
Session ID problem and fix

Posted: Fri Nov 16, 2018 10:37 am
by timdebuurman
Hi,

I came across the (already a few times mentioned) problem with the Filemanager pop-up from Microtiny, logging me out and showing the login screen instead of the files.

After research, I noticed the problem only occurred after logout and login again.

Found out that at logout a cookie was still present and therefore not renewed.

In my case it was a cookie with the name CMSSESSIDfa53c6742e1d

If I removed the cookie myself, the problem was gone.

I believe this can be a bug in the core to be fixed.

Made a quick fix myself in the file /admin/login.php for now, that removes all cookies there, but this fix is not permanent, because sometimes some cookies must remain.

Please get in touch if there are any questions about reproducing this.

thx

Re: Session ID problem and fix

Posted: Mon Nov 26, 2018 3:15 pm
by johnboyuk1
I've just come to the boards to raise a very similar question!

I actually also raised the question last year on these boards but couldn't find a resolution - if it's a bug it's been around for a while. I have customers who keep complaining about it. Is there an easy fix for this because I can't really be asking non-tech minded people to go looking for cookies to delete.

The version I've just had a report of this happening on is 2.2.7, it's also happened on older 2.x versions for me too.

Help ..!

Re: Session ID problem and fix

Posted: Mon Nov 26, 2018 4:38 pm
by DIGI3
I had a similar problem a while ago but I'm pretty sure it was caused by mod_security. Can you both confirm that you don't have mod_security on the server in question?

If you don't, please try to provide specific steps in order to recreate it. It may be somewhat obscure - particular browser version, account type, what admin page was visited prior, etc.

Re: Session ID problem and fix

Posted: Mon Nov 26, 2018 4:58 pm
by johnboyuk1
Last report from client was when trying to access the file manager

How do we check re mod_security - isn't listed in 'System Information'

Re: Session ID problem and fix

Posted: Mon Nov 26, 2018 5:03 pm
by DIGI3
You'd need to check with your host. Sometimes you can disable it in cPanel but it depends on your host's settings. There's not a reliable way for PHP to detect it so CMSMS can't tell.

Re: Session ID problem and fix

Posted: Mon Nov 26, 2018 5:09 pm
by johnboyuk1
Will double check - been using this host for years with CMSMS sites so I think it's ok but will make sure!

Re: Session ID problem and fix

Posted: Mon Nov 26, 2018 5:50 pm
by timdebuurman
Hi,

(The mod_security question will be checked.)
EDIT: Our server does not have the mod_security module installed/active, so that cannot be the cause.

Meanwhile, let me get to the reproducing.

I can reproduce this by logging in to the admin, logging out again and logging in with a different account.

That way the cookie of the first user, which was not deleted, will cause the problem with the new user.

Further testing will be the opening of the WYSIWYG editor in Microtiny and trying to open the Filemanager.
As said, checking the cookies and manually deleting the cookie named CMSSESSIDfa53c6742e1d (seems like a session cookie, because of the 'SESSID' in the name) fixed it for me.


Regards, Tim
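
A check for the behaviour reported in the post above, as an added example that is not part of the original post and is not CMSMS code: given the Set-Cookie headers of a login response and a logout response, it lists the CMSSESSID* cookies that logout left in the browser. The header values are constructed, and treating a missing Path as "/" is a simplifying assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SESSION_PREFIX = "CMSSESSID"  # prefix of the cookie name reported in the thread

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute keys lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return first.partition("=")[0].strip(), attrs

def is_expiry(attrs, now):
    """True if these attributes tell the browser to drop the cookie."""
    try:
        if "max-age" in attrs:  # Max-Age wins over Expires when both are sent
            return int(attrs["max-age"]) <= 0
        when = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return False  # no usable expiry attribute: the cookie stays
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def stale_after_logout(login_headers, logout_headers, now=None):
    """Return session cookies set at login that the logout response did not expire."""
    now = now or datetime.now(timezone.utc)
    live = {}  # cookie name -> path it was set on (assumption: missing Path means "/")
    for header in login_headers:
        name, attrs = parse_set_cookie(header)
        if name.startswith(SESSION_PREFIX):
            live[name] = attrs.get("path", "/")
    for header in logout_headers:
        name, attrs = parse_set_cookie(header)
        # A deletion only removes the cookie with the same name AND the same path.
        if live.get(name) == attrs.get("path", "/") and is_expiry(attrs, now):
            del live[name]
    return sorted(live)

# Constructed sample headers (not captured from a real CMSMS site).
LOGIN = ["CMSSESSIDfa53c6742e1d=u1sess; path=/; HttpOnly"]
LOGOUT_LEAKY = ["other=1; Max-Age=0; path=/"]
LOGOUT_WRONG_PATH = ["CMSSESSIDfa53c6742e1d=deleted; Max-Age=0; path=/admin"]
LOGOUT_CLEAN = [("CMSSESSIDfa53c6742e1d=deleted; "
                 "expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/")]

if __name__ == "__main__":
    for label, hdrs in [("leaky", LOGOUT_LEAKY), ("wrong path", LOGOUT_WRONG_PATH),
                        ("clean", LOGOUT_CLEAN)]:
        print(label, stale_after_logout(LOGIN, hdrs))
```

A non-empty result means the next login in the same browser starts with the previous user's session cookie still attached, which is the state described in the reproduction steps.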

Re: Session ID problem and fix

Posted: Tue Nov 27, 2018 9:28 am
by johnboyuk1
This is the report direct from my client:
Have been trying to update the website today.
After initial login, it will ask me to log in again when trying to access the file manager. Following this when clicking submit on the content editor it will kick me out, ask me to log in again without saving any of the changes made.

Re: Session ID problem and fix

Posted: Mon Dec 03, 2018 2:03 pm
by johnboyuk1
Anyone got any further thoughts on this - got clients complaining at me!

timdebuurman has confirmed it's not mod_security

Re: Session ID problem and fix

Posted: Mon Dec 03, 2018 4:11 pm
by DIGI3
Are you running 2.2.8? I saw in an early post you mentioned 2.2.7.

Re: Session ID problem and fix

Posted: Mon Dec 03, 2018 4:49 pm
by timdebuurman
It's 2.2.8

Re: Session ID problem and fix

Posted: Tue Dec 04, 2018 12:46 am
by DIGI3
I can recreate it, legit bug. There was a similar issue that I think is already fixed for 2.3 but I'll verify then file a BR if necessary.

Re: Session ID problem and fix

Posted: Tue Dec 04, 2018 12:49 am
by DIGI3
For a temporary workaround, suggest to your client they use a separate browser session (incognito mode is the easiest) for each username, rather than logging in and out.

Re: Session ID problem and fix

Posted: Tue Dec 04, 2018 7:17 pm
by DIGI3

Re: Session ID problem and fix

Posted: Thu Dec 06, 2018 10:35 am
by johnboyuk1
Thanks DIGI3