Random logouts caused by lack of Vary: Cookie header.
#1594
Comments
I can confirm this problem for a wiki that was hosted at https://www.siteground.com/. Unfortunately I have no setup to reliably test this on, so I'm leaning toward always sending the
* master: (72 commits)
  fix platform to the minimum requirement
  translation update
  translation update
  translation update
  translation update
  translation update
  replace conditional with array_pad
  refactor: more extensible Content-Type header handling
  fix: correctly show conflicts in extension manager
  fix: check if key is set to fix PHP Notice
  fix: access first element of associative arrays
  fix: set default value for empty var
  fix: initialize vars to prevent PHP Notice
  adjust default bcrypt iterations to 10. fixes #2093
  always send Vary: Cookie header. fixes #1594
  moved function and fixed whitespace errors
  show more info on failed HTTP requests
  do not export the appveyor config
  Added appveyor config for automated windows testing
  Update check supports HTTPS
  ...
Unfortunately, my DokuWiki installation also starts to have this problem. I currently moved it to SiteGround hosting, and the behaviour described above (automatic log out) started to occur. If I delete cookies in the computer, it works for a while, but then the auto logout starts to appear whenever I change the page. Surprisingly, I have several DokuWikis installed in parallel, but this behaviour occurs in only one. I tried to uninstall different packages, but it does not help. As I understand I should modify the .htaccess file - would you please give me a hint how to do that? What exactly should I add there and where? And is it a problem that I do not have .htaccess file, but .htaccess.dist instead? Thanks!
@zdealveindy You can either patch your DokuWiki (the fix is in master a69722b but not released yet) or use
Thanks, phy25, for navigating me. In the end the guys from SiteGround support team helped me with that. Their solution was to:
I fixed this for all my dokuwiki websites, so far works great. I guess after the release of new dokuwiki version this fix will not be necessary.
I run DokuWiki on NearlyFreeSpeech shared hosting, and they've implemented and are beta-testing a new caching proxy system for their network. I've finally tracked down a problem I had with random logouts (often on the very page loaded after a user logged in) to the deletion of the cookie by lib/exe/fetch.php.
After further troubleshooting, I've determined that DokuWiki's behaviour within inc/auth.php of deleting the login cookie on every unauthenticated response, even if no login cookie was sent in the associated request, caused the proxy to cache the `Set-Cookie: DW=deleted' header and send it for most subsequent requests — including for _media/wiki:logo.png, meaning every page load with images enabled would log the user out!
This is resolved by setting a Vary: Cookie header on all cacheable content — I currently have it set in .htaccess (Header always append Vary "Cookie"), but it may be more correct to only serve it for specific pages and thus set it within PHP, but I leave the exact implementation up to whichever of you is more knowledgeable of that kind of thing. :)
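The caching failure reported in this issue, modelled as an added example that is not part of the thread or of DokuWiki's code: a toy shared cache sits in front of an origin that clears the `DW` cookie on every unauthenticated response, with and without `Vary: Cookie`. The `origin` and `SharedCache` names, the session value and the `Cache-Control` header are assumptions made for illustration.

```python
# Toy model (hypothetical names): a shared proxy cache that stores whole
# responses, Set-Cookie included, as the proxy in the report did.

SESSION = "DW=session123"  # constructed sample login cookie


def origin(path, cookie):
    """Origin model: any response to an unauthenticated request clears DW."""
    headers = {"Cache-Control": "public, max-age=3600"}  # assumed cacheable
    if cookie != SESSION:
        headers["Set-Cookie"] = "DW=deleted"
    return headers


class SharedCache:
    def __init__(self, origin_fn, add_vary):
        self.origin_fn, self.add_vary, self.store = origin_fn, add_vary, {}

    def fetch(self, path, cookie=""):
        request = {"cookie": cookie}
        for vary, cached_request, response in self.store.get(path, []):
            # A stored response may be reused only if every request header
            # named in its Vary header has the same value as when it was stored.
            if all(cached_request.get(h, "") == request.get(h, "") for h in vary):
                return response, "HIT"
        response = dict(self.origin_fn(path, cookie))
        if self.add_vary:
            response["Vary"] = "Cookie"  # the fix discussed in the issue
        vary = [h.strip().lower()
                for h in response.get("Vary", "").split(",") if h.strip()]
        self.store.setdefault(path, []).append((vary, request, response))
        return response, "MISS"


def logged_out_by_cache(add_vary):
    """Return (was the logged-in user sent DW=deleted?, cache status)."""
    cache = SharedCache(origin, add_vary)
    path = "/_media/wiki:logo.png"
    cache.fetch(path)  # anonymous visitor primes the cache first
    response, status = cache.fetch(path, cookie=SESSION)
    return response.get("Set-Cookie") == "DW=deleted", status


if __name__ == "__main__":
    for add_vary in (False, True):
        label = "with Vary: Cookie" if add_vary else "without Vary"
        print(label, logged_out_by_cache(add_vary))
```

Without the header the logged-in request is served the anonymous visitor's cached response, cookie deletion included; with it the cache keys on the request's `Cookie` value and goes back to the origin.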