User tests: Successful: Unsuccessful:
This PR fixes the "You are not authorized to.." issue we are experiencing this days
This is a VERY weird issue, given some randomness introduced by the way we flush sessions (check this code in ApplicationCms )
So long story short:
The session is flagged as expired and its updated value won't be stored inside the database. This leads to the user having an "invalid" session but still logged in.
By always saving the data inside the database, we are 100% that even if the session wasn't flushed the user will be logged out at the next page load.
For what is worth, such code is VERY bad, since on very loaded sites it introduces a race condition.
We should really improve such code (maybe moving it inside a system plugin triggered on timely basis?)
Status | New | ⇒ | Pending |
Labels |
Added:
?
|
This is a very nasty issue to debug, however you can do that following these instructions:
if(false)
. This means that the sessions are never flushed from the database.Manually logout from the admin area
if(false)
. This means that the sessions are never flushed from the database.Somethings still not quite right after the patch. Although much improved.
I set the line to false (i'm running postgres for what it's worth). I waited my time for the session to expire. I'm logged out. So far so good. However I log in and I get taken back to the login page again with a session expired notification. So I basically have to log back in twice before I'm actually back into Joomla. Other than having to log back in twice this seems to work as expected. I tried logging in and waiting my time several times and everything seemed to work ok.
What's your session lifetime? Did you were debugging it or simply running
it?
Could you please try with mysql? Postresql is completely broken
Il 24/dic/2015 00:50, "George Wilson" notifications@github.com ha scritto:
Somethings still not quite right after the patch. Although much improved.
I set the line to false (i'm running postgres for what it's worth). I
waited my time for the session to expire. I'm logged out. So far so good.
However I log in and I get taken back to the login page again with a
session expired notification. So I basically have to log back in twice
before I'm actually back into Joomla. Other than having to log back in
twice this seems to work as expected. I tried logging in and waiting my
time several times and everything seemed to work ok.—
Reply to this email directly or view it on GitHub
#8775 (comment).
2 minutes. I was waiting 5'ish minutes (then immediately logging back in). I can increase it back to 15 and try again if you want?
Please try with mysql
yeah, it's happening to me too.
however seems to be "random": sometimes it works, sometimes not
I get the double login 100% of the time (both mysql and postgres based on 3 attempts on each). However I always log in successfully on the second attempt. I mean this is still an massive improvement on what we have now. But would be nice if we could get it "right"
got an hunch of what is going on.
the session token is stored inside the session, but since the session is invalid we destroy it.
so we generate a new session (on form login) and the new token, but then it's not "stored" somewhere, hence the double page.
Due the timing, I can't vouch that what I said has any sense
I think that's handled here no? https://github.com/joomla/joomla-cms/blob/staging/plugins/user/joomla/joomla.php#L218-L224
No. The token is part of the "real" session data and in the serialized contents. That's only updating all that extra metadata that has no bearing on the session.
Yah the word update should have made me think. Ughh
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-12-24 10:32:58 |
Closed_By | ⇒ | wilsonge |
Code style
if(!$this->_validate())
=> if (!$this->_validate())
Yah going to go through and correct all that in a little with the spaces => tabs etc
Two thoughts (not related to this PR specifically but action points going forward):
1) A 4.0 RFC should be removing of state tracking in the session API. Something like this line should truthfully suffice for an isActive check in
JSession
. What value does the extended state tracking in Joomla provide that cannot be met with PHP's native API?2) The
JApplicationCms::checkToken()
check should probably be moved to theonAfterSessionStart
event handler from the session API. If one really wanted to get brave, maybe more event triggers in the session API to better handle this extended session metadata, especially as long as the metadata shares a table record with the "real" PHP session data.