Undefined index: samesite #3089

Closed
escopecz opened this issue Dec 4, 2020 · 17 comments

escopecz commented Dec 4, 2020

I got used to Grav updates being so seamless that this one surprised me a lot. Right after I clicked upgrade from version 1.6.28 to 1.6.29 it threw this error:

Server Error
Sorry, something went terribly wrong!

E_NOTICE - Undefined index: samesite
For further details please review your logs/ folder, or enable displaying of errors in your system configuration.

This is in the logs:

[2020-12-04 07:34:21] grav.CRITICAL: Undefined index: samesite - Trace: #0 system/src/Grav/Common/Debugger.php(352): Whoops\Run->handleError(8, 'Undefined index...', '/var/www/johnli...', 221) #1 system/src/Grav/Framework/Session/Session.php(221): Grav\Common\Debugger->deprecatedErrorHandler(8, 'Undefined index...', '/var/www/johnli...', 221, Array) #2 system/src/Grav/Common/Session.php(38): Grav\Framework\Session\Session->start() #3 system/src/Grav/Common/Processors/InitializeProcessor.php(69): Grav\Common\Session->init() #4 system/src/Grav/Framework/RequestHandler/Traits/RequestHandlerTrait.php(45): Grav\Common\Processors\InitializeProcessor->process(Object(Nyholm\Psr7\ServerRequest), Object(Grav\Framework\RequestHandler\RequestHandler)) #5 system/src/Grav/Framework/RequestHandler/Traits/RequestHandlerTrait.php(57): Grav\Framework\RequestHandler\RequestHandler->handle(Object(Nyholm\Psr7\ServerRequest)) #6 system/src/Grav/Common/Processors/DebuggerProcessor.php(27): Grav\Framework\RequestHandler\RequestHandler->handle(Object(Nyholm\Psr7\ServerRequest)) #7 system/src/Grav/Framework/RequestHandler/Traits/RequestHandlerTrait.php(45): Grav\Common\Processors\DebuggerProcessor->process(Object(Nyholm\Psr7\ServerRequest), Object(Grav\Framework\RequestHandler\RequestHandler)) #8 system/src/Grav/Framework/RequestHandler/Traits/RequestHandlerTrait.php(57): Grav\Framework\RequestHandler\RequestHandler->handle(Object(Nyholm\Psr7\ServerRequest)) #9 system/src/Grav/Common/Processors/ErrorsProcessor.php(27): Grav\Framework\RequestHandler\RequestHandler->handle(Object(Nyholm\Psr7\ServerRequest)) #10 system/src/Grav/Framework/RequestHandler/Traits/RequestHandlerTrait.php(45): Grav\Common\Processors\ErrorsProcessor->process(Object(Nyholm\Psr7\ServerRequest), Object(Grav\Framework\RequestHandler\RequestHandler)) #11 system/src/Grav/Framework/RequestHandler/Traits/RequestHandlerTrait.php(57): Grav\Framework\RequestHandler\RequestHandler->handle(Object(Nyholm\Psr7\ServerRequest)) #12 
system/src/Grav/Common/Processors/LoggerProcessor.php(48): Grav\Framework\RequestHandler\RequestHandler->handle(Object(Nyholm\Psr7\ServerRequest)) #13 system/src/Grav/Framework/RequestHandler/Traits/RequestHandlerTrait.php(45): Grav\Common\Processors\LoggerProcessor->process(Object(Nyholm\Psr7\ServerRequest), Object(Grav\Framework\RequestHandler\RequestHandler)) #14 system/src/Grav/Framework/RequestHandler/Traits/RequestHandlerTrait.php(57): Grav\Framework\RequestHandler\RequestHandler->handle(Object(Nyholm\Psr7\ServerRequest)) #15 system/src/Grav/Common/Processors/ConfigurationProcessor.php(49): Grav\Framework\RequestHandler\RequestHandler->handle(Object(Nyholm\Psr7\ServerRequest)) #16 system/src/Grav/Framework/RequestHandler/Traits/RequestHandlerTrait.php(45): Grav\Common\Processors\ConfigurationProcessor->process(Object(Nyholm\Psr7\ServerRequest), Object(Grav\Framework\RequestHandler\RequestHandler)) #17 system/src/Grav/Framework/RequestHandler/Traits/RequestHandlerTrait.php(57): Grav\Framework\RequestHandler\RequestHandler->handle(Object(Nyholm\Psr7\ServerRequest)) #18 system/src/Grav/Common/Grav.php(272): Grav\Framework\RequestHandler\RequestHandler->handle(Object(Nyholm\Psr7\ServerRequest)) #19 index.php(54): Grav\Common\Grav->process() #20 {main} [] []

It's related to https://github.com/getgrav/grav/pull/3063/files#diff-8395517ec427cbc98337890b3f77e0e6ddb3c2f34c6f03ecea9dccffacaee108R221

I can load the frontend of my page when I clear cookies. But if I click on some link I get the error again. Administration is not usable. My site is down. 🔥

Author

escopecz commented Dec 4, 2020

This is weird. Based on https://www.php.net/manual/en/function.session-get-cookie-params.php it should return the 'samesite' array key. But if I execute this on my server it's not there:

$ php -r "var_dump(session_get_cookie_params());"
array(5) {
  ["lifetime"]=>
  int(0)
  ["path"]=>
  string(1) "/"
  ["domain"]=>
  string(0) ""
  ["secure"]=>
  bool(false)
  ["httponly"]=>
  bool(false)
}

Author

escopecz commented Dec 4, 2020

So it seems the samesite key is there only since PHP 7.3. But Grav 1.6 has a minimum requirement of PHP 7.1.3. So #3063 is a break. I run PHP 7.2 on my server.


msarris commented Dec 4, 2020

I have the same issue.

Also the setcookie() was edited (22 days ago) to this:

setcookie(
    $sessionName,
    session_id(),
    $cookie_options
);

According to the PHP docs, this signature of setcookie was added in PHP 7.3. But the project composer.json still says it should support at least version 7.1.3. So this call shouldn't be used.


msarris commented Dec 4, 2020

Temp fix is to manually patch the setcookie calls in Session to the following:

Session::start

setcookie(
    $sessionName,
    session_id(),
    time() + $params['lifetime'],
    $params['path'],
    $params['domain'],
    $params['secure'],
    $params['httponly']
);

Session::invalidate

setcookie(
    session_name(),
    '',
    time() - 42000,
    $params['path'],
    $params['domain'],
    $params['secure'],
    $params['httponly']
);

and to remove the $cookie_params variables.
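
The version split discussed in the comments above, as an added example that is not part of the thread and not Grav's code: one helper that builds `setcookie()` arguments for both PHP < 7.3 and PHP >= 7.3 without reading `samesite` unguarded. The function name `session_cookie_args`, the injectable `$phpVersionId` parameter and the sample cookie name and id are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper, not Grav's implementation).

/**
 * Build the argument list for setcookie() from session_get_cookie_params().
 * $phpVersionId is injectable so both branches can be exercised on one runtime.
 */
function session_cookie_args(string $name, string $value, array $params, int $now, int $phpVersionId = PHP_VERSION_ID): array
{
    // session_get_cookie_params() only returns 'samesite' on PHP >= 7.3;
    // reading it unguarded is what raised "Undefined index: samesite".
    $sameSite = $params['samesite'] ?? '';
    if (!in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        $sameSite = ''; // unknown or empty value: emit no SameSite attribute
    }

    // A lifetime of 0 means "session cookie": keep expires at 0 rather than $now + 0.
    $lifetime = (int)($params['lifetime'] ?? 0);
    $expires  = $lifetime > 0 ? $now + $lifetime : 0;
    $path     = $params['path'] ?? '/';
    $domain   = $params['domain'] ?? '';
    $secure   = (bool)($params['secure'] ?? false);
    $httpOnly = (bool)($params['httponly'] ?? false);

    if ($phpVersionId >= 70300) {
        // Options-array signature, available from PHP 7.3.
        $options = [
            'expires' => $expires, 'path' => $path, 'domain' => $domain,
            'secure' => $secure, 'httponly' => $httpOnly,
        ];
        if ($sameSite !== '') {
            $options['samesite'] = $sameSite;
        }
        return [$name, $value, $options];
    }

    // PHP < 7.3: only the positional signature exists and it has no
    // SameSite parameter, so the attribute is omitted here.
    return [$name, $value, $expires, $path, $domain, $secure, $httpOnly];
}

// Constructed sample: the five keys the reporter's PHP 7.2 printed (no 'samesite').
$php72Params = ['lifetime' => 0, 'path' => '/', 'domain' => '', 'secure' => false, 'httponly' => false];
var_dump(session_cookie_args('grav-site', 'abc123', $php72Params, time(), 70200));
var_dump(session_cookie_args('grav-site', 'abc123', $php72Params + ['samesite' => 'Lax'], time(), 70300));
```

In a request the result is passed on with `setcookie(...session_cookie_args(session_name(), session_id(), session_get_cookie_params(), time()));`.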

Author

escopecz commented Dec 4, 2020

I upgraded my server to PHP 7.3 which fixed this issue, but it caused unplanned downtime to all websites on it. Not fun!

@ConteZero

Same problem here. It looks like I need to find an alternative to Grav for the future; 1.7 will require PHP 7.3 and I do not want to upgrade the PHP version only for Grav.

Author

escopecz commented Dec 4, 2020

I wanted to suggest running the PHPUnit tests on all supported PHP versions, but I just noticed that there is no CI configured on the PRs. Then I noticed there are no functional tests testing HTTP requests anyway. Well, that's upsetting...

Author

escopecz commented Dec 4, 2020

@ConteZero you should not want to upgrade PHP version only for Grav. The right reason is to upgrade to PHP 7.3 because 7.2 won't get any security fixes anymore. See https://www.php.net/supported-versions.php

@ConteZero

@escopecz If you use an LTS Linux distribution you can continue to use an old PHP version (security fixes are backported).

Author

escopecz commented Dec 4, 2020

I don't want to hijack this bug report for a PHP version discussion, but who makes security fixes for an unsupported PHP version? Linux distribution maintainers? Do you have a link to the source?

Member

rhukster commented Dec 4, 2020

Sorry about this! I'm going to revert this for 1.6 and leave it in 1.7 (which does require PHP 7.3) and rerelease

Member

rhukster commented Dec 4, 2020

It's released; unfortunately, we now have to wait for Travis CI to build. It's been taking ages lately. It used to be a matter of 5 minutes, but the last release (and all test builds) has taken nearly 2 hours over the past couple of days. We're already looking at moving to GitHub Actions, but the build process is quite complex and is not simple to move over quickly.

In the meantime, I've removed the packages from 1.6.29 so new people won't run into this, and as soon as the build finishes and the files are available 1.6.30 won't have this issue.

Member

rhukster commented Dec 4, 2020

Quick fix for those of you in broken state:

Replace the system/src/Grav/Framework/Session/Session.php with this file:

https://raw.githubusercontent.com/getgrav/grav/develop/system/src/Grav/Framework/Session/Session.php

@ConteZero

@escopecz
https://wiki.ubuntu.com/SecurityTeam/FAQ
https://askubuntu.com/questions/1275384/ubuntu-18-04-lts-and-php-7-2-security-support-eol
These are some links related to Ubuntu LTS, but other Linux distributions have similar policies for their LTS versions.

Contributor

NicoHood commented Dec 4, 2020

I want to note that the selfupgrade is not (yet) working:

$ bin/gpm selfupgrade

GPM Releases Configuration: Stable

Grav v1.6.30 is now available [release date: Fri Dec  4 11:43:05 2020].
You are currently using v1.6.29.
Would you like to read the changelog before proceeding? [y|N] n
Would you like to upgrade now? [y|N] y

Preparing to upgrade to v1.6.30..
  |- Downloading upgrade [NAN]...     0%
In Response.php line 317:
                                            
  Error while trying to download (code: ):  
                                            

self-upgrade [-f|--force] [-y|--all-yes] [-o|--overwrite] [-t|--timeout [TIMEOUT]]

Member

rhukster commented Dec 4, 2020

Yah Travis build failed due to a GitHub API deprecation, had to fix that and rebuild.. now have to wait another 1-2 hours for Travis to have a slot for us :(

Member

mahagr commented Dec 4, 2020

The new build should be there already and upgrade should be working again.

When it comes to Grav, it will only support officially maintained versions of PHP. If you're not willing to upgrade your OS every couple of years, you shouldn't be using Grav. Upgrading Ubuntu to the latest stable is really easy and many service providers support installing multiple (and latest) versions of PHP out of the box. Some servers even give the possibility to choose the version of PHP per site. We are soon going to be updating the next development version of Grav 2.0 to require either PHP 7.4 or 8.0, depending on what the estimated release cycle will be.

Also, it is really easy to just copy Grav to a new server...

@mahagr mahagr closed this as completed Dec 10, 2020
@mahagr mahagr added fixed and removed fixed in 1.6 labels Jan 20, 2021