
Moderators: martimiz, Sean, Ed, biapar, Willr, Ingo, swaiba

Strange Login Troubles



6 Posts   2973 Views

cabby

Community Member, 15 Posts

18 February 2009 at 10:32pm

Hi there!

We have a site running for our customer that runs well. But there exists one problem with the SS Login Form:
Sometimes login fails in Internet Explorer (any version). I can prove that login attempts fail just in this browser from time to time.
It drives me crazy, 'cause all users as well as the admin account have this problem.

One time it works without trouble.... then if you try it minutes later, you cannot login again. At first I thought that maybe there would be a proxy or router problem, but that seems to be not the case. Apache Logfiles don't bring important things to my eyes. So there seems to be a problem inside the SS cms. I hope to get help here, for I don't want to write another external login form.

Has anyone seen similar problems with random success with login forms in SS / IE (5-8)?

Thanks in advance!
cabby

cabby

Community Member, 15 Posts

19 February 2009 at 9:26pm

I think that now I tackled this problem down to its roots.
Silverstripe somehow creates more than one PHPSESSID that seems to confuse just IE Browsers.

So I think it may be PHP that's to blame.
I will later post on this topic when I can be sure that the above is fact.

greetings,
cabby

cabby

Community Member, 15 Posts

19 February 2009 at 11:44pm

All the trouble comes in fact from multiple PHPSESSID.

Is there a way to ensure that only the newest PHPSESSID is used?
Can we destroy the old PHPSESSID? Or the cookie?

Why do we need session_regenerate_id inside the core? (security/Member.php) It seems to cause all the trouble.

greetings,
cabby

cabby

Community Member, 15 Posts

20 February 2009 at 12:10am

Maybe I can answer my own question. (Pretty common here ;-) )

It seems pretty obvious that it should care about the "hijacking PHPSESSID - Problem".

cabby

Community Member, 15 Posts

20 February 2009 at 12:30am

Ok, it seems that the problem with multiple PHPSESSIDs is now solved and Login from every IE Browser is now guaranteed.

I just commented out line 113 in sapphire/security/Member.php.

112 static function session_regenerate_id() {
113 //session_regenerate_id(true);
114 }

The root of all evil has been cut through, I hope. ;-)

greetings,
cabby

Ingo

Forum Moderator, 801 Posts

24 February 2009 at 11:20pm

Commenting out session_regenerate_id() causes just as much evil as it solves: http://shiflett.org/articles/session-fixation
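
The trade-off discussed in this thread, as an added example that is not part of any post and is not SilverStripe's own code: a login that keeps `session_regenerate_id(true)` as the session-fixation defence while pinning the cookie parameters so the new ID replaces the old cookie. Assumptions: PHP 7.3 or later, a site served from `/`, and the hypothetical names `login_member()`, `logout_member()` and `$verify`; the thread does not establish why IE held several PHPSESSID cookies, so the fixed path addresses only one possible cause.

```php
<?php
// Added example, not SilverStripe code. login_member(), logout_member() and
// the $verify callback are hypothetical names.

ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
ini_set('session.use_only_cookies', '1'); // never take the ID from the URL

// Cookies are keyed by name + domain + path. Pinning the path (assumption:
// the site lives at "/") lets a regenerated ID overwrite the old cookie.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'httponly' => true,
    'samesite' => 'Lax',
]);

function login_member(string $email, string $password, callable $verify): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!$verify($email, $password)) {
        return false;
    }
    // The ID in use before login may have been chosen by someone else
    // (session fixation). Issue a fresh ID and delete the old session
    // record (true) before storing anything that marks the user as logged in.
    session_regenerate_id(true);
    $_SESSION['member_id'] = $email;
    return true;
}

function logout_member(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie with the same path/domain it was set with.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
    ]);
    session_destroy();
}
```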