[TYPO3-dev] Solving existing session problems - sole technical approach - Even worse version of the problem: Involuntary hijacking

Christopher Lörken christopher at loerken.net
Thu Feb 5 12:35:45 CET 2009


Hello everyone.

We've been experiencing some session problems on our site for a few days 
now that are far worse than simply having to log in twice:

Our users frequently get the wrong session and are logged in as someone 
else!
(I am only speaking about FE logins here. Since we are currently using 
only one BE login I can neither confirm nor negate problems there.)

I am sure you understand the severity of this problem and I would really 
be glad for _any_ help I can get in this matter!


Extended description:
- users return to our site and are logged in correctly because of a stored 
cookie
- when they click somewhere, they are logged in as someone else (this has 
been reported for simply browsing the site as well as for changing 
languages).
- everything works normally when they log out and in again
- The problem was first reported on January 30th.
- The problem has, up to now, only been reported on the German part of 
the site. Probably users who go to the .com domain and change the 
language to German.
- I did not manage to reproduce the problem.

Used versions:
I've upgraded from Typo3 4.2.3 -> 4.2.4 on January 21st. The first bug 
report came on Jan. 30th (still running 4.2.4). I've upgraded to 4.2.5 
on February 4th as I read about the session problems. I've cleared the 
fe_sessions table, but the problem remains.


To answer your questions, Marcus:

>  - browser type and version
Confirmed reports for Firefox 3.0.5 and IE 6.

>  - host setup as multidomain (with web server config (alias) or TYPO3
> multidomain)
Multiple domains: supremacy1914.com .de .at
Same Typo3 tree with different languages per L parameter.

>  - any redirects (with web server config or TYPO3)
German-speaking domains automatically get L=1 appended per htaccess redirect:
# append default start site to empty domain
RewriteCond %{REQUEST_URI} ^/$ [NC]
RewriteCond %{HTTP_HOST} ^[a-z\.]*supremacy1914\.(at|ch|de)+(.*) [NC]
RewriteRule .* http://www.supremacy1914.%1/index.php?id=25 [L,R=301]

# append L=1 if on German TLD, an index.php file is requested and it is
# not eID mode.
RewriteCond %{HTTP_HOST} ^[a-z\.]*supremacy1914\.(at|ch|de)+(.*) [NC]
RewriteCond %{REQUEST_URI} ^/index\.php(.*)$ [NC]
# L must be absent both as the first and as a later parameter, otherwise
# a request that already carries ?L=... is redirected a second time.
RewriteCond %{QUERY_STRING} !(^|&)L= [NC]
RewriteCond %{QUERY_STRING} !(^|&)eID=
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI}?%{QUERY_STRING}&L=1 [L,R=301]

>  - cookie details as shown in the browser
Sadly, I cannot reproduce the problem.

>  - sniffed network traffic (domain D sets cookie C, cookie details are
> shown in browser as XXX, browser sends slightly modified cookie C back
> to domain)
Don't know how to do that.

>  - different behaviour in browser X and browser Y
Since it has been reported in FF3 and IE6 I think it is a cross-browser 
problem. We do, however, get reports that IE7 has problems with 
keeping the session and that users are frequently logged out without 
reason. Again, I couldn't reproduce that on my system.

>  - is a proxy involved
no

>  - TYPO3 configuration ($TYPO3_CONF_VARS['SYS']['cookieDomain'] etc..)
cookieDomain is not set.
$TYPO3_CONF_VARS['FE']['lifetime'] = '86400';
$TYPO3_CONF_VARS['FE']['permalogin'] = '2';

Used extensions are tx_felogin (1.0.0), sr_languagemenu (1.4.0), mm_forum 
user registration module (0.1.7)

For the sake of completeness (may or may not be important):
I've rewritten part of the user registration to log users in 
automatically when they register. I am using this method to do that:

/**
 * Logs in a user in the Typo3 FE.
 *
 * Login code discussion:
 * http://www.typo3.net/forum/list/list_post//71147/?page=1#pid299542
 * Final code adopted from here:
 * http://www.sk-typo3.de/FE-Userlogin-per-Code.191.0.html
 *
 * @param string $uname - unescaped name of the user.
 * @return boolean TRUE if a session was created, FALSE if no such user exists.
 */
public static function loginUserByName($uname) {
  if (!$GLOBALS['TSFE']->fe_user) {
    $GLOBALS['TSFE']->fe_user = tslib_eidtools::initFeUser();
  }
  $GLOBALS['TSFE']->fe_user->checkPid = 0; // do not restrict the lookup to a particular pid
  $info = $GLOBALS['TSFE']->fe_user->getAuthInfoArray();
  // fetchUserRecord() returns FALSE when no fe_users row matches $uname;
  // never create a session for a user record that does not exist.
  $user = $GLOBALS['TSFE']->fe_user->fetchUserRecord($info['db_user'], $uname);
  if (!is_array($user)) {
    return FALSE;
  }
  $GLOBALS['TSFE']->fe_user->createUserSession($user);
  $GLOBALS['TSFE']->fe_user->user = $user;
  return TRUE;
}


--> I am keeping custom log files (code removed from the snippet above), 
and the creation of new users and their auto-login do not show any obvious 
relation to the session problem.

This code has been live for over a month before the problems were first 
reported.


>  - is the problem reproducible
Not for me, but some users report that it happens to them really a lot.

>  - does deleting cookies help
I didn't confirm that with my users, but since logging out and logging 
in fixes the problem for the current session I guess deleting cookies 
also helps.


I'll be glad to provide any more information that you might need and 
that I can deliver. This is _the_ top priority problem for me.


Thank you and best wishes,
Christopher

-------

Find attached my install tool debug info:

### DEBUG SYSTEM INFORMATION - START ###
HTTP_HOST           : www.supremacy1914.com
TYPO3_HOST_ONLY     : www.supremacy1914.com
TYPO3_PORT          :
PATH_INFO           :
QUERY_STRING        : TYPO3_INSTALL[type]=phpinfo
REQUEST_URI         : /typo3/install/index.php?TYPO3_INSTALL[type]=phpinfo
HTTP_REFERER        : http://www.supremacy1914.com/typo3/install/index.php?TYPO3_INSTALL[type]=about
TYPO3_REQUEST_HOST  : http://www.supremacy1914.com
TYPO3_REQUEST_URL   : http://www.supremacy1914.com/typo3/install/index.php?TYPO3_INSTALL[type]=phpinfo
TYPO3_REQUEST_SCRIPT: http://www.supremacy1914.com/typo3/install/index.php
TYPO3_REQUEST_DIR   : http://www.supremacy1914.com/typo3/install/
TYPO3_SITE_URL      : http://www.supremacy1914.com/
TYPO3_SITE_SCRIPT   : typo3/install/index.php?TYPO3_INSTALL[type]=phpinfo
TYPO3_SSL           :
TYPO3_REV_PROXY     :
SCRIPT_NAME         : /typo3/install/index.php
TYPO3_DOCUMENT_ROOT : /var/www
SCRIPT_FILENAME     : /var/www/typo3/install/index.php
REMOTE_ADDR         : 132.230.161.55
REMOTE_HOST         :
HTTP_USER_AGENT     : Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
HTTP_ACCEPT_LANGUAGE: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
CONST: PHP_OS       : Linux
CONST: TYPO3_OS     :
CONST: PATH_thisScri: /var/www/typo3/install/index.php
CONST: php_sapi_name: apache2handler
OTHER: TYPO3_VERSION: 4.2.5
OTHER: PHP_VERSION  : 5.2.4-2ubuntu5.4
imagecreatefromgif(): 1
imagecreatefrompng(): 1
imagecreatefromjpeg(: 1
imagegif()          : 1
imagepng()          : 1
imagejpeg()         : 1
imagettftext()      : 1
OTHER: IMAGE_TYPES  : 15
OTHER: memory_limit : 300M
SERVER: SERVER_PORT : 80
SERVER: SERVER_SOFTW: Apache
SERVER: GATEWAY_INTE: CGI/1.1
SERVER: SCRIPT_NAME : /typo3/install/index.php
SERVER: PATH_TRANSLA:
T3CV_GFX: image_proc: 1
T3CV_GFX: gdlib     : 1
T3CV_GFX: gdlib_png : 1
T3CV_GFX: gdlib_2   : 11
T3CV_GFX: im        : 1
T3CV_GFX: im_path   : /usr/X11R6/bin/
T3CV_GFX: im_path_lz: /usr/bin/
T3CV_GFX: im_version: im5
T3CV_GFX: im_negate_: 1
T3CV_GFX: im_imvMask: 0
T3CV_GFX: im_combine: composite
### DEBUG SYSTEM INFORMATION - END ###
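The custom log files mentioned above are the natural place to look for the reported symptom: one fe_typo_user session id appearing with two different fe_users uids without a logout in between. The detector below is an added example and not code from the original post or from TYPO3; the log format it parses is a constructed assumption described in its docstring, not TYPO3's own log layout.

```python
"""Flag TYPO3 front-end session ids that change owner while still active.

Added example, not code from the original post. Assumes a custom FE login
log (constructed below) with one line per request in the form
"<timestamp> ses=<fe_typo_user id> uid=<fe_users uid> ip=<addr> <event>"
where <event> is one of login, request, logout.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ses=(?P<ses>\w+) uid=(?P<uid>\d+) ip=(?P<ip>[\d.]+) (?P<event>\w+)$"
)

# Constructed sample: session a1b2c3 is created for uid 17 and then served
# to a different visitor as uid 42, the symptom described in the post.
SAMPLE_LOG = """\
2009-01-30T10:00:01 ses=a1b2c3 uid=17 ip=10.0.0.5 login
2009-01-30T10:00:09 ses=a1b2c3 uid=17 ip=10.0.0.5 request
2009-01-30T10:01:12 ses=a1b2c3 uid=42 ip=10.0.0.9 request
2009-01-30T10:02:00 ses=d4e5f6 uid=42 ip=10.0.0.9 login
2009-01-30T10:05:00 ses=d4e5f6 uid=42 ip=10.0.0.9 logout
2009-01-30T10:06:00 ses=d4e5f6 uid=99 ip=10.0.0.12 login
this line is malformed and is skipped by parse()
"""

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are ignored."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_session_collisions(log_text):
    """Return {session id: [(ts, previous uid, new uid, ip), ...]} for each
    session whose uid changes without an intervening logout. A logout
    closes the session, so a fresh login under the same id is not flagged."""
    owner = {}                      # session id -> uid currently attached
    collisions = defaultdict(list)
    for rec in parse(log_text):
        ses, uid = rec["ses"], int(rec["uid"])
        if rec["event"] == "logout":
            owner.pop(ses, None)
            continue
        prev = owner.get(ses)
        if prev is not None and prev != uid:
            collisions[ses].append((rec["ts"], prev, uid, rec["ip"]))
        owner[ses] = uid
    return dict(collisions)
```

Run it over the real log export and every reported session id is a candidate to correlate with the fe_sessions table and the redirect chain between the .com and .de hosts.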