Multiple session/cookies for user on many user agent browser #363

Closed
emiliosa opened this issue Jun 15, 2019 · 7 comments
Labels: enhancement (Verified Enhancement), help wanted (Need Help for implementation)
Comments

emiliosa commented Jun 15, 2019

Hi everyone, I'm not sure if this is a bug, an issue, or common behaviour.
I'm still using Kohana v3 with the auth/orm/many other modules.
Everything has worked fine for the last 4~5 years, but I always have the same issue:
After any user logs in, they get redirected to the home page. Later, if I change the browser to mobile view and the user agent attribute changes (some browsers do not change it, like Firefox, but Chrome does), a new session is created and the user gets redirected to the login page:

Auth::instance()->logged_in() is FALSE
Auth::instance()->get_user() is NULL

My config:
I'm using the database driver: Session::$default = 'database'

Anyone with the same problem?
Thanks.

jstrobel (Member) commented Jun 19, 2019

Hi @emiliosa - I am not sure if I get the problem right. What do you mean with:

change the browser mobile view

What do you change in detail?
Perhaps you can check the _read function:
https://github.com/kohana/core/blob/bdbe81afb5a09cee4269d2e2210a0d293265231a/classes/Kohana/Session/Native.php#L25
which sets the session cookie params. Possibly you have something which forces the recreate.

emiliosa (Author) commented Jun 21, 2019

@jstrobel thanks for your response.
I will start from the beginning:
I'm using the database driver config; the session is based on a cookie (name attr).
After the user logs in (using Chrome), a session cookie is created based on the user agent (you can see here)

On desktop mode:

[screenshot]

Switch to mobile view mode (from DevTools button):

[screenshot]

You can see the UserAgent has been changed; the user session that was based on this cookie is not the same and the user gets kicked off (Auth::instance()->get_user() is NULL).

This behaviour does not happen using Firefox.

Possible solutions:

  1. Change the salt method and stop using HTTP_USER_AGENT, but this could make the user session more insecure.
  2. Find a way to "auto-login" the user with the previous valid session?
  3. Spoofing the cookie?

I hope I made myself clear.
Thanks!

toitzi (Member) commented Jun 22, 2019

I'll have a look at it tomorrow, may be a bug...

jstrobel (Member) commented Jun 22, 2019

No, I don't think that.
Like @emiliosa mentioned, there is a user agent check in the session class, and it changes in his case.
I will have a look if my app has the same behavior these days.

toitzi (Member) commented Aug 4, 2019

@emiliosa and @jstrobel Sorry for my late reply...
After a bit of research on this topic, it became clear: no matter which driver you use for sessions, they get stored in a cookie. The cookie gets salted with:

Salt in bootstrap
Name
Value
User-Agent

Cookie class, line 123:
return hash_hmac('sha1', $agent.$name.$value.Cookie::$salt, Cookie::$salt);

Whenever the user agent changes, the cookie cannot be found and a new cookie/session is generated (the old one is no longer valid).

This is expected behavior BUT as of now I think we should change that.
There can be many reasons a user agent changes:

Chrome Dev Tools (your case)
Browser extensions (against tracking etc.)
Browser updates (which, most of the time, happen automatically)
...

Every time something above happens the user will get logged out / the cookie will be invalid.
Since adding the User-Agent does not add an extra layer of security (if someone is able to steal your session, they most likely know your UA or have a way to find out / try out), I think we should remove it from the cookie generation.

What do you think @neo22s @jstrobel @svenbw @piotrbaczek
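
To make the mechanism in this comment concrete, here is an added Python model (not Kohana's code) of the `hash_hmac('sha1', $agent.$name.$value.Cookie::$salt, Cookie::$salt)` construction above, using constructed salt, cookie name, session value and user-agent strings and assuming Kohana's `<hmac>~<value>` cookie layout. It shows that a DevTools user-agent switch fails verification while the agent is part of the MAC, that dropping the agent keeps the cookie tamper-evident, and that a cookie replayed with the original agent verifies under both schemes.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any Kohana install.
SALT = "constructed-bootstrap-salt"      # stands in for Cookie::$salt
COOKIE_NAME = "session"                  # session cookie name
SESSION_VALUE = "a1b2c3d4e5f6"           # stands in for the session id
UA_DESKTOP = "Mozilla/5.0 (X11; Linux x86_64) Chrome/75.0"
UA_MOBILE = "Mozilla/5.0 (Linux; Android 8.0; Pixel 2) Chrome/75.0 Mobile"


def sign(name, value, salt, agent=""):
    """Model of Cookie::salt(): HMAC-SHA1 over agent.name.value.salt keyed with salt.
    Kohana 3 passes the User-Agent; agent="" models the cookie without it."""
    message = (agent + name + value + salt).encode()
    return hmac.new(salt.encode(), message, hashlib.sha1).hexdigest()


def issue_cookie(agent=""):
    """Assumed Kohana layout: '<hmac>~<value>'."""
    return sign(COOKIE_NAME, SESSION_VALUE, SALT, agent) + "~" + SESSION_VALUE


def verify(cookie, name, salt, agent=""):
    """Recompute the HMAC for the presented cookie and return the value on a
    match, otherwise None (the point where Kohana starts a fresh session)."""
    sig, sep, value = cookie.partition("~")
    if not sep:
        return None
    expected = sign(name, value, salt, agent)
    return value if hmac.compare_digest(sig, expected) else None


def demo():
    """Outcomes for the scenarios discussed in the thread; every entry is True."""
    bound = issue_cookie(UA_DESKTOP)  # Kohana 3 style: agent inside the MAC
    unbound = issue_cookie()          # agent removed from the MAC
    tampered = unbound[:-1] + "X"     # last character of the value edited
    return {
        # same UA (also: a stolen cookie replayed with a known UA) still passes
        "bound_same_ua": verify(bound, COOKIE_NAME, SALT, UA_DESKTOP) == SESSION_VALUE,
        # DevTools toggled to mobile view: logged out under the old scheme
        "bound_ua_switched": verify(bound, COOKIE_NAME, SALT, UA_MOBILE) is None,
        # without the agent the cookie survives the switch and stays tamper-evident
        "unbound_ua_switched": verify(unbound, COOKIE_NAME, SALT) == SESSION_VALUE,
        "unbound_tampered": verify(tampered, COOKIE_NAME, SALT) is None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'as expected' if ok else 'UNEXPECTED'}")
```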

toitzi (Member) commented Aug 4, 2019

It's probably what @emiliosa said here ..... 😅

@toitzi toitzi added the question Question label Aug 4, 2019
@toitzi toitzi added enhancement Verified Enhancement help wanted Need Help for implementation and removed question Question labels Sep 23, 2019
@toitzi toitzi added this to the 4.0.0 milestone Sep 23, 2019
toitzi (Member) commented Jan 17, 2020

Merged, will be in the 4.0 release.

Development

No branches or pull requests

5 participants