logging in and waiting my
time several times and everything seemed to work ok.


Reply to this email directly or view it on GitHub
#8775 (comment).

avatar wilsonge
wilsonge - comment - 24 Dec 2015

2 minutes. I was waiting 5'ish minutes (then immediately logging back in). I can increase it back to 15 and try again if you want?

avatar tampe125
tampe125 - comment - 24 Dec 2015

Please try with mysql

avatar wilsonge
wilsonge - comment - 24 Dec 2015

Same result. First time I just get a regular login screen.

image

When I enter my credentials I then get this

image

When I enter again on this page then I log in successfully

avatar tampe125
tampe125 - comment - 24 Dec 2015

yeah, it's happening to me too.
however seems to be "random": sometimes it works, sometimes not

avatar wilsonge
wilsonge - comment - 24 Dec 2015

I get the double login 100% of the time (both mysql and postgres based on 3 attempts on each). However I always log in successfully on the second attempt. I mean this is still an massive improvement on what we have now. But would be nice if we could get it "right"

avatar tampe125
tampe125 - comment - 24 Dec 2015

got an hunch of what is going on.
the session token is stored inside the session, but since the session is invalid we destroy it.
so we generate a new session (on form login) and the new token, but then it's not "stored" somewhere, hence the double page.
Due the timing, I can't vouch that what I said has any sense

avatar mbabker
mbabker - comment - 24 Dec 2015

No. The token is part of the "real" session data and in the serialized contents. That's only updating all that extra metadata that has no bearing on the session.

avatar wilsonge
wilsonge - comment - 24 Dec 2015

Yah the word update should have made me think. Ughh

avatar wilsonge wilsonge - change - 24 Dec 2015
Status Pending Closed
Closed_Date 0000-00-00 00:00:00 2015-12-24 10:32:58
Closed_By wilsonge
avatar wilsonge wilsonge - close - 24 Dec 2015
avatar wilsonge wilsonge - reference | 7751414 - 24 Dec 15
avatar wilsonge wilsonge - merge - 24 Dec 2015
avatar wilsonge wilsonge - close - 24 Dec 2015
avatar infograf768
infograf768 - comment - 24 Dec 2015

Code style
if(!$this->_validate()) => if (!$this->_validate())

avatar wilsonge
wilsonge - comment - 24 Dec 2015

Yah going to go through and correct all that in a little with the spaces => tabs etc

avatar tampe125 tampe125 - head_ref_deleted - 28 Dec 2015

Add a Comment

Login with GitHub to post a comment