Session set issue after user login action #1932
I created a login page for customers, like this sample:
I just want to set a session message like "You logged successfully!" after the login action, like the following, and you can reproduce it with that:
I have tested on several different scenarios.
Scenario 1. Failed: Same page access
If you try to access the same page, neither the data nor the user session comes through.
Scenario 2. Failed: Access after redirect
If access is provided on the redirected page, only the session set after the login action
Scenario 3. Success: Run codes with no session created
This scenario is a little different.
The same code works in both scenarios, access on the same page and on the redirected page.
Also, I'm going to ask you a question about something I'm curious about:
Why is a new session created after the user
Session files (/site/sessions)
One session file before login as guest
Two session files after login:
Three session files after logout:
Four session files after re-login... and it keeps growing
That's a security measure to make so-called session fixation attacks harder to pull off. Each login and logout is a privilege level change, which requires a clear separation of the sessions used. You can read more about this in the OWASP recommendations for session management.
Don't worry about the session files though: They are automatically garbage-collected once they have expired. The reason why they are still kept is to ensure that requests that are sent around the session token regeneration don't fail. The old session tokens stop working 30 seconds after the token regeneration, but are kept until their regular expiry time (two hours by default) has passed. After that, they are deleted by Kirby on the next run of the garbage collector.
About the issue: Thanks for the detailed information!
This bug occurred because you retrieved the session instance in the same request where the session token was regenerated. Because the cookie was already updated by the session token regeneration, our code that retrieves the session instance then already tried to find the session instance with the new token, which failed in the same request. I have fixed this issue with #1934. Please test if it works for you. :)
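A toy model of the regeneration, grace-window and garbage-collection behaviour described in the comment above; this is an added example in Python, not Kirby's own code. The 30-second grace window and the two-hour default lifetime come from the comment, the in-memory store, method names and timestamps are assumptions.

```python
import secrets
GRACE_SECONDS = 30           # old token keeps working this long after regeneration (from the thread)
LIFETIME_SECONDS = 2 * 3600  # default session lifetime mentioned in the thread

class SessionStore:
    """Toy in-memory model: one record per token, standing in for one session file."""
    def __init__(self):
        self.sessions = {}  # token -> {"data", "expires", "invalid_after"}

    def create(self, now, data=None):
        token = secrets.token_hex(16)
        self.sessions[token] = {"data": dict(data or {}), "expires": now + LIFETIME_SECONDS, "invalid_after": None}
        return token

    def regenerate(self, old_token, now):
        # Privilege change (login/logout): fresh token, copied data; old token lapses after the grace window
        old = self.sessions[old_token]
        old["invalid_after"] = now + GRACE_SECONDS
        return self.create(now, old["data"])

    def lookup(self, token, now):
        # None if the token is unknown, past its regular expiry, or past its post-regeneration grace window
        s = self.sessions.get(token)
        if s is None or now >= s["expires"]:
            return None
        if s["invalid_after"] is not None and now >= s["invalid_after"]:
            return None
        return s["data"]

    def gc(self, now):
        # Drop records whose regular expiry has passed (grace-lapsed ones stay until then); returns the count removed
        before = len(self.sessions)
        self.sessions = {t: s for t, s in self.sessions.items() if now < s["expires"]}
        return before - len(self.sessions)

def walkthrough(t0=1_000_000):
    # Replays the guest -> login -> logout -> re-login sequence from the issue at constructed timestamps
    store = SessionStore()
    guest = store.create(t0)
    user = store.regenerate(guest, t0 + 10)                     # login
    result = {"old_token_within_grace": store.lookup(guest, t0 + 20) is not None,
              "old_token_after_grace": store.lookup(guest, t0 + 45) is not None,
              "files_after_login": len(store.sessions)}
    guest2 = store.regenerate(user, t0 + 60)                    # logout
    result["files_after_logout"] = len(store.sessions)
    store.regenerate(guest2, t0 + 120)                          # re-login
    result["files_after_relogin"] = len(store.sessions)
    result["removed_by_gc"] = store.gc(t0 + 120 + LIFETIME_SECONDS)  # all four have expired by now
    result["files_after_gc"] = len(store.sessions)
    return result
```

Running `walkthrough()` reproduces the file count growing to four across login, logout and re-login, and shows that the old token is only honoured inside the grace window while the records are kept until their regular expiry.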