Session ID problem and fix


Re: Session ID problem and fix

Post by timdebuurman »

Hey,

Got an installation on 2.2.9 and logged out and in with another account to test my client's account, and a similar problem occurred.

In TinyMCE editor when opening the Filemanager the text 'Access denied' appeared.

Another test in an incognito browser and it works again.

Seems that the problem is not fixed yet.

gr Tim
Re: Session ID problem and fix

Post by Rolf »

Please also test using 2.2.9.1. Thx.
Re: Session ID problem and fix

Post by Charles Butcher »

I seem to have a problem with session cookies that looks as though it may be related to the original report.

It occurs when adding a {CMSMS_selflink} tag in TinyMCE, using the toolbar button. Trying to save or cancel crashes out to the login screen.

Clearing the session cookie ("CMSSESSIDxxxxx") fixes the problem for the next login. If I log out and then back in (either the same or a different user) without clearing the cookie, the problem recurs.

According to cPanel, ModSecurity is turned off.

I haven't tested for this bug, which is referenced above and was supposed to be fixed in 2.2.9.

I'm using CMSMS 2.2.10. Latest versions of Safari and Firefox on a Mac, in case it's somehow related to the browser.

Re: Session ID problem and fix

Post by deactivated010521 »

Although running over https://, CMSMS does not set the 'secure' flag on the CMSSESSIDxxxxxx cookie (@session stuff in ./misc.functions.php).

It helped me to modify php.ini.
Or if your host allows it you can add the following lines to config.php, hope it helps.

@ini_set('session.cookie_httponly', 1);
@ini_set('session.cookie_secure', 1);
Re: Session ID problem and fix

Post by Charles Butcher »

Thank you arnoud. I tried adding this to config.php but no success so far.

Can I look at the CMSSESS… cookie to tell whether it's working? At the moment its value stays the same, even when I close the window and reopen it. I'm guessing that since it is a session cookie I should be able to watch it changing? This would be simpler than crashing out of TinyMCE.

I have been able to modify config.php to set error reporting, memory limit and so on, so I hoped your fix would work – but apparently not.

What are the corresponding commands for php.ini?

I'm assuming it makes no difference that I have a rewrite rule for http >> https.
Re: Session ID problem and fix

Post by Charles Butcher »

Just to confirm, I now have those settings in place (and confirmed via 'ini_get') but the problem of crashing out of TinyMCE persists. The CMSSESSIDxxxx cookie remains the same; deleting it fixes the problem till next time.

The other session key (the much longer one) is cleared properly when I sign out. I assume the same should happen for CMSSESSIDxxxx, but it doesn't.
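
One way to tell whether the 'secure' and 'httponly' settings discussed above took effect is to inspect the Set-Cookie response header, since the flags are attributes of the cookie and do not show up in its value. The following is an added example, not part of any post in this thread or of CMSMS itself; the header lines and the `abc123` cookie suffix are constructed samples.

```python
# Added example: audit Set-Cookie headers for the flags discussed in the thread.
# All header lines below are constructed samples, not captured from a real site.

SAMPLE_BEFORE = [
    "Set-Cookie: CMSSESSIDabc123=9f2c7e; path=/",
]
SAMPLE_AFTER = [
    "Set-Cookie: CMSSESSIDabc123=9f2c7e; path=/; secure; HttpOnly",
    "Set-Cookie: theme=dark; Path=/",
]

def parse_set_cookie(line):
    """Split one Set-Cookie header into (name, value, attrs).

    Attribute names are lower-cased because they are case-insensitive.
    """
    _, _, body = line.partition(":")
    parts = [p.strip() for p in body.split(";") if p.strip()]
    if not parts:
        return "", "", {}
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_session_cookies(header_lines, prefix="CMSSESSID"):
    """Return {cookie_name: [missing flags]} for cookies whose name starts with prefix."""
    findings = {}
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue  # ignore unrelated response headers
        name, _, attrs = parse_set_cookie(line)
        if not name.startswith(prefix):
            continue  # only the CMSMS session cookie is of interest here
        findings[name] = [f for f in ("secure", "httponly") if f not in attrs]
    return findings

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for name, missing in audit_session_cookies(sample).items():
            status = "OK" if not missing else "missing: " + ", ".join(missing)
            print(f"{label}: {name} -> {status}")
```

A browser keeps the attributes a cookie was issued with, so check a response that sets the cookie afresh, for example after deleting the stored cookie.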