SMF Development > Fixed or Bogus Bugs

[4879] SMF 2.0 Final intermittant login and session failure (and workaround)

(1/8) > >>

rawlogic:
Symptoms

When attempting to log in, it intermittently fails the first time, with the error "Password incorrect" even though you're sure that you entered the correct password, but your login is always successful the second time.

When attempting to post, you intermittently get a message that your session has timed with the error "The following error or errors occurred while posting this message.  Your session timed out while posting.  Please try to re-submit your message." even though you're sure you shouldn't be timing out.

When attempting to log out, you get the error message "Session verification failed".

When attempting to log into the admin control panel, you get the error message "Password incorrect", even though you're sure you have the correct password.

Description

It's an SMF bug, but it's triggered from the following setting in your php.ini:


--- Code: ---session.hash_bits_per_character = 6
--- End code ---

Since PHP 5, the session_id may contain commas and minus signs if the session.hash_bits_per_character setting is set to 6.

When SMF 2.0 Final checks the validity of a session_id, using a regular expression, the check fails if the session_id contains commas and minuses.

When having session.hash_bits_per_character set in your php.ini to 4 or 5, commas and minus signs aren't used in the session_id. This setting was new in PHP 5. Prior to the setting, it defaulted to 4 bits per character. A setting of 4 and 5 passes, but 6 does not.

This has most likely become a problem as ISPs and users are hardening their PHP settings beyond the default settings.

You can verify your session.hash_bits_per_character setting by viewing the output of the phpinfo() function and searching for the name hash_bits_per_character.

Workaround

So the workaround is to configure session.hash_bits_per_character in php.ini to 4 or 5:


--- Code: ---session.hash_bits_per_character = 5
--- End code ---

SMF Code Fix

Everywhere you see the regular expression that checks for a valid session_id in Load.php:


--- Code: ---'~^[A-Za-z0-9]{16,32}$~'
--- End code ---

You need to change to this (notice the addition of the comma and minus):


--- Code: ---'~^[A-Za-z0-9,-]{16,32}$~'
--- End code ---

Note: there are multiple places where the regular expression occurs. Update all of them.

Without the fix, SMF will kill any "invalid" session, and the Javascript functions that utilize the session_id will fail, since the session_id will be different on the next post.

This problem was intermittent, as the session_id is pseudo random and won't always contain a comma or minus even with session.hash_bits_per_character set to 6.

This also corrects the intermittent "Session verification failed" errors.

Recovering from the invalid session

Once you've fixed the issue, any affected user needs to clear their browser's cookies. They will then be prompted to log in again, and it should be fine after that.

ElusiveEagle:
Wow! This is fantastic. Thank you!

This makes a lot of sense as I have noticed commas in the session variable but never put much thought to it (I thought they seemed strange to have but I figured I'd trust the SMF code). I haven't yet tried the fix as I had a quick question, but it makes perfect sense to me.

I checked the session.hash_bits_per_character setting on both my old and new servers and both are set to 6. Hence my issues. My question is as follows: Would it be better to just change the session.hash_bits_per_character value to 5 and leave the SMF regular expression the same or should I just change the regular expression to account for commas and dashes? I'm leaning towards the latter as that way I minimize changing the php.ini settings too much (yes, I could just change it for that domain, but anyway...).

Thanks again for your help! :)

rawlogic:

--- Quote from: ElusiveEagle on August 23, 2011, 08:38:46 PM ---Would it be better to just change the session.hash_bits_per_character value to 5 and leave the SMF regular expression the same or should I just change the regular expression to account for commas and dashes? I'm leaning towards the latter as that way I minimize changing the php.ini settings too much (yes, I could just change it for that domain, but anyway...).

--- End quote ---

I changed the code, then deleted my custom php.ini settings. I'll assume SMF will fix the bug in the next release, so it's one less thing I have to worry about.

Thanks for the show of gratitude. I put a lot of time into resolving the issue. :)

live627:
What exactly is your PHP version?

ElusiveEagle:

--- Quote from: rawlogic on August 23, 2011, 10:40:16 PM ---I changed the code, then deleted my custom php.ini settings. I'll assume SMF will fix the bug in the next release, so it's one less thing I have to worry about.

Thanks for the show of gratitude. I put a lot of time into resolving the issue. :)

--- End quote ---

Sounds good. I'll stick with my initial plan then. :) And thank you! I sure hope it works. I can't imagine this not being it.


--- Quote from: live627 on August 23, 2011, 10:59:50 PM ---What exactly is your PHP version?

--- End quote ---

Old server: 5.3.5
New server: 5.3.6

Navigation

[0] Message Index

[#] Next page

Go to full version