[#8775] - Always save session data inside the database
- Closed
- 24 Dec 2015
- Medium
- Build: 3.4.x
- # 8775
- Diff
- tampe125:fix-3.4.x/fix-session-save
- Failure The Travis CI build failed Details
User tests: Successful: Unsuccessful:
This PR fixes the "You are not authorized to.." issue we are experiencing this days
This is a VERY weird issue, given some randomness introduced by the way we flush sessions (check this code in ApplicationCms )
So long story short:
- if the session is expired
- if the session flushing is not triggered
The session is flagged as expired and its updated value won't be stored inside the database. This leads to the user having an "invalid" session but still logged in.
By always saving the data inside the database, we are 100% that even if the session wasn't flushed the user will be logged out at the next page load.
For what is worth, such code is VERY bad, since on very loaded sites it introduces a race condition.
We should really improve such code (maybe moving it inside a system plugin triggered on timely basis?)
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Labels |
Added:
?
|
||
Testing instructions
This is a very nasty issue to debug, however you can do that following these instructions:
- Login inside the administrator area
- Inside Global Configuration page, set the session lifetime to 2 minutes
- Surf to the Articles page
- Manually hack the core changing this line to
if(false). This means that the sessions are never flushed from the database. - Wait until the session expires (maybe 4 minutes to be on the safe site)
- Try to click on any article title
- You should be redirected to the article list, with the article you clicked on it checked out. You can surf in the backend, but you can't do anything that requires the session
Manually logout from the admin area
Apply this patch
- Login inside the administrator area
- Inside Global Configuration page, set the session lifetime to 2 minutes
- Surf to the Articles page
- Manually hack the core changing this line to
if(false). This means that the sessions are never flushed from the database. - Wait until the session expires (maybe 4 minutes to be on the safe site)
- Try to click on any article title
- You should be logged out from the admin area
Somethings still not quite right after the patch. Although much improved.
I set the line to false (i'm running postgres for what it's worth). I waited my time for the session to expire. I'm logged out. So far so good. However I log in and I get taken back to the login page again with a session expired notification. So I basically have to log back in twice before I'm actually back into Joomla. Other than having to log back in twice this seems to work as expected. I tried logging in and waiting my time several times and everything seemed to work ok.
What's your session lifetime? Did you were debugging it or simply running
it?
Could you please try with mysql? Postresql is completely broken
Il 24/dic/2015 00:50, "George Wilson" notifications@github.com ha scritto:
Somethings still not quite right after the patch. Although much improved.
I set the line to false (i'm running postgres for what it's worth). I
waited my time for the session to expire. I'm logged out. So far so good.
However I log in and I get taken back to the login page again with a
session expired notification. So I basically have to log back in twice
before I'm actually back into Joomla. Other than having to log back in
twice this seems to work as expected. I tried logging in and waiting my
time several times and everything seemed to work ok.—
Reply to this email directly or view it on GitHub
#8775 (comment).
2 minutes. I was waiting 5'ish minutes (then immediately logging back in). I can increase it back to 15 and try again if you want?
Please try with mysql
Same result. First time I just get a regular login screen.
When I enter my credentials I then get this
When I enter again on this page then I log in successfully
yeah, it's happening to me too.
however seems to be "random": sometimes it works, sometimes not
I get the double login 100% of the time (both mysql and postgres based on 3 attempts on each). However I always log in successfully on the second attempt. I mean this is still an massive improvement on what we have now. But would be nice if we could get it "right"
got an hunch of what is going on.
the session token is stored inside the session, but since the session is invalid we destroy it.
so we generate a new session (on form login) and the new token, but then it's not "stored" somewhere, hence the double page.
Due the timing, I can't vouch that what I said has any sense
I think that's handled here no? https://github.com/joomla/joomla-cms/blob/staging/plugins/user/joomla/joomla.php#L218-L224
No. The token is part of the "real" session data and in the serialized contents. That's only updating all that extra metadata that has no bearing on the session.
Yah the word update should have made me think. Ughh
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-12-24 10:32:58 |
| Closed_By | ⇒ | wilsonge |
Code style
if(!$this->_validate()) => if (!$this->_validate())
Yah going to go through and correct all that in a little with the spaces => tabs etc
Two thoughts (not related to this PR specifically but action points going forward):
1) A 4.0 RFC should be removing of state tracking in the session API. Something like this line should truthfully suffice for an isActive check in
JSession. What value does the extended state tracking in Joomla provide that cannot be met with PHP's native API?2) The
JApplicationCms::checkToken()check should probably be moved to theonAfterSessionStartevent handler from the session API. If one really wanted to get brave, maybe more event triggers in the session API to better handle this extended session metadata, especially as long as the metadata shares a table record with the "real" PHP session data.