This one's still a problem. The working hypothesis is that something
loads up auth/session.php earlier than expected, when $CFG->wwwroot
isn't filled in yet, and this causes a session cookie header to be sent
out with the default value for the cookie's "path" component. The
default is everything between the first and last "/" in the URL. So, if
you're visiting an admin page, path "/admin/site/".

Thus a cookie with the name "mahara" and the path "/admin/site/" gets
stored by the browser.

Then the user logs in. This causes their session ID to regenerate to a
new one. This is handled by sending out a new cookie with the same
domain and path. But this *doesn't* override the "/admin/site/" cookie,
because it has a different path.

Now the user has two cookies named "browser" in their browser's cookie
store. One at "/" and one at "/admin/site/". If they visit the page
"/admin/site/index.php", their browser will send both cookies, with the
"/admin/site/" one first, because it's more specific.

The problem is, PHP doesn't handle multiple session cookies with the
same name well. It just reads the first one, and ignores the subsequent
ones. The first one is "/admin/site/", with the old session ID. The old
session ID is not recognized as valid, so the user is force-logged out.

The big question is, though, how exactly does a header with the wrong
path get sent out? In theory, our code to delete duplicate session
cookie headers from the response should delete the ones with the bad
path as well. And in theory, when we call the code in auth/session.php
that names the cookie "mahara", that same chunk of code should compute
the proper path for it based on the wwwroot, which seldom changes.

https://bugs.launchpad.net/bugs/1592236
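
As an added illustration of the mechanism described in the comment above (not code from this bug thread or from Mahara), the following Python model shows how a browser orders two same-named cookies with different paths for a request, and how a PHP-style "first value wins" parse then picks the stale session ID. The cookie values and the live-session store are constructed, and `diagnose_session_cookie` is a hypothetical server-side check that reports when a valid session ID is being shadowed by a duplicate.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    path: str

def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path matching."""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookie_header(jar: list, request_path: str) -> str:
    """The Cookie header a browser sends for request_path: only path-matching
    cookies, more specific (longer) paths first (RFC 6265 section 5.4)."""
    matching = [c for c in jar if path_matches(c.path, request_path)]
    matching.sort(key=lambda c: len(c.path), reverse=True)
    return "; ".join(f"{c.name}={c.value}" for c in matching)

def parse_pairs(header: str) -> list:
    return [p.partition("=")[::2] for p in header.split("; ") if p]

def php_cookie_array(header: str) -> dict:
    """Mimic PHP's $_COOKIE: on a repeated name, the first value wins."""
    result = {}
    for name, value in parse_pairs(header):
        result.setdefault(name, value)
    return result

def diagnose_session_cookie(header: str, name: str, is_valid) -> dict:
    """Hypothetical server-side check: every value sent under the session
    cookie name, which one PHP would use, and whether a valid ID is shadowed."""
    values = [v for n, v in parse_pairs(header) if n == name]
    used = values[0] if values else None
    return {
        "used": used,
        "duplicates": values[1:],
        "shadowed_valid": (used is not None and not is_valid(used)
                           and any(is_valid(v) for v in values[1:])),
    }

# Constructed scenario from the bug: stale cookie at /admin/site/, regenerated one at /
JAR = [Cookie("mahara", "OLD-stale-id", "/admin/site/"),
       Cookie("mahara", "NEW-valid-id", "/")]
LIVE_SESSIONS = {"NEW-valid-id"}  # constructed session store
```

For `/admin/site/index.php` the header comes out as `mahara=OLD-stale-id; mahara=NEW-valid-id` and the PHP-style parse returns the stale ID, whereas a request to a path outside `/admin/site/` only carries the valid one.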

Title:
  Sessions: constantly asked to log in to access the Users Admin screen

Status in Mahara:
  Triaged

Bug description:
  Mahara: 16.04.1
  DB: Postgres
  OS: Linux
  Browser: Firefox

  I think there may be something funny with sessions happening. When the
  session times out (it's currently set to 2 hours) and I'm on
  /admin/users/search.php, I think it doesn't correctly update the session
  once I log in again.

  This is what I think the steps are to reproduce it:
  1. Leave the screen on /admin/users/search.php
  2. Have the session time out
  3. Try to do something on the screen (i.e. search for a user)
  4. It will redirect to the login screen.
  5. Log in correctly
  6. The user search screen is displayed.
  7. Click on the Configure Site menu link
  8. Click back on the Users menu link
  9. It will ask you to log back in again.

  It seems to only happen on the Users (and Group - I think) menu links.

  Thanks.

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors