Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Form Questions /

Strange Login Troubles


Reply


6 Posts   2004 Views

Avatar
cabby

Community Member, 15 Posts

18 February 2009 at 10:32pm

Hi there!

We have a site running for our customer that runs well. But there exists one problem with the SS Login Form:
Sometimes Login fails in Internet Explorer (any Version). I can proof that login attempts fail just in this browser from time to time.
It drives me crazy, 'cause all users as well as the admin account have this problem.

One time it works without trouble.... then if you try it minutes later, you cannot login again. At first I thought that maybe there would be a proxy or router problem, but that seems to be not the case. Apache Logfiles don't bring important things to my eyes. So there seems to be a problem inside the SS cms. I hope to get help here, for I don't want to write another external login form.

Has anyone seen similar problems with random success with login forms in SS / IE (5-8) ?

Thanks in advance!
cabby

Avatar
cabby

Community Member, 15 Posts

19 February 2009 at 9:26pm

I think that now I tackled this problem down to its roots.
Silverstripe somehow creates more than one PHPSESSID that seems to confuse just IE Browsers.

So I think it may be PHP that's to blame.
I will later post on this topic when I can be sure that the above is fact.

greetings,
cabby

Avatar
cabby

Community Member, 15 Posts

19 February 2009 at 11:44pm

All the trouble comes in fact from multiple PHPSESSID.

Is there a way to ensure that only the newest PHPSESSID is used?
Can we destroy the old PHPSESSID? Or the cookie?

Why do we need session_regenerate_id inside the core? (security/Member.php) It seems to cause all the trouble.

greetings,
cabby

Avatar
cabby

Community Member, 15 Posts

20 February 2009 at 12:10am

Maybe I can answer my own question. (Pretty common here ;-) )

It seems pretty obvious that it should care about the "hijacking PHPSESSID - Problem".

Avatar
cabby

Community Member, 15 Posts

20 February 2009 at 12:30am

Ok, it seems that the problem with multiple PHPSESSIDs is now solved and Login from every IE Browser is now guaranteed.

I just commented out line 113 in sapphire/security/Member.php.

112   static function session_regenerate_id() {
113      //session_regenerate_id(true);
114   }

The root of all evil has been cut through, I hope. ;-)

greetings,
cabby

Avatar
Ingo

Forum Moderator, 801 Posts

24 February 2009 at 11:20pm

Commenting out session_regenerate_id() causes just as much evil as it solves: http://shiflett.org/articles/session-fixation