Re: Session ID problem and fix

Posted: Mon Feb 11, 2019 7:06 pm
by timdebuurman
Hey,

Got an installation in 2.2.9 and logged out and in with another account for testing my client's account, and a similar problem occurred.

In TinyMCE editor when opening the Filemanager the text 'Access denied' appeared.

Another test in an incognito browser and it works again.

Seems that the problem is not fixed yet.

gr Tim

Re: Session ID problem and fix

Posted: Tue Feb 12, 2019 9:29 am
by Rolf
Please also test using 2.2.9.1. Thx.

Re: Session ID problem and fix

Posted: Mon Mar 25, 2019 5:10 pm
by Charles Butcher
I seem to have a problem with session cookies that looks as though it may be related to the original report.

It occurs when adding a {CMSMS_selflink} tag in TinyMCE, using the toolbar button. Trying to save or cancel crashes out to the login screen.

Clearing the session cookie ("CMSSESSIDxxxxx") fixes the problem for the next login. If I log out and then back in (either the same or a different user) without clearing the cookie, the problem recurs.

According to cPanel, ModSecurity is turned off.

I haven't tested for this bug, which is referenced above and was supposed to be fixed in 2.2.9.

I'm using CMSMS 2.2.10. Latest versions of Safari and Firefox on a Mac, in case it's somehow related to the browser.

Re: Session ID problem and fix

Posted: Mon Mar 25, 2019 8:21 pm
by deactivated010521
Although running https://, CMSMS does not set the 'secure' flag on the CMSSESSIDxxxxxx cookie (@session stuff in ./misc.functions.php).

It helped me to modify php.ini.
Or if your host allows it you can add the following lines to config.php, hope it helps.

Code:

@ini_set('session.cookie_httponly', 1);
@ini_set('session.cookie_secure', 1);

Re: Session ID problem and fix

Posted: Mon Mar 25, 2019 9:15 pm
by Charles Butcher
Thank you arnoud. I tried adding this to config.php but no success so far.

Can I look at the CMSSESS… cookie to tell whether it's working? At the moment its value stays the same, even when I close the window and reopen it. I'm guessing that since it is a session cookie I should be able to watch it changing? This would be simpler than crashing out of TinyMCE.

I have been able to modify config.php to set error reporting, memory limit and so on, so I hoped your fix would work – but apparently not.

What are the corresponding commands for php.ini?

I'm assuming it makes no difference that I have a rewrite rule for http >> https.

Re: Session ID problem and fix

Posted: Tue Mar 26, 2019 9:31 am
by Charles Butcher
Just to confirm, I now have those settings in place (and confirmed via 'ini_get') but the problem of crashing out of TinyMCE persists. The CMSSESSIDxxxx cookie remains the same; deleting it fixes the problem till next time.

The other session key (the much longer one) is cleared properly when I sign out. I assume the same should happen for CMSSESSIDxxxx, but it doesn't.
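
The posts above ask how to tell whether the 'secure' and 'httponly' settings took effect. The attributes on the Set-Cookie response header show this; the cookie value and ini_get do not. The following is an added example, not part of the thread and not CMSMS code: the header lines are constructed samples, and the function names are hypothetical.

```python
# Added example: audit Set-Cookie headers for the flags discussed in the thread.
# SAMPLE_HEADERS is constructed; cookie names and values are placeholders.

SAMPLE_HEADERS = [
    "Set-Cookie: CMSSESSIDabc123=q1w2e3r4; path=/",
    "Set-Cookie: CMSSESSIDabc123=q1w2e3r4; path=/; secure; HttpOnly",
    "Set-Cookie: other_cookie=1; Path=/; Secure; Max-Age=3600",
]


def parse_set_cookie(line):
    """Split one Set-Cookie header into (name, value, attributes dict)."""
    _, _, rest = line.partition(":")
    parts = [p.strip() for p in rest.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit(headers, prefix="CMSSESSID"):
    """Return one finding per cookie whose name starts with prefix."""
    findings = []
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(line)
        if not name.startswith(prefix):
            continue
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        findings.append({
            "name": name,
            "missing": missing,
            # No Expires/Max-Age means the cookie lasts for the browser session.
            "session_only": "expires" not in attrs and "max-age" not in attrs,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HEADERS):
        status = "OK" if not f["missing"] else "missing " + ", ".join(f["missing"])
        print(f"{f['name']}: {status} (session cookie: {f['session_only']})")
```

The header lines to feed in can be copied from the browser's developer tools or from `curl -sI` against the login page.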