[SOLVED] Cookie problems

sddroog

Joined: 2005-02-01
Posts: 132
Posted: Mon, 2005-02-21 08:42

Just updated G2 with latest CVS. After that all users are unable to login, unless they delete their cookies first. But as soon as you logoff and try to login again, the problem is back. Even if you try to login with the same user, it fails until the cookies are deleted again.

No error message is given, but after entering the username and password you are being 'logged in' as Guest or not at all (if Guest has no rights) and returned to the login screen.

Help?

Edit: just found out that after closing and opening IE you can login again. Just once, then you have to close and open IE again...

 
sddroog

Joined: 2005-02-01
Posts: 132
Posted: Tue, 2005-02-22 07:22

Am I really the only one with this problem? I updated again with the latest CVS but the problem still exists.

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Tue, 2005-02-22 16:12

Just installed (no upgrade) the newest nightly release, using firefox.
First, I couldn't login, tried it x times.
Then I deleted the cookies from the domain of the server and now it works. I can login/logout/login again. It works.
Never had this issue before with G2, what did you change mindless, bharat?

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Tue, 2005-02-22 16:41

bharat added some domain info encoded in the cookie a while back.. but i thought if your session was rejected due to that info it should generate a new cookie for you (i never tested that though).

 
sddroog

Joined: 2005-02-01
Posts: 132
Posted: Tue, 2005-02-22 19:01

Well, it doesn't work for me. Only after deleting the cookies and/or restarting IE I can login again after I logoff.

I turned on debugging during the (failed) login procedure. There is no error message or anything, so perhaps it will help?

http://foto.dedroog.com/debug.txt

Some other info: http://foto.dedroog.com/info.php

If anything else is required for further debugging please let me know. Then I will try to get that arranged.

Thanks for the great support.

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Tue, 2005-02-22 19:11

i guess we can neglect the browser. tried it with IE, it works for me on my server.
sddroog, why do you use IE anyway?? firefox, opera, .... is the way to go.

but the problem persists for sddroog. anyone?

 
sddroog

Joined: 2005-02-01
Posts: 132
Posted: Tue, 2005-02-22 19:54
valiant wrote:
sddroog, why do you use IE anyway?? firefox, opera, .... is the way to go.

I use multiple browsers. I have the same problem with firefox. But most of my users use IE...

 
sddroog

Joined: 2005-02-01
Posts: 132
Posted: Tue, 2005-02-22 20:30

I just created a new website. Downloaded latest version from CVS. Created new database, everything from scratch.

I could login as admin only once. After logging out and trying to login again, it logged me in as guest.

There must be something different with my setup. I can't believe I am the only one having this problem.

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Tue, 2005-02-22 21:35

maybe watch your GALLERYSID cookie.. when you login you should get a new session id in the cookie.

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Tue, 2005-02-22 21:45

here's one thing to try, not sure if it's the cause..
edit your modules/core/classes/GallerySession.class file, line 359.. comment out:
$this->_loadedSessionData = $localLoadedSessionData;
and try again.

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Tue, 2005-02-22 21:51

sddroog, ignore the 2 messages above.. i did some testing and found the bug. we'll work on a fix.. thanks for the report.

 
BorgKing

Joined: 2002-09-12
Posts: 314
Posted: Tue, 2005-02-22 22:44

I'm having the same problem with one of my G2 installations, but apparently a solution is already in the works. Please post a message when the bug is exterminated, and many thanks to the exterminator.

 
volksport

Joined: 2002-10-06
Posts: 239
Posted: Tue, 2005-02-22 23:46

mindless i created a new bug that is similar, but I only saw it when the root album did not have any everybody group viewing permissions..

link: http://sourceforge.net/tracker/index.php?func=detail&aid=1146021&group_id=7130&atid=107130

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Tue, 2005-02-22 23:52

here's the situation I repro'd:
1) be logged in
2) logout
3) the very next page that is generated has sessionids in the urls
4) click login in the top navbar; returnUrl in this link has the sessionid
5) login.. you get a cookie with a new sessionid
6) you get redirected to the returnUrl, so the cookie changes back to
the old value and you aren't logged in anymore.
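
The login flow in the steps above, replayed as an added example that is not part of the original post and is not Gallery 2 code. The class, the parameter name g2_GALLERYSID, the sample URL and the rule that a session id in the URL overrides the cookie are assumptions made for the model.

```php
<?php
// Toy model of the flow in the steps above (constructed; not Gallery 2 code).
// Assumption from step 6: a session id in the URL overrides the cookie.
const KEY = 'g2_GALLERYSID'; // URL parameter name is an assumption

class ToyServer {
    public $sessions = []; // session id => user name

    function newSession($user) {
        $id = bin2hex(random_bytes(8));
        $this->sessions[$id] = $user;
        return $id;
    }

    // Resolve a request: returns [user, cookie value the response sets].
    function handle($url, $cookie) {
        parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
        $id = $query[KEY] ?? $cookie;
        return [$this->sessions[$id] ?? 'guest', $id];
    }

    // Login issues a fresh id; $rewrite swaps it into the return URL too.
    function login($user, $returnUrl, $rewrite) {
        $newId = $this->newSession($user);
        if ($rewrite) {
            $pattern = '/(?<=[?&])' . preg_quote(KEY, '/') . '=[A-Za-z0-9]+/';
            $returnUrl = preg_replace($pattern, KEY . '=' . $newId, $returnUrl);
        }
        return [$newId, $returnUrl];
    }
}

function replay($rewrite) {
    $srv = new ToyServer();
    $guestId = $srv->newSession('guest');                        // steps 2-3
    $returnUrl = '/main.php?page=album&' . KEY . '=' . $guestId; // step 4 (constructed URL)
    [$cookie, $returnUrl] = $srv->login('admin', $returnUrl, $rewrite); // step 5
    [$user, $cookie] = $srv->handle($returnUrl, $cookie);        // step 6
    return $user;
}

echo 'stale id in return URL: ', replay(false), PHP_EOL;
echo 'id rewritten at login:  ', replay(true), PHP_EOL;
```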

 
sddroog

Joined: 2005-02-01
Posts: 132
Posted: Wed, 2005-02-23 07:46
mindless wrote:
sddroog, ignore the 2 messages above.. i did some testing and found the bug. we'll work on a fix.. thanks for the report.

Thank you!

 
pelle

Joined: 2004-12-10
Posts: 389
Posted: Wed, 2005-02-23 22:41

How 'bout this:

Index: GallerySession.class
===================================================================
RCS file: /cvsroot/gallery/gallery2/modules/core/classes/GallerySession.class,v
retrieving revision 1.61
diff -u -r1.61 GallerySession.class
--- GallerySession.class        19 Feb 2005 06:49:02 -0000      1.61
+++ GallerySession.class        23 Feb 2005 22:43:19 -0000
@@ -350,6 +350,7 @@
        /* Store the current session data */
         $localSessionData = $this->_sessionData;
         $localLoadedSessionData = $this->_loadedSessionData;
+        $oldId = $this->getSessionId();

        /* Reset the session data to create a new session id */
        $this->reset();
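
Review bot: $oldId is taken from getSessionId() before reset() with no check that it is non-empty. If the request arrived without a session id, the str_replace in the next hunk would search for the bare key= prefix and splice the new id in front of whatever value follows it. Suggest skipping the rewrite when $oldId is empty.
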
@@ -358,6 +359,16 @@
        $this->_sessionData = $localSessionData;
        $this->_loadedSessionData = $localLoadedSessionData;

+       /* If we have a return url we need to change session id */
+       if (GalleryUtilities::hasRequestVariable('return')) {
+           GalleryUtilities::putRequestVariable('return',
+                   str_replace(GalleryUtilities::prefixFormVariable($this->getKey()) . '=' .
+                                       $oldId,
+                               GalleryUtilities::prefixFormVariable($this->getKey()) . '=' .
+                                       $this->getSessionId(),
+                               GalleryUtilities::getRequestVariables('return')));
+       }
+
        return GalleryStatus::success();
     }
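
Review bot: the value handed to str_replace is read with GalleryUtilities::getRequestVariables('return') (plural), while the check and the write use the singular hasRequestVariable / putRequestVariable; confirm the getter name. The replacement also matches only the exact old id inside the 'return' request variable, so a return URL kept anywhere else, or one carrying a different stale id, still ends up with an outdated session id. GalleryUtilities::prefixFormVariable($this->getKey()) is computed twice and could be held in a local.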

Edit: fixed linelength

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Thu, 2005-02-24 00:55

pelle, very nice.. here are the steps to get a bad navigation link.. how about this one?

1) be logged in
2) logout
3) click on a link that will generate a navigation url.. i used "add photo to cart"
4) whatever page you're on now should have "return to album" (or photo) in the Navigation section of the sidebar.. the url for that link should have a sessionid in it. (if you used cart like i did you'll notice the cart is now empty.. i've filed a separate bug for that)
5) click login in top navbar
6) login
7) you should be back on the page with return to album/photo.. you should still be logged in.
8) click the return to album/photo link.. now you'll be logged out

 
pelle

Joined: 2004-12-10
Posts: 389
Posted: Thu, 2005-02-24 01:53

All right, I forgot about the session cache. This oughta do it:

Index: GallerySession.class
===================================================================
RCS file: /cvsroot/gallery/gallery2/modules/core/classes/GallerySession.class,v
retrieving revision 1.61
diff -u -r1.61 GallerySession.class
--- GallerySession.class        19 Feb 2005 06:49:02 -0000      1.61
+++ GallerySession.class        24 Feb 2005 01:50:36 -0000
@@ -350,6 +350,7 @@
        /* Store the current session data */
         $localSessionData = $this->_sessionData;
         $localLoadedSessionData = $this->_loadedSessionData;
+        $oldId = $this->getSessionId();

        /* Reset the session data to create a new session id */
        $this->reset();
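
Review bot: $oldId is assigned here but nothing in the following hunk reads it, because _regenerateUrlSessionId() matches any id with a regex. Either drop the assignment or use $oldId to limit the replacement to the id that was just retired.
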
@@ -358,10 +359,43 @@
        $this->_sessionData = $localSessionData;
        $this->_loadedSessionData = $localLoadedSessionData;

+       /* If we have a return url we need to change session id */
+       if (GalleryUtilities::hasRequestVariable('return')) {
+           GalleryUtilities::putRequestVariable('return',
+                   $this->_regenerateUrlSessionId(
+                           GalleryUtilities::putRequestVariables('return')));
+       }
+
+       /* Check for return urls in the session cache */
+       if ($this->exists('core.navigation')) {
+           $navigation = $this->get('core.navigation');
+
+           foreach ($navigation as $navId => $info) {
+               if (isset($navigation[$navId]['data']['returnUrl'])) {
+                   $navigation[$navId]['data']['returnUrl'] =
+                           $this->_regenerateUrlSessionId($info['data']['returnUrl']);
+               }
+           }
+
+           $this->put('core.navigation', $navigation);
+       }
+
        return GalleryStatus::success();
     }

     /**
+     * Replace the session id a URL
+     *
+     * @return string url with valid session id
+     * @access private
+     */
+    function _regenerateUrlSessionId($url) {
+       $replace = GalleryUtilities::prefixFormVariable($this->getKey()) . '=' . $this->getId();
+       $regex = preg_quote(GalleryUtilities::prefixFormVariable($this->getKey()));
+       return preg_replace('/' . $regex . '\=([a-zA-Z0-9]+)/i', $replace, $url);
+    }
+
+    /**
      * Get rid of any sessions that have not been accessed within our
      * inactivity timeout or have exceeded the max lifetime.
      *
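
Review bot: the argument passed to _regenerateUrlSessionId() in the first added block is GalleryUtilities::putRequestVariables('return'), a put call where the current value has to be read; it should be the getter. In _regenerateUrlSessionId(), preg_quote() is called without the '/' delimiter argument, the escaped \= and the /i flag add nothing given the [a-zA-Z0-9] class, and the pattern is not tied to a parameter boundary (? or &), so a longer parameter name ending in the key would match as well. The helper calls getId() where the first hunk calls getSessionId(); confirm both are intended. The docblock reads "Replace the session id a URL" (missing "in") and has no @param for $url.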
 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Thu, 2005-02-24 08:55

you've got a put/get mismatch but this is basically right.. i'll commit the fix asap. thanks!

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Thu, 2005-02-24 11:30

should be fixed now, please verify.
i confirmed i committed the code just in time to make the 2-24 nightly build on jmullan's site. i don't think it was in time for the build on chetan sarva's site.

 
sddroog

Joined: 2005-02-01
Posts: 132
Posted: Thu, 2005-02-24 12:39
mindless wrote:
should be fixed now, please verify.

It works for me, thanks again!

 
BorgKing

Joined: 2002-09-12
Posts: 314
Posted: Thu, 2005-02-24 15:46

Confirmed, I just upgraded from cvs (core 0.8.17) and everything works fine now for both my G2 installations.

mindless & pelle, thanks a lot!