Investigate Login does not work & Browser Session lost on PHP 5.5 #4806
We use Piwik on a server with Zend-Server 6.0.3 and PHP 5.5. We noticed that login does not work: despite correct user credentials, the session gets reset and the login screen reappears without any message.
We debugged it and found that Session::regenerateId() is programmed to destroy the old session, so the login authentication referenced by the browser cookie is lost and a valid login attempt fails.
A fix for this is:
Also, whenever sending header("Location: ...") to redirect the browser to a different URL, please call session_write_close() first to write the session data, because the same effect may appear: on redirection the browser session is lost:
On a PHP 5.4 based system Piwik works for us without these changes, but on two separate PHP 5.5 based systems (where we can confirm that session management works, as many other PHP applications run nicely there) Piwik only keeps the current browser session with the above changes applied.
Please check for yourselves, and include these changes in the main code if possible (or any other solution that makes Piwik work on PHP 5.5).
We currently use Zend-Server 6.3 with PHP 5.5.7. [session.use_strict_mode] is disabled.
As the server also runs eCommerce applications, we will enable [session.use_strict_mode] in the future to prevent session fixation and have the highest server-side security in place.
Also, upgrading to PHP 5.5.9 is not a viable option as it is not available for Zend-Server yet. Here too, I disagree with "fixing" the server side when a code correction is the viable option.
I do not understand the comment, why not simply improve the code?
Other applications like Magento work perfectly in this environment without changes.
Btw the problem was also reported by pisc.software in this forum post
@pisc.software would you mind doing a pull request for your change? If the builds pass, it should be safe to merge and for sure, we'd like to fix it if possible. Btw, it would be interesting to know if you can replicate on 5.5.9 as well, in case you can easily test it.
Replying to matt:
Anyway, we invested our time and have a working correction that also regenerates the Session-ID. Basically, the Session-ID must be regenerated before the authentication cookie is sent. Currently that is done afterwards.
We will make a pull request; however, we do not have access privileges to push the corrected branch to GitHub.
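The ordering the opening report and the last comment both describe (regenerate the session ID first, store the authenticated state in the new session, flush it with session_write_close() before the redirect), as an added illustration in plain PHP. This is example code written for this thread, not Piwik's code and not the reporter's patch; the credential check, the field names and the redirect targets are assumptions chosen for the example.

```php
<?php
// Added example for this issue thread, not code from Piwik or from the
// reporter's patch. Shows a login handler that orders its session work so
// that neither Session::regenerateId() destroying the old session nor an
// immediate header("Location: ...") redirect can lose the authenticated state.
declare(strict_types=1);

// Reads the session that the browser's current cookie refers to.
session_start();

// Hypothetical credential check for the example. A real application looks
// the hash up in its user store; password_verify() is the right comparison.
function verifyCredentials(string $user, string $password): bool
{
    $users = ['admin' => password_hash('example-only', PASSWORD_DEFAULT)]; // constructed sample
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Returns the logged-in user name from the current session, or null.
function authenticatedUser(): ?string
{
    return isset($_SESSION['login']) ? (string) $_SESSION['login'] : null;
}

function loginAndRedirect(string $user, string $password, string $target): void
{
    if (!verifyCredentials($user, $password)) {
        // Failed attempt: nothing is written to the session, plain redirect back.
        header('Location: /index.php?module=Login&error=1', true, 303);
        exit;
    }

    // 1. Rotate the session ID *before* anything is stored for this login.
    //    The true argument deletes the old session, which is the intended
    //    session-fixation defence; since the new session is still empty,
    //    destroying the old one cannot drop the authenticated state.
    session_regenerate_id(true);

    // 2. Only now record the authentication in the new session. The new
    //    PHPSESSID cookie for this ID goes out with this response.
    $_SESSION['login'] = $user;
    $_SESSION['login_time'] = time();

    // 3. Persist the session data before redirecting, so the browser's next
    //    request (carrying the new cookie) finds it already written, instead
    //    of racing the write that would otherwise happen at script shutdown.
    session_write_close();

    header('Location: ' . $target, true, 303);
    exit;
}

// Usage as a web handler; the form field names are assumptions.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    loginAndRedirect(
        (string) ($_POST['form_login'] ?? ''),
        (string) ($_POST['form_password'] ?? ''),
        '/index.php?module=CoreHome'
    );
}
```

The check that matters after deploying such a change is the one the reporter describes: log in on the PHP 5.5 host, follow the redirect, and confirm authenticatedUser() is non-null on the following request. If session.use_strict_mode is later enabled, as the second comment plans, this ordering still works because the new ID is issued by the server rather than supplied by the client.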