mahara-contributors team mailing list archive

[Juli <1966213@xxxxxxxxxxxxxxxxxx>]

Hi Kristina! I've been studying this problem a bit. Turns out it happens
in all our production sites (I've tested in 4 of them), but not on my
local development site.

A key detail: If the user moves the widgets slowly, then the error does
not happen. It is necessary to spam the movement.

This is the history of the error, as told from the end to the beginning:

  1. In `mahara/auth/lib.php:auth_setup()` the line `json_reply('global', get_string('nosessionreload'), 1);` is executed. This line is the one that sends the message "Reload the page to log in".
  2. The step 1 is only executed if `$sessionlogouttime == 0`. This variable is defined as `$sessionlogouttime = $USER->get('logout_time');`.
  3. The fact that `$sessionlogouttime == 0` means that the user has been logged out (as confirmed by `\User::is_logged_in()` in `mahara/auth/user.php`.
  4. The value of `$USER->get('logout_time')` becomes zero when calling the constructor of `\Session` in `mahara/auth/session.php`, specifically when calling `@session_start()`.
  5. In my local development PC, my server is configured to process requests one by one, while the production servers are configured to process multiple requests. This means that `@session_start()` is being called multiple concurrent times when the user spams the movement of those widgets.
  6. It is my belief that PHP has a self-defense mechanism that logs out users that spam calls to `@session_start()`. The fact that this call if prefixed with a '@' obscures and silences the errors that may happen (it doesn't help to remove the '@' in my local dev environment... because the error doesn't happen on my dev environment).

If this idea is correct, a possible fix would be to do:

```
  if (session_status() != PHP_SESSION_ACTIVE) {
     @session_start();
  }
```

This way, the call to `@session_start();` will only happen if there is
no active session (thus avoiding the spam calls). We will try this fix
and report if it works or not.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1966213

Title:
  Mahara page edit box resize kills session, when logging in via SSO

Status in Mahara:
  Incomplete

Bug description:
  Mahara version: 21.10.1_RELEASE
  OS: Ubuntu 18.04
  Database: MySQL 5.7.32
  Chrome: 97

  Good day, there is a bug affecting a few Mahara sites. When editing
  the dashboard parts, an error may appear that logs out the user.

  Steps to replicate:
  1. Log in via SSO (for example from Moodle into Mahara).
  2. Click on the edit button to edit your Dashboard.
  3. Resize or move any of the widgets for about 1 minute until the error "Reload the page to log in" appears.

  Here is a video for better understanding:
  https://www.play.mdx.ac.uk/media/Mahara%20Error/1_hopedu64

  ... there is a chance this is not a bug, maybe the SSO on these sites
  is configured so that it times out quickly? Where is this configured
  so I can check?

  Expected outcome:
  No error should appear when editing the parts of the Dashboard.

  Observed outcome:
  The page gets spammed with the error, and the user is logged out.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1966213/+subscriptions