Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
User gets "You need to be logged in to view this page" after succesful login (Trac #2677) #2677
Original ticket http://trac.elgg.org/ticket/2677 on 40896361-08-10 by trac user coldtrick, assigned to unknown.
Elgg version: 1.7
After a succesful login some users got the gatekeeper message "You need to be logged in to view this page". So no wrong username or password.
After days of digging and logging this resulted in the following conclusion.
On some browsers (mostly IE8 in our case) the session cookie was too late (or not at all) updated on the client side. When arriving on the page (after a succesfull login) the session id of Elgg is not matching the session id in the cookie and therefore you are not logged in.
This behaviour is caused by the session_regenerate_id function in the login function. You can read about these issues in the comments on this function ([http://php.net/manual/en/function.session-regenerate-id.php]).
I don't consider this a bug as it prevents Session Fixation (http://en.wikipedia.org/wiki/Session_fixation). I just report this here so it may benefit others.
Our client decided to drop this extra security feature so all users had no issues logging in. There were extra security measures in place that should prevent unwanted site usage.
If you decided to disable this session_regenerate_id function in the elgg login function i strongly advice to add the following to your htaccess (or php.ini)
This also makes session fixation harder [http://www.php.net/manual/en/session.configuration.php#ini.session.use-only-cookies]
cash wrote on 40897000-07-07
trac user coldtrick wrote on 40897030-02-22
cash wrote on 40897196-09-12
trac user coldtrick wrote on 40897223-07-28
Ok i will try to enable some logging to track down the issues.
I've seen the situation of IE8 and IE9 going in and out of compatibility mode, but could not relate it to this particular problem. As user_agent is not related to the session (other than the fingerprint) as far as i know.
All ideas still do not lead to a constructive solution for this "bug";