@tsteur opened this Pull Request on September 10th 2020 Member

What happened is that every time an anonymous user would view a widget or report in the Matomo UI it would log a failed authentication (for brute force check) and eventually the anonymous user would be blocked. This is because of the code here: https://github.com/matomo-org/matomo/blob/4.0.0-a1/core/Access.php#L171-L174

The session auth always thinks that the session is expired because for an anonymous user we had actually never started a session. When someone logs in, we would start the session in the login controller in https://github.com/matomo-org/matomo/blob/4.0.0-a1/plugins/Login/Controller.php#L309 but for anonymous users there is no login.

Therefore, initialising the session now when needed in the front controller.
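To make the failure mode concrete, here is an added illustration (not Matomo's own code, and not part of the PR) that models it: a session check that cannot tell "no session started" from "session expired" feeds every anonymous page view into the brute-force counter until the visitor is blocked, while starting a session first lets the same visitor through as anonymous. The class names, the `handleAnonymousRequest` function and the threshold of 3 failures are assumptions for the example.

```php
<?php
// Added illustration, not Matomo's own code: models the failure mode the PR
// describes. Class names and the threshold of 3 failures are assumptions.
final class BruteForceDetection
{
    private array $failedByIp = [];
    public function __construct(private int $maxFailures) {}
    public function addFailedAttempt(string $ip): void
    {
        $this->failedByIp[$ip] = ($this->failedByIp[$ip] ?? 0) + 1;
    }
    public function isBlocked(string $ip): bool
    {
        return ($this->failedByIp[$ip] ?? 0) >= $this->maxFailures;
    }
}

final class SessionAuth
{
    // A started session with no login is a valid anonymous user; no session at
    // all looks exactly like an expired one, so the check fails with null.
    public function authenticate(?array $session): ?string
    {
        return $session === null ? null : ($session['login'] ?? 'anonymous');
    }
}

// $startSession = false reproduces the old front controller, which never
// started a session for anonymous visitors.
function handleAnonymousRequest(bool $startSession, BruteForceDetection $bf, string $ip): string
{
    if ($bf->isBlocked($ip)) {
        return 'blocked';
    }
    $login = (new SessionAuth())->authenticate($startSession ? [] : null);
    if ($login === null) {
        $bf->addFailedAttempt($ip); // the Access.php failed-login path
        return 'auth failed';
    }
    return "ok as $login";
}

foreach ([false, true] as $startSession) {
    $bf = new BruteForceDetection(3);
    $seen = [];
    for ($i = 0; $i < 4; $i++) {
        $seen[] = handleAnonymousRequest($startSession, $bf, '203.0.113.5'); // constructed IP
    }
    printf("%s: %s\n", $startSession ? 'session started' : 'no session', implode(', ', $seen));
}
```

Without a session the fourth anonymous view is already answered with `blocked`; with the session started, every view is `ok as anonymous` and the counter never moves.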

@diosmosis commented on September 11th 2020 Member

Will this be an issue if multiple people end up using the same session simultaneously? (Or will they not actually use the same session simultaneously?)

EDIT: Actually I think the PHPSESSID would be different so should be fine.

This Pull Request was closed on September 11th 2020