Upgrade to 3.8.0b4 triggered failure to login without 'session_save_handler = ' #13852
Comments
GreenReaper
changed the title
|
Incidentally, if you have database sessions enabled and intentionally corrupt the data field by removing the
|
that might be just some old comment. Needs to be updated / removed. Created a PR: #13857 as for the other sessions I'm not sure this is related to the DB handler being changed as it seems to work in general when the DB handler is used. not sure if @diosmosis has any idea? |
* Tweak message when an error in session happens refs #13852 (comment) * fix version number see 332f42c#r31671044
|
@tsteur only thing I can think of is 'files' is may be used somewhere else in the code even after https://github.com/matomo-org/matomo/blob/3.x-dev/core/Session.php#L97. Maybe that causes a problem |
|
Could it relate to use of igbinary as session.serialize_handler in PHP's global configuration? (Changing this globally is something I can't test in production, though I could if it's possible to modify just piwik sessions.) If there's special handling on your end (it's a custom save_handler?), it might not be binary-safe, or it might assume a certain format - though I appreciate you base64 stuff before storing it in the [As for #13857, that change didn't seem to address the minor secondary issue raised; it still assumes that if there's a session error, you must not be using the database handler, so it should recommend it if installed. It doesn't envisage the possibility that an error was thrown by the already-enabled database session handler.] |
see eg #13852 (comment) We use db sessions by default anyway so there is no point in recommending it. During the installer we cannot really recommend DB sessions either as they won't work yet (when tables not installed yet)
|
created another PR #13864 for the message. Looking at the code when you set I presume you also get the problem when setting Any chance you could try this patch in production? https://github.com/matomo-org/matomo/pull/13865/files |
#13864) see eg #13852 (comment) We use db sessions by default anyway so there is no point in recommending it. During the installer we cannot really recommend DB sessions either as they won't work yet (when tables not installed yet)
|
I tried that and I no longer get a form error - and inside the database, it is now storing the typical JSON format. The data within the session data decodes to (with own censoring):
Initially I still couldn't login, because - as before - the login form set the new cookie only on the path '/' even though I was accessing /piwik/index.php. But I already had a '/piwik/' cookie from when I was logged in with 'files', so the Firefox presented the '/piwik/' cookie first in requests, and that was not a valid session in the database, so your code set a new cookie (again on '/') and asked me to login again.... After I manually removed my previous cookie on /piwik/ and reloaded /piwik/index.php it found that I was suddenly already logged in from the previous attempt. To sum up: the pull request would work if you wished to force database usage (though some may still want files?), but you need to be careful because end-users might get caught in the trap above - especially because they would presumably be switching from file-based sessions that already have cookies set. Note that the issue does not occur in a clean state but only after you sign out (should have tests?): Load login page /piwik/index.php with no PIWIK_SESSION cookies:
Login:
Logout:
Login:
Arguably the issue is "really" that path is not consistently set for cookies, either when set or when deleted. So when you log out it deletes the '/' cookie but there is a '/piwik/' one to replace it (since a path is not set and the file accessed is /piwik/index.php?...,) and that one isn't removed or replaced when you try to login - instead, only a '/' cookie is set, which is sent as well, but after the '/piwik/' one. Another option: make sure you test all PIWIK_SESSION cookies; if one isn't logged in, try the next. In case it matters (almost certainly not for this), I also ran into a warning:
This is the 'continue' after |
|
@GreenReaper can you test #13869? I believe it is the cause of cookie path change |
|
Yes, it is. I changed that and flushed the file from the opcache. I still could not login, but once I'd removed the existing '/piwik/' cookie, I was able to login, and no more '/piwik/' cookies were created when accessing the dashboard. Subsequently I could logout, the '/' cookie was removed, and I could login again correctly. So the clean state seems fixed, but you may have an issue with people who already have '/piwik/' cookies. |
|
@GreenReaper Updated the PR again this time to respect the login_cookie_path INI config option, which means in your case I think it'll switch the cookie path back to '/piwik/' (which is better, but apologies for for making you clear the cookies again). Unfortunately I'm not too sure how to clear the cookies for users that would be affected by this since we'd have to know what the incorrect cookie path is and clear it once for every user. Would you have an idea @tsteur? Can't think of anything that would be simple to implement... |
|
@diosmosis when the |
|
That would work, though seems a bit dirty to do that on every request. I suppose if this is the only reported case of this being an issue, perhaps a real edge case... |
|
👍 to not do it for now |
|
For what it's worth: I tried the additional change in the PR. I (still) only got '/' cookies (which works in a clean-field environment). That makes sense, since I was not using Once I set |
332f42c (#13540) deprecates the files session hander, setting dbtable as default.
This, or this in combination with some other change, appears to have broken my setup - after upgrading using automatic update from 3.8.0b2, I received continuous 'form security failed' errors when attempting to login with the superuser (the only user, other than anonymous), after submitting to apply database changes (having also run into #13836).
I was only able to login correctly after changing to the file save handler by setting in config.ini.php:
Looking at the table
piwik_sessionthere are seemingly valid Base64 serialized strings decoding as e.g.:I'm guessing this is the partially-logged-in-session as the ID matches the cookie.
But there are also strange, seemingly corrupted entries that don't even have the "data?" at the front of the data column and presumably aren't going to decode right either, like this:
I also saw errors like this pop up in the debug log:
I think #13823 was intended to fix this, but maybe it did not work, or caused more problems than it solved.
In case it matters
/piwik/index.php, the site tracked being at/(but for some reason it seems to be setting a cookie on the '/' path when logging in, and also on '/piwik' once it gets in).The text was updated successfully, but these errors were encountered: