Random logouts caused by lack of Vary: Cookie header. #1594

Closed
Celti opened this issue May 25, 2016 · 4 comments

@Celti

Celti commented May 25, 2016

I run DokuWiki on NearlyFreeSpeech shared hosting, and they've implemented and are beta-testing a new caching proxy system for their network. I've finally tracked down a problem I had with random logouts (often on the very page loaded after a user logged in) to the deletion of the cookie by lib/exe/fetch.php.

After further troubleshooting, I've determined that DokuWiki's behaviour within inc/auth.php of deleting the login cookie on every unauthenticated response, even if no login cookie was sent in the associated request, caused the proxy to cache the `Set-Cookie: DW=deleted` header and send it for most subsequent requests — including for _media/wiki:logo.png, meaning every page load with images enabled would log the user out!

This is resolved by setting a Vary: Cookie header on all cacheable content — I currently have it set in .htaccess (Header always append Vary "Cookie"), but it may be more correct to only serve it for specific pages and thus set it within PHP, but I leave the exact implementation up to whichever of you is more knowledgeable of that kind of thing. :)
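
The caching behaviour described in this report, modelled as an added example that is not part of the original issue or of DokuWiki's code: a constructed origin, shared cache and cookie jar show the stored `Set-Cookie: DW=deleted` being replayed to a logged-in user, and `Vary: Cookie` preventing it. The session value and all function and class names are assumptions.

```python
# Constructed model of the issue: origin, shared cache, and a browser cookie jar.
# All names are hypothetical; this is not DokuWiki or proxy code.
SESSION = "DW=session-abc"                  # constructed login cookie value
LOGO = "/_media/wiki:logo.png"              # media URL named in the report


def origin(path, cookie, send_vary):
    """Origin as described above: every unauthenticated response deletes
    the login cookie, even when the request carried no cookie at all."""
    headers = {}
    if cookie != SESSION:
        headers["Set-Cookie"] = "DW=deleted"
    if send_vary:
        headers["Vary"] = "Cookie"
    return headers


class SharedCache:
    """Caching proxy that stores response headers verbatim, Set-Cookie included."""

    def __init__(self, send_vary):
        self.send_vary = send_vary
        self.store = {}      # path -> list of (request cookie, response headers)

    def fetch(self, path, cookie):
        for stored_cookie, headers in self.store.get(path, []):
            # Without Vary any stored entry is reused; with Vary: Cookie the
            # request's Cookie header must equal the one stored with the entry.
            if "Vary" not in headers or stored_cookie == cookie:
                return headers, "HIT"
        headers = origin(path, cookie, self.send_vary)
        self.store.setdefault(path, []).append((cookie, headers))
        return headers, "MISS"


def logged_in_after_image_load(send_vary):
    """Return (still logged in?, cache status) for a user loading the logo."""
    cache = SharedCache(send_vary)
    cache.fetch(LOGO, None)                       # anonymous visitor warms the cache
    jar = SESSION                                 # user who has just logged in
    headers, status = cache.fetch(LOGO, jar)      # page load pulls in the logo
    if headers.get("Set-Cookie") == "DW=deleted": # browser obeys the replayed header
        jar = None
    return jar is not None, status


if __name__ == "__main__":
    print("without Vary:", logged_in_after_image_load(False))
    print("with Vary: Cookie:", logged_in_after_image_load(True))
```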

@splitbrain splitbrain self-assigned this Jun 7, 2017
@splitbrain
Collaborator

I can confirm this problem for a wiki that was hosted at https://www.siteground.com/

Unfortunately I have no setup to reliably test this on, so I'm leaning toward always sending the Vary: Cookie header instead of selectively doing so (which I can't test)

splitbrain added a commit that referenced this issue Sep 1, 2017
* master: (72 commits)
  fix platform to the minimum requirement
  translation update
  translation update
  translation update
  translation update
  translation update
  replace conditional with array_pad
  refactor: more extensible Content-Type header handling
  fix: correctly show conflicts in extension manager
  fix: check if key is set to fix PHP Notice
  fix: access first element of associative arrays
  fix: set default value for empty var
  fix: initialize vars to prevent PHP Notice
  adjust default bcrypt iterations to 10. fixes #2093
  always send Vary: Cookie header. fixes #1594
  moved function and fixed whitespace errors
  show more info on failed HTTP requests
  do not export the appveyor config
  Added appveyor config for automated windows testing
  Update check supports HTTPS
  ...
@zdealveindy

Unfortunately, my Dokuwiki installation is also starting to have this problem. I recently moved it to SiteGround hosting, and the behaviour described above (automatic log out) started to occur. If I delete cookies on the computer, it works for a while, but then the auto logout starts to appear whenever I change the page. Surprisingly, I have several dokuwikis installed in parallel, but this behaviour occurs in only one. I tried to uninstall different packages, but it does not help. As I understand it, I should modify the .htaccess file - would you please give me a hint how to do that? What exactly should I add there and where? And is it a problem that I do not have a .htaccess file, but .htaccess.dist instead? Thanks!

@phy25
Collaborator

phy25 commented Oct 12, 2017

@zdealveindy You can either patch your DokuWiki (the fix is in master a69722b but not released yet) or use .htaccess to add a header (like this: https://stackoverflow.com/questions/1570673/add-a-header-to-each-request-using-htaccess). Ignore .htaccess.dist and just use a new .htaccess to start with, or rename that to .htaccess and append lines to that file (if you want to use a nicer URL).

@zdealveindy

Thanks, phy25, for navigating me. In the end the guys from SiteGround support team helped me with that. Their solution was to:

  1. add the following line to .htaccess:

```apache
<IfModule mod_headers.c>
Header add Strict-Transport-Security "max-age= 157680000"
</IfModule>
```

  2. add the following code into /inc/init.php, lines 45-46, as in the fix you mentioned above:

```php
// avoid caching issues #1594
header('Vary: Cookie');
```

I fixed this for all my dokuwiki websites, so far works great. I guess after the release of new dokuwiki version this fix will not be necessary.
