mahara-contributors team mailing list archive
Message #36042
[Bug 1592236] Re: Sessions: constantly asked to log in to access the Users Admin screen
Okay, I think part of the problem here is that the function we use for
determining the path component of $CFG->wwwroot (and hence the path
component of the cookie's path) is buggy if your $CFG->wwwroot has no
path component or trailing slash (e.g. "http://mahara.example.com"
instead of "http://mahara.example.com/" or "http://example.com/mahara/").
In such a case, the function get_mahara_install_subdirectory() will
return the whole domain name (e.g. "mahara.example.com"). This then
gets set as the cookie's path. Since it doesn't usually match the actual
path component of the URL requested by the browser, the browser ignores
it and instead applies the cookie to the "default path" for the
requested URL.
So, with that in mind, I haven't been able to replicate this naturally,
but I have been able to replicate it with a slight hack to force a bad
path session header to be generated during the vulnerable period.
1. Set up your Mahara site so that in your config.php you have a
$cfg->wwwroot with no path component or trailing slash (e.g.:
$cfg->wwwroot = 'http://mahara';)
2. In htdocs/init.php, on line 201 (right after the call to "$SESSION =
Session::singleton()"), add a line that reads:
$SESSION->set('foo', 'bar');
3. Log out of Mahara.
4. Go to http://mahara/admin/index.php
5. Because you're logged out, you'll see the transient login page. Log
in here.
6. Now you're logged in, click around and everything should work.
7. Log out. You should now see the standard "logged out" homepage.
8. Log back in from the "Logged out" homepage.
9. Click on the Administration link.
Expected result: You should see the admin home page.
Actual result: You see the login screen again, as if you weren't logged
out. If you examine your browser's cookie store now, you will see a
mahara session cookie for the path "/" and another for the path
"/admin/".
https://bugs.launchpad.net/bugs/1592236
Title:
Sessions: constantly asked to log in to access the Users Admin screen
Status in Mahara:
Triaged
Bug description:
Mahara: 16.04.1
DB: Postgres
OS: Linux
Browser: Firefox
I think there may be something funny with sessions happening. When the session times out (it's currently set to 2 hours) and I'm on the /admin/users/search.php, I think it doesn't correctly update the session once I log in again.
This is what I think the steps are to reproduce it:
1. leave screen on /admin/users/search.php
2. have the session time out
3. try to do something on the screen (i.e. search for a user)
4. It will redirect to the login screen.
5. Login correctly
6. user search screen is displayed.
7. click on the Configure Site menu link
8. Click back on the Users menu link
9. It will ask you to log back in again.
It seems to only happen on the Users (and Group - I think) menu links.
Thanks.
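The cookie-path mechanics described in the comment above (Message #36042), modelled as an added Python example. This is not Mahara's code: get_mahara_install_subdirectory() is not reproduced, only the behaviour the comment attributes to it, and buggy_subdirectory(), fixed_subdirectory() and the session values "sessA"/"sessB" are constructed for the illustration. The jar applies RFC 6265's rules: a Path attribute that does not start with "/" is ignored and the default-path (the request path up to, but excluding, its last "/") is used instead, so the model yields "/admin" where the comment reports "/admin/"; when a request matches several cookies, those with longer paths are sent first, and PHP's $_COOKIE keeps the first value it sees for a name, which is why pages under /admin/ keep seeing the stale session after the second login.

```python
"""Model of the Mahara cookie-path bug (added example, not Mahara code)."""
from urllib.parse import urlsplit


def buggy_subdirectory(wwwroot):
    """Hypothetical reimplementation of the failure mode described in the comment:
    strip the scheme and return everything from the first '/' onward. With no
    path component the whole host comes back, e.g.
    'http://mahara.example.com' -> 'mahara.example.com'."""
    rest = wwwroot.split("://", 1)[1]
    slash = rest.find("/")
    return rest if slash == -1 else rest[slash:]


def fixed_subdirectory(wwwroot):
    """Always return an absolute, '/'-terminated path so the Path attribute is valid."""
    path = urlsplit(wwwroot).path or "/"
    return path if path.endswith("/") else path + "/"


def default_path(request_path):
    """RFC 6265 section 5.1.4 default-path: request path up to (excluding) the last '/'."""
    if not request_path.startswith("/"):
        return "/"
    last = request_path.rfind("/")
    return "/" if last == 0 else request_path[:last]


def effective_path(path_attr, request_path):
    """RFC 6265 section 5.2.4: a Path attribute is ignored unless it starts with '/'."""
    if not path_attr or not path_attr.startswith("/"):
        return default_path(request_path)
    return path_attr


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match."""
    if cookie_path == request_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    """Minimal browser cookie store keyed by (name, path), as a browser does."""

    def __init__(self):
        self.cookies = {}

    def set(self, name, value, path_attr, request_path):
        self.cookies[(name, effective_path(path_attr, request_path))] = value

    def paths(self, name):
        return sorted(p for (n, p) in self.cookies if n == name)

    def header(self, request_path):
        """Cookies sent for a request, ordered per RFC 6265 section 5.4:
        longer paths first. A server that keeps the first value for a name
        (PHP's $_COOKIE does) therefore sees the longest-path cookie."""
        matched = [(p, n, v) for (n, p), v in self.cookies.items()
                   if path_matches(p, request_path)]
        matched.sort(key=lambda t: -len(t[0]))
        return [(n, v) for _, n, v in matched]


def simulate(wwwroot, derive):
    """Replay the reproduction steps: transient login on /admin/index.php sets
    session 'sessA', a later logout/login on / sets session 'sessB' (constructed
    values). Returns the resulting jar."""
    jar = CookieJar()
    path_attr = derive(wwwroot)
    jar.set("mahara", "sessA", path_attr, "/admin/index.php")
    jar.set("mahara", "sessB", path_attr, "/")
    return jar


if __name__ == "__main__":
    for derive in (buggy_subdirectory, fixed_subdirectory):
        jar = simulate("http://mahara", derive)
        print(derive.__name__, "Path attribute:", repr(derive("http://mahara")),
              "stored paths:", jar.paths("mahara"),
              "sent to /admin/index.php:", jar.header("/admin/index.php"))
```

With the buggy derivation the jar holds one session cookie for "/" and one for "/admin", and a request to /admin/index.php sends the stale "/admin" cookie first; with a valid, slash-terminated Path every login overwrites the single "/" cookie.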