Fix session timeouts in overlay session #18648
Conversation
sgiehl
added
not-in-changelog
There was a problem hiding this comment.
Makes sense now that the sequence of the multiple API calls was the race condition combined with different same site values eventually affecting iframe cookie availability, great spot! 🤯 👍
This is a much cleaner fix than my approach of knobbling the new session cookie.
I've been doing all testing with a separate vhost/domain - with this fix applied I did 100 page overlay link clicks without issue, then switched the the 4.x-dev branch and got a session expired error within three clicks, back to the fix branch and another 50 link clicks without issue. So looks like it solves the issue well.
There was a problem hiding this comment.
Looks good. Be great though to add some tests to make sure eg when passing the Overlay parameter twice in the URL, that it behaves correctly as this is something that could break again in the future. Be great to add a few tests for isOverlayRequest (eg could make it isOverlayRequest($module, $action, $method, $referrer) for better testability )
plugins/Overlay/Overlay.php
Outdated
|
|
||
| $isOverlay = $module == 'Overlay'; | ||
| $referrerUrlQuery = parse_url(Url::getReferrer() ?? '', PHP_URL_QUERY); | ||
| parse_str($referrerUrlQuery, $referrerUrlQueryParams); |
There was a problem hiding this comment.
not sure if it makes sense to use UrlHelper::getArrayFromQueryString() which we also use in other places? Probably not too important as it might do the same, just wondering for consistency
There was a problem hiding this comment.
I guess it doesn't do the exactly same for parameter arrays, but should be fine to use that one as well. will change that
|
@tsteur I've added a bunch of tests for the new method. |
|
@sgiehl seems various other commits are included here? As the release might be today have to maybe target 4.x-dev after all? |
sgiehl
force-pushed
the
fixoverlaysession
branch
from
9ed704f
to
78b45fb
Compare
|
@tsteur Sorry I merged in 4.x-dev without thinking much about it. Rebased the branch so the changes aren't included anymore. Feel free to merge if needed or change the milestone and I can rebase to 4.x-dev again |
|
@sgiehl I'll change the milestone 👍 |
… from overlay session
sgiehl
force-pushed
the
fixoverlaysession
branch
from
78b45fb
to
2e9148a
Compare
|
@tsteur changed the base to 4.x-dev. Should be ready for a last review now.... |
|
Looks good to me from a code perspective. @bx80 not sure if you can still easily reproduce the issue locally. If so, could you maybe also confirm it works? |
There was a problem hiding this comment.
I retested clicking around the overlay repeatedly without encountering the original issue which is quickly apparent on 4.x-dev. The unit tests all pass.
Might be outside the scope of this change, but on PHP8.1 the tests show a deprecation warning PHP Deprecated: strlen(): Passing null to parameter #1 ($string) of type string is deprecated in /var/www/matomo/core/UrlHelper.php on line 205 which is easily fixed by adding a null check to that line in UrlHelper:
if ($urlQuery === null || strlen($urlQuery) == 0) {
Description:
As commented in #18569:
This fix actually checks if the referrer contains
module=Overlayto set thesamesite=nonefor those requests as well. This should properly work unless the referrer gets blocked for some reason.An alternative would be to send some kind of magic parameter with all requests that are sent by the overlay, so we can check for that parameter.
While testing that I also saw, that the Overlay was sending a request to
API.getPagesComparisonsDisabledFor, which is not needed, so I added the Overlay module to the exclude list for that.@tsteur I have targeted the
next_releasebranch as it might be nice to include that fix maybe. If you think it's to risky, feel free to change the milestone and I'll rebase the branch to4.x-devinstead.fixes #18538
replaces #18569
Review