Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Investigate Login does not work & Browser Session lost on PHP 5.5 #4806

Closed
anonymous-piwik-user opened this Issue · 13 comments

3 participants

Anonymous Piwik user Anthon Pang Matthieu Aubry
Anonymous Piwik user

We use Piwik on a Server with Zend-Server 6.0.3 and PHP 5.5. We noticed that login does not work, despite correct user credentials the Session gets reset and the login screen reappears without message.

We debugged it and found out that Session::regenerateId() is programmed such to destroy the old session, so the login authentication is lost on the browser cookie and a valid login attempt to fail.

A fix for this is:

/* core/Session.php */

    public static function regenerateId()
    {
        /*--PHP 5.5--*/
        return;
    }

Also whenever sending the Header("Location:..."winking smiley to redirect the browser to a different URL, please use "session_write_close()" before to write the session data. Because the same effect may appear that on redirection the browser session is lost:

/* core/Plugin/Cntroller.php */

    public function redirectToIndex($moduleToRedirect, $actionToRedirect, $websiteId = null, $defaultPeriod = null,
                                    $defaultDate = null, $parameters = array())
    {

        .....

        if ($websiteId) {
            $url = "Location: index.php?module=" . $moduleToRedirect
                . "&action=" . $actionToRedirect
                . "&idSite=" . $websiteId
                . "&period=" . $defaultPeriod
                . "&date=" . $defaultDate
                . $parametersString;

            /*--PHP 5.5--*/
            session_write_close();
            header($url);
            exit;
        }
/* core/Url.php */

    static public function redirectToUrl($url)
    {
        if (UrlHelper::isLookLikeUrl($url)
            || strpos($url, 'index.php') === 0
        ) {
            /*--PHP 5.5--*/
            session_write_close();
            @header("Location: $url");
        } else {
            echo "Invalid URL to redirect to.";
        }
        exit;
    }

On a PHP 5.4 based system Piwik works without these changes for us, but on 2 separate PHP 5.5 based systems (where we are able to confirm that session management works as many other PHP applications work nicely there) Piwik only will keep the current browser session with the above changes applied.

Please check for yourself, and include these changes into the main code if possible (or any other solution to make Piwik work on PHP 5.5).

Thanks.
Keywords: php-5.5

Anthon Pang
Collaborator

This sounds like a bug with session.use_strict_mode enabled. Try disabling it or upgrading to php 5.5.9.

Anonymous Piwik user

We use Zend-Server 6.3 with PHP 5.5.7 currently. [session.use_strict_mode] is disabled.
And I disagree to change the PHP.ini which does work for other applications that use sessions heavily (like Wordpress or Magento), especially if there is a easy correction on the apps code that corrects it.

As the server also runs eCommerce applications, we will run with [session.use_strict_mode] in the future to prevent session fixation and have the highest server side security in place.

Also upgrading to PHP 5.5.9 is not an viable option as it is not available for Zend-Server yet. Also here, I disagree to "fix" the server side when there is a code correction the viable option.

I do not understand the comment, why not simply improve the code?

Other applications like Magento work perfectly without change in this environment.

Anthon Pang
Collaborator

My comment was meant to diagnose the condition(s) reqd to replicate the problem.

You are the first to report a problem with 5.5.x.

Matthieu Aubry
Owner

Btw the problem was also reported by pisc.software in this forum post

@pisc.software would you mind doing a pull request for your change? If the builds pass, it should be safe to merge and for sure, we'd like to fix it if possible. Btw would be interesting to know if you can replicate on 5.5.9 as well, in case you can easily test it.

Anthon Pang
Collaborator

Note: the regenerateId() change weakens Piwik against session hijacking attack.

Matthieu Aubry
Owner

If it has security implications, let's decrease priority again until we understand what's happening & consequences of the proposed patch.

Anonymous Piwik user

Replying to matt:
Yes, thats true. If it has security implications lets just not allow login to anyone using Piwik on Zend-Server with PHP-5.5

Anyway, we invested our time and have a working correction that also does regenerate the Session-ID. Basically the Session-ID is required to be regenerated before the authentication cookie is being sent. Currently that is done afterwards.

We will make a Push-Request, however we do not have access privileges to push the corrected branch to Github.

Anonymous Piwik user

Pull request is on GitHub:

#241

Matthieu Aubry
Owner

@pisc.software do you have session.auto_start=1 maybe?

could you please print the content of:

$ cat /etc/php5/apache2/php.ini | grep 'session.'

so I can check your session settings and try to reproduce the error?

Matthieu Aubry
Owner

Also, are you using php-fpm ?

Matthieu Aubry
Owner

Maybe this is now working after my two commits in:

@pisc.sofware could you please test the latest Piwik RC release, and confirm whether it works or not? if it's not working, what parts of your patch is missing?

Thanks for your help tracking down this bug!

Anonymous Piwik user

Tested with the most recent Zend-Server 6.3.0 with PHP 5.5.7 and looks like that it works. Login works and the "Open Source Web Analytics" slogan shows again also.

Matthieu Aubry
Owner

Nice to hear it's fixed! :)

And cheers for the original pull request, this was really helpful

This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.