Investigate Login does not work & Browser Session lost on PHP 5.5 #4806
Comments
|
This sounds like a bug with session.use_strict_mode enabled. Try disabling it or upgrading to php 5.5.9. |
|
We use Zend-Server 6.3 with PHP 5.5.7 currently. [session.use_strict_mode] is disabled. As the server also runs eCommerce applications, we will run with [session.use_strict_mode] in the future to prevent session fixation and have the highest server side security in place. Also upgrading to PHP 5.5.9 is not an viable option as it is not available for Zend-Server yet. Also here, I disagree to "fix" the server side when there is a code correction the viable option. I do not understand the comment, why not simply improve the code? Other applications like Magento work perfectly without change in this environment. |
|
My comment was meant to diagnose the condition(s) reqd to replicate the problem. You are the first to report a problem with 5.5.x. |
|
Btw the problem was also reported by pisc.software in this forum post @pisc.software would you mind doing a pull request for your change? If the builds pass, it should be safe to merge and for sure, we'd like to fix it if possible. Btw would be interesting to know if you can replicate on 5.5.9 as well, in case you can easily test it. |
|
Note: the regenerateId() change weakens Piwik against session hijacking attack. |
|
If it has security implications, let's decrease priority again until we understand what's happening & consequences of the proposed patch. |
|
Replying to matt: Anyway, we invested our time and have a working correction that also does regenerate the Session-ID. Basically the Session-ID is required to be regenerated before the authentication cookie is being sent. Currently that is done afterwards. We will make a Push-Request, however we do not have access privileges to push the corrected branch to Github. |
|
Pull request is on GitHub: |
|
@pisc.software do you have session.auto_start=1 maybe? could you please print the content of: $ cat /etc/php5/apache2/php.ini | grep 'session.' so I can check your session settings and try to reproduce the error? |
|
Also, are you using php-fpm ? |
|
Tested with the most recent Zend-Server 6.3.0 with PHP 5.5.7 and looks like that it works. Login works and the "Open Source Web Analytics" slogan shows again also. |
|
Nice to hear it's fixed! :) And cheers for the original pull request, this was really helpful |
We use Piwik on a Server with Zend-Server 6.0.3 and PHP 5.5. We noticed that login does not work, despite correct user credentials the Session gets reset and the login screen reappears without message.
We debugged it and found out that Session::regenerateId() is programmed such to destroy the old session, so the login authentication is lost on the browser cookie and a valid login attempt to fail.
A fix for this is:
Also whenever sending the Header("Location:..."winking smiley to redirect the browser to a different URL, please use "session_write_close()" before to write the session data. Because the same effect may appear that on redirection the browser session is lost:
On a PHP 5.4 based system Piwik works without these changes for us, but on 2 separate PHP 5.5 based systems (where we are able to confirm that session management works as many other PHP applications work nicely there) Piwik only will keep the current browser session with the above changes applied.
Please check for yourself, and include these changes into the main code if possible (or any other solution to make Piwik work on PHP 5.5).
Thanks.
Keywords: php-5.5
The text was updated successfully, but these errors were encountered: