New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix session timeouts in overlay session #18648
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense now that the sequence of the multiple API calls was the race condition combined with different same site values eventually affecting iframe cookie availability, great spot! 🤯 👍
This is a much cleaner fix than my approach of knobbling the new session cookie.
I've been doing all testing with a separate vhost/domain - with this fix applied I did 100 page overlay link clicks without issue, then switched the the 4.x-dev branch and got a session expired error within three clicks, back to the fix branch and another 50 link clicks without issue. So looks like it solves the issue well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added another comment to check. Will also create an issue that we document how Overlay
works technically as it's always a bit confusing and this might help understand things better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. Be great though to add some tests to make sure eg when passing the Overlay parameter twice in the URL, that it behaves correctly as this is something that could break again in the future. Be great to add a few tests for isOverlayRequest
(eg could make it isOverlayRequest($module, $action, $method, $referrer)
for better testability )
plugins/Overlay/Overlay.php
Outdated
|
||
$isOverlay = $module == 'Overlay'; | ||
$referrerUrlQuery = parse_url(Url::getReferrer() ?? '', PHP_URL_QUERY); | ||
parse_str($referrerUrlQuery, $referrerUrlQueryParams); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure if it makes sense to use UrlHelper::getArrayFromQueryString()
which we also use in other places? Probably not too important as it might do the same, just wondering for consistency
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess it doesn't do the exactly same for parameter arrays, but should be fine to use that one as well. will change that
@tsteur I've added a bunch of tests for the new method. |
@sgiehl seems various other commits are included here? As the release might be today have to maybe target 4.x-dev after all? |
9ed704f
to
78b45fb
Compare
@tsteur Sorry I merged in 4.x-dev without thinking much about it. Rebased the branch so the changes aren't included anymore. Feel free to merge if needed or change the milestone and I can rebase to 4.x-dev again |
@sgiehl I'll change the milestone 👍 |
… from overlay session
78b45fb
to
2e9148a
Compare
@tsteur changed the base to 4.x-dev. Should be ready for a last review now.... |
Looks good to me from a code perspective. @bx80 not sure if you can still easily reproduce the issue locally. If so, could you maybe also confirm it works? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I retested clicking around the overlay repeatedly without encountering the original issue which is quickly apparent on 4.x-dev. The unit tests all pass.
Might be outside the scope of this change, but on PHP8.1 the tests show a deprecation warning PHP Deprecated: strlen(): Passing null to parameter #1 ($string) of type string is deprecated in /var/www/matomo/core/UrlHelper.php on line 205
which is easily fixed by adding a null check to that line in UrlHelper:
if ($urlQuery === null || strlen($urlQuery) == 0) {
Description:
As commented in #18569:
This fix actually checks if the referrer contains
module=Overlay
to set thesamesite=none
for those requests as well. This should properly work unless the referrer gets blocked for some reason.An alternative would be to send some kind of magic parameter with all requests that are sent by the overlay, so we can check for that parameter.
While testing that I also saw, that the Overlay was sending a request to
API.getPagesComparisonsDisabledFor
, which is not needed, so I added the Overlay module to the exclude list for that.@tsteur I have targeted the
next_release
branch as it might be nice to include that fix maybe. If you think it's to risky, feel free to change the milestone and I'll rebase the branch to4.x-dev
instead.fixes #18538
replaces #18569
Review