CMS Made Simple Forums
https://forum.cmsmadesimple.org/

Session ID problem and fix
https://forum.cmsmadesimple.org/viewtopic.php?f=8&t=79398
Page 2 of 2

Author:  timdebuurman [ Mon Feb 11, 2019 7:06 pm ]
Post subject:  Re: Session ID problem and fix

Hey,

Got an installation in 2.2.9 and logged out and in with another account for testing my client's account, and a similar problem occurred.

In TinyMCE editor when opening the Filemanager the text 'Access denied' appeared.

Another test in an incognito browser and it works again.

Seems that the problem is not fixed yet.

gr Tim

Author:  Rolf [ Tue Feb 12, 2019 9:29 am ]
Post subject:  Re: Session ID problem and fix

Please also test using 2.2.9.1. Thx.

Author:  Charles Butcher [ Mon Mar 25, 2019 5:10 pm ]
Post subject:  Re: Session ID problem and fix

I seem to have a problem with session cookies that looks as though it may be related to the original report.

It occurs when adding a {CMSMS_selflink} tag in TinyMCE, using the toolbar button. Trying to save or cancel crashes out to the login screen.

Clearing the session cookie ("CMSSESSIDxxxxx") fixes the problem for the next login. If I log out and then back in (either the same or a different user) without clearing the cookie, the problem recurs.

According to cPanel, ModSecurity is turned off.

I haven't tested for this bug, which is referenced above and was supposed to be fixed in 2.2.9.

I'm using CMSMS 2.2.10. Latest versions of Safari and Firefox on a Mac, in case it's somehow related to the browser.

Author:  arnoud [ Mon Mar 25, 2019 8:21 pm ]
Post subject:  Re: Session ID problem and fix

Although running on https://, CMSMS does not set the 'secure' flag on the CMSSESSIDxxxxxx cookie (@session stuff in ./misc.functions.php).

It helped me to modify php.ini.
Or if your host allows it you can add the following lines to config.php, hope it helps.

Code:
@ini_set('session.cookie_httponly', 1);
@ini_set('session.cookie_secure', 1);

Author:  Charles Butcher [ Mon Mar 25, 2019 9:15 pm ]
Post subject:  Re: Session ID problem and fix

Thank you arnoud. I tried adding this to config.php but no success so far.

Can I look at the CMSSESS… cookie to tell whether it's working? At the moment its value stays the same, even when I close the window and reopen it. I'm guessing that since it is a session cookie I should be able to watch it changing? This would be simpler than crashing out of TinyMCE.

I have been able to modify config.php to set error reporting, memory limit and so on, so I hoped your fix would work – but apparently not.

What are the corresponding commands for php.ini?

I'm assuming it makes no difference that I have a rewrite rule for http >> https.

Author:  Charles Butcher [ Tue Mar 26, 2019 9:31 am ]
Post subject:  Re: Session ID problem and fix

Just to confirm, I now have those settings in place (and confirmed via 'ini_get') but the problem of crashing out of TinyMCE persists. The CMSSESSIDxxxx cookie remains the same; deleting it fixes the problem till next time.

The other session key (the much longer one) is cleared properly when I sign out. I assume the same should happen for CMSSESSIDxxxx, but it doesn't.
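
Added example (not part of the thread and not CMSMS code): one way to tell whether the two settings are taking effect is to look at the attributes on the Set-Cookie header the server sends, rather than at the cookie's value. The Python below audits response headers for any cookie whose name starts with CMSSESSID; the header text and the cookie name suffix are constructed sample input.

```python
# Added example: audit Set-Cookie response headers for the session cookie
# flags discussed in this thread. All header text below is constructed.
SESSION_PREFIX = "CMSSESSID"  # cookie name prefix quoted in the posts

# Constructed response before the ini_set() lines are in effect.
BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: CMSSESSIDexample0001=constructedvalue; path=/
"""

# Constructed response after session.cookie_secure / cookie_httponly = 1.
AFTER = """HTTP/1.1 200 OK
Set-Cookie: CMSSESSIDexample0001=constructedvalue; path=/; secure; HttpOnly
Set-Cookie: other=1; path=/
"""

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes dict)."""
    first, *rest = [part.strip() for part in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            # Attribute names are case-insensitive; bare flags map to "".
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_session_cookies(raw_headers, https=True):
    """Return {cookie_name: [findings]} for every CMSSESSID* cookie set."""
    report = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line or some other header
        name, _, attrs = parse_set_cookie(value)
        if not name.startswith(SESSION_PREFIX):
            continue  # not the CMSMS session cookie
        findings = []
        if https and "secure" not in attrs:
            findings.append("missing Secure")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly")
        report[name] = findings
    return report

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_session_cookies(headers))
```

PHP normally sends the session cookie only when it starts a new session, so capture the headers (browser network tab or `curl -sI`) from a request that carries no existing CMSSESSID cookie.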

All times are UTC