Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
Session keeps breaking on any POST request #4931
Reported by Ashus on 4 Nov 2015 01:04 UTC as Trac ticket #1490582
In my current environment (HTTPS, HTTP/2, Apache 2.4.17, PHP 5.6.14 via fastcgi) Roundcube does not work. Anytime I submit any form, it logs out with the message "invalid auth cookie sent". I debugged it and found the problem in the core file program/lib/Roundcube/rcube.php on line 528:
I presume the variable $_SERVER[SCRIPT_NAME] was used to check for specific instance of RC on the same server where cookies might collide. My debug has resulted in these:
Post requests were without Get queries so dirname extracted something else.
Comment by @alecpl on 4 Nov 2015 07:32 UTC
Strange. Looks to me as a PHP or server configuration issue. According to PHP manual 'SCRIPT_NAME' contains the current script's path. It's not filesystem path, but the path from the URL. So, not something I'd expect either.
We can't use
BTW, there's no such code in git-master, so the fix is needed for 1.1 only.
Comment by @alecpl on 4 Nov 2015 08:07 UTC
From the other hand, the uniqueness of the secret key is achieved by the code in rcube_session::_mkcookie(). So, as I understand that variable don't have to be unique to the Roundcube instance, but to the whole server. It's just there to make des_key guessing harder, I suppose.
However, I'm afraid that if we change that code, we may break something unintentionally. So, I propose to keep SCRIPT_NAME use, but just remove everything starting from ? character. What do you think?
ps. I'm looking for most simple solution, I don't want to backport changes from master, as they are too intrusive for a stable branch.
Comment by Ashus on 4 Nov 2015 08:43 UTC
Well I tried it with SCRIPT_FILENAME and found nothing broken. SCRIPT_NAME might still be used inside dirname after removing
I googled for old phpinfos and found SCRIPT_FILENAME was working fine even in PHP 5.1.6. Your choice.