Login/Logout does not work properly

tchize

Post by tchize »

Here is my problem (already notified this during canary version, but it seems it's not fixed yet in 1.0.2)

Log-in:
When I go to cms/admin/index.html, I am requested to log in (redirected to admin/login.php).
I type the correct username and password and am back at the same login page, without any error message displayed.
Then I don't type my password again; instead I try again to load admin/index.php.
After a few minutes I stop being redirected to the login page and I get the admin panel.

This looks like there is a delay between the moment my credentials are accepted and the moment it is really taken into consideration by the system.

Log-out: (more critical problem)
If I click the 'logout' button, I correctly get redirected to the login page.
However, if I hit the 'back' button of the browser, I am still able to enter the admin panel. That means if I am on a public terminal, I have to take care to remove cookies. The logout simply doesn't work.
If, after logout, I wait 5 minutes and try to access admin/index.html, I am still given access rights, so my logout is definitely not taken into account.

This CMS is running on the SourceForge web pages. I think that SourceForge web servers are clustered. I don't know if it is related. It looks like something is wrong with session handling in the CMS, but I don't know what (I am not a PHP coder).

Help on this appreciated
3dc

Re: Login/Logout does not work properly

Post by 3dc »

Hello,
I'm using FF at win and don't get the "logout problem".
If I go back one or more page(s) after logout, the login screen appears, as it should.

Sorry, have no further idea on this... just the info that it works on my side.

Greetz - ~3DC~
ID2020
Forum Members
Posts: 39
Joined: Wed Feb 08, 2006 12:47 am

Re: Login/Logout does not work properly

Post by ID2020 »

After you close down the browser window it should be ok.

I think the password is stored in the memory during the session. If the session is broken by closing down the browser the memory is cleared and the session ended.

Using your login on a public or shared computer is always a risk. There can be a keylogger present.

hope it helps.

Greetz,
ID2020
tchize

Re: Login/Logout does not work properly

Post by tchize »

I know it supposedly works for most people; if that were not the case, it wouldn't have stayed since CMSMS "canary". This session handling problem is probably specific to clustered environments or some specific Apache configuration. However, I have no idea where to look first. The login problem, while not a security problem, is a very annoying one. I always have to wait a few minutes for my credentials to get accepted. (Well, it depends: sometimes it works after 10 seconds, sometimes I have to retry for 5 minutes.)
ID2020

Re: Login/Logout does not work properly

Post by ID2020 »

Is there a proxy server present?

Maybe it is caching ahead?
tchize

Re: Login/Logout does not work properly

Post by tchize »

Ok, found out by testing a bit.

The webserver is clustered, meaning that from one request to another you can end up on different nodes. By default, PHP stores session data inside /tmp. However, each node has its own /tmp, so when your request ends up on another node, you have another session.

My quick hack solution was to add this in the beginning of cms/includes.php:

#Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
#$Id: include.php 3393 2006-08-25 15:37:35Z wishy $

# Quick hack: store session files here instead of in PHP's default, per-node /tmp
session_save_path('/tmp/persistent/session');

define('ADODB_OUTP', 'debug_sql');

$dirname = dirname(__FILE__);

Have notified the developer team to request adding this parameter to the configuration.
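
The behaviour described in this post, replayed as a small model (an added example, not part of the original posts and not CMSMS code). It assumes three nodes behind a round-robin load balancer, which the thread does not specify, and uses a constructed session id.

```python
from itertools import cycle


class Cluster:
    """Constructed model: N PHP nodes behind a round-robin balancer (assumption)."""

    def __init__(self, nodes, shared_store=False):
        # Each node keeps session files in its own /tmp unless the save
        # path points at storage that every node can reach (shared_store).
        shared = {}
        self.stores = [shared if shared_store else {} for _ in range(nodes)]
        self._next = cycle(range(nodes))

    def _store(self):
        # Session store of the node that happens to serve this request.
        return self.stores[next(self._next)]

    def login(self, sid):
        self._store()[sid] = {"user": "admin"}

    def logout(self, sid):
        # Only the serving node's session file is removed.
        self._store().pop(sid, None)

    def admin_page(self, sid):
        # True: admin panel is shown. False: redirect to the login form.
        return sid in self._store()


def replay(shared_store, nodes=3):
    """Log in, load the admin page once per node, log out, load it again."""
    cluster = Cluster(nodes, shared_store)
    sid = "constructed-session-id"
    cluster.login(sid)
    after_login = [cluster.admin_page(sid) for _ in range(nodes)]
    cluster.logout(sid)
    after_logout = [cluster.admin_page(sid) for _ in range(nodes)]
    return after_login, after_logout


if __name__ == "__main__":
    print("per-node /tmp:", replay(shared_store=False))
    print("shared path:  ", replay(shared_store=True))
```

With per-node storage the login only "takes" when a request lands on the node that handled it, and the logout leaves the authenticated session alive on that node; with a shared store both behave as expected.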
mindugo
New Member
Posts: 4
Joined: Mon Jul 21, 2008 10:03 am

Re: Login/Logout does not work properly

Post by mindugo »

The problem still exists in version 1.3.1. Session handling doesn't work properly (as described by tchize) on a clustered server. I've tried the workaround proposed by tchize, but I'm still able to use the admin panel by pressing the 'back' button of the browser (either Firefox 3 or Explorer 7) after logout.
Your help on how to solve this serious problem would be highly appreciated.
Dr.CSS
Moderator
Posts: 12711
Joined: Thu Mar 09, 2006 5:32 am

Re: Login/Logout does not work properly

Post by Dr.CSS »

You should have started a new thread/post, linked to this one, and given all info about what you are running: CMSMS ver., OS of server, etc.
mindugo

Re: Login/Logout does not work properly

Post by mindugo »

Sorry for posting to an old thread, but I've found it exactly matches my problem. As I have posted already, I am running CMSMS 1.3.1 'Havana' on a free hosting service. They are running PHP version 5.2.6 on a clustered server with the session save path set to '/tmp'. With this configuration CMSMS session handling doesn't work properly: usually I cannot log out or even log in as another user, sometimes I get broken sessions, etc.
I think I've solved this problem temporarily by setting session_save_path in include.php to my user directory, but it's under the public htdocs directory...
Pierre M.

Re: Login/Logout does not work properly

Post by Pierre M. »

Hello,

I remember having posted in at least one other thread about a "cluster" configuration problem. Search with Google.

"Free hosting" + "session handling doesn't work properly" => don't expect requirements to be met.
http://wiki.cmsmadesimple.org/index.php ... quirements
Thanks for your temporary workaround.

Pierre M.
mindugo

Re: Login/Logout does not work properly

Post by mindugo »

Thanks for the response, Pierre M. I'm afraid that particular free hosting service meets all the requirements for CMSMS, both those listed in the documentation and those checked by CMSMS itself during installation (every single point is OK there, including "Checking if session.save_path is writable").
Unfortunately, I didn't manage to find any other posts related to clustered servers and CMSMS.
Pierre M.

Re: Login/Logout does not work properly

Post by Pierre M. »
