@anonymous-piwik-user opened this Issue on March 4th 2014

We use Piwik on a Server with Zend-Server 6.0.3 and PHP 5.5. We noticed that login does not work, despite correct user credentials the Session gets reset and the login screen reappears without message.

We debugged it and found out that Session::regenerateId() is programmed such to destroy the old session, so the login authentication is lost on the browser cookie and a valid login attempt to fail.

A fix for this is:

/* core/Session.php */

    public static function regenerateId()
        /*--PHP 5.5--*/

Also whenever sending the Header("Location:..."winking smiley to redirect the browser to a different URL, please use "session_write_close()" before to write the session data. Because the same effect may appear that on redirection the browser session is lost:

/* core/Plugin/Cntroller.php */

    public function redirectToIndex($moduleToRedirect, $actionToRedirect, $websiteId = null, $defaultPeriod = null,
                                    $defaultDate = null, $parameters = array())


        if ($websiteId) {
            $url = "Location: index.php?module=" . $moduleToRedirect
                . "&action=" . $actionToRedirect
                . "&idSite=" . $websiteId
                . "&period=" . $defaultPeriod
                . "&date=" . $defaultDate
                . $parametersString;

            /*--PHP 5.5--*/
/* core/Url.php */

    static public function redirectToUrl($url)
        if (UrlHelper::isLookLikeUrl($url)
            || strpos($url, 'index.php') === 0
        ) {
            /*--PHP 5.5--*/
            <a class='mention' href='https://github.com/header'>@header</a>("Location: $url");
        } else {
            echo "Invalid URL to redirect to.";

On a PHP 5.4 based system Piwik works without these changes for us, but on 2 separate PHP 5.5 based systems (where we are able to confirm that session management works as many other PHP applications work nicely there) Piwik only will keep the current browser session with the above changes applied.

Please check for yourself, and include these changes into the main code if possible (or any other solution to make Piwik work on PHP 5.5).

Keywords: php-5.5

@robocoder commented on March 4th 2014 Contributor

This sounds like a bug with session.use_strict_mode enabled. Try disabling it or upgrading to php 5.5.9.

@anonymous-piwik-user commented on March 7th 2014

We use Zend-Server 6.3 with PHP 5.5.7 currently. [session.use_strict_mode] is disabled.
And I disagree to change the PHP.ini which does work for other applications that use sessions heavily (like Wordpress or Magento), especially if there is a easy correction on the apps code that corrects it.

As the server also runs eCommerce applications, we will run with [session.use_strict_mode] in the future to prevent session fixation and have the highest server side security in place.

Also upgrading to PHP 5.5.9 is not an viable option as it is not available for Zend-Server yet. Also here, I disagree to "fix" the server side when there is a code correction the viable option.

I do not understand the comment, why not simply improve the code?

Other applications like Magento work perfectly without change in this environment.

@robocoder commented on March 7th 2014 Contributor

My comment was meant to diagnose the condition(s) reqd to replicate the problem.

You are the first to report a problem with 5.5.x.

@mattab commented on March 9th 2014 Member

Btw the problem was also reported by pisc.software in this forum post

@pisc.software would you mind doing a pull request for your change? If the builds pass, it should be safe to merge and for sure, we'd like to fix it if possible. Btw would be interesting to know if you can replicate on 5.5.9 as well, in case you can easily test it.

@robocoder commented on March 9th 2014 Contributor

Note: the regenerateId() change weakens Piwik against session hijacking attack.

@mattab commented on March 10th 2014 Member

If it has security implications, let's decrease priority again until we understand what's happening & consequences of the proposed patch.

@anonymous-piwik-user commented on March 18th 2014

Replying to matt:
Yes, thats true. If it has security implications lets just not allow login to anyone using Piwik on Zend-Server with PHP-5.5

Anyway, we invested our time and have a working correction that also does regenerate the Session-ID. Basically the Session-ID is required to be regenerated before the authentication cookie is being sent. Currently that is done afterwards.

We will make a Push-Request, however we do not have access privileges to push the corrected branch to Github.

@anonymous-piwik-user commented on March 20th 2014

Pull request is on GitHub:


@mattab commented on May 5th 2014 Member

@pisc.software do you have session.auto_start=1 maybe?

could you please print the content of:

$ cat /etc/php5/apache2/php.ini | grep 'session.'

so I can check your session settings and try to reproduce the error?

@mattab commented on May 5th 2014 Member

Also, are you using php-fpm ?

@mattab commented on May 5th 2014 Member

Maybe this is now working after my two commits in:

@pisc.sofware could you please test the latest Piwik RC release, and confirm whether it works or not? if it's not working, what parts of your patch is missing?

Thanks for your help tracking down this bug!

@anonymous-piwik-user commented on May 13th 2014

Tested with the most recent Zend-Server 6.3.0 with PHP 5.5.7 and looks like that it works. Login works and the "Open Source Web Analytics" slogan shows again also.

@mattab commented on May 14th 2014 Member

Nice to hear it's fixed! :)

And cheers for the original pull request, this was really helpful

This Issue was closed on May 14th 2014
Powered by GitHub Issue Mirror