[4244]SMF 2.0 RC3 - Obfuscation of session variable name breaks integration
MultiformeIngegno:
--- Quote from: Orstio on April 04, 2010, 10:01:55 AM ---There is no point in the SSI functionality if it isn't going to work. It's bad enough that the SSI login/logout redirect bug has been around since the session fixation security fix (1.1.6?) and never fixed. Now there's an even bigger SSI.php file with even more functions, and half of them rendered useless by obfuscating a variable name.
--- End quote ---
You're right... SSI is the strong point of SMF!!
P.S.: Thanks Norv! ;)
MultiformeIngegno:
OK, I'm able to clearly reproduce this issue. Here's the procedure:
You have a freshly installed SMF 2.0 RC3 in a /test_forum folder. Now create a subdomain, testforum.yourdomain.com (that of course has test_forum as main dir). Now change the forum url to use the subdomain. OK. Create a new folder in your server (out of the forum one), called /test_ssi. Now put there your ssi file, called myssifile.php:
--- Code: ---<?php
// Layers to be utilized
$ssi_layers = array('html', 'body');
//This is the SSI.php file in the Board dir.
require('../test_forum/SSI.php');
?>
My test file!
<?php
ssi_shutdown();
?>
--- End code ---
Now create another subdomain so you have testssi.yourdomain.com (with of course /test_ssi as main directory). Now clear your cookies/cache/everything and go to -> testssi.yourdomain.com/myssifile.php. You should see your ssi-based file with (of course) the login box. Now try to login, you should get the "password wrong" error and all the behaviors that we've talked about (sessions number that changes at every refresh, etc...)!
ALL THIS HAPPENS WITH THE OPTIONS "Use subdomain independent cookies" ON and "Enable local storage of cookies" OFF!
If you're on the same subdomain or without subdomains, you don't have these issues (or at least I can't reproduce 'em!).
:)
MultiformeIngegno:
I'd like to bump this and also report another behavior I think related to this: in one of my ssi-based pages (on a different subdomain from the forum one) I use the ssi_recentTopics function, this is my code:
--- Code: ---global $context, $settings, $scripturl, $txt;
global $user_info, $modSettings, $smcFunc, $posts;
global $color_profile;

// Fetch the 10 most recent topics as an array instead of letting SSI echo them.
$array = ssi_recentTopics(10, null, null, 'array');

echo '<div id="recentpost">';
$odd = false;
foreach ($array as $post)
{
    // One block per topic, alternating the odd/even CSS class.
    echo '<div class="recentpost ', ($odd ? 'odd' : 'even'), '">
    <span class="topicname" style="font-size: 85%"><strong><a href="', $post['href'], '">', $post['subject'], '</a></strong></span>
    ', !$post['is_new'] ? '' : '<a href="' . $scripturl . '?topic=' . $post['topic'] . '.msg' . $post['new_from'] . ';topicseen#new" rel="nofollow"><img src="' . $settings['lang_images_url'] . '/new.gif" alt="' . $txt['new'] . '" border="0" /></a>', '
    <br /><small>Posted by <span class="author">', $post['poster']['link'], '</span><br /><span class="date">', $post['time'], '</span><br /><em>(Views: ', $post['views'], ' | Replies: ', $post['replies'], ')</em></small><br /><br />
    </div>';
    $odd = !$odd;
}
echo '
</div>';
--- End code ---
Now, sometimes (I really can't figure out why this happens only sometimes) instead of going to the topic, I'm redirected to the board index!
Here's the link of one of the topic links when this happens:
http://forum.rockciclopedia.com/index.php?PHPSESSID=4e9ca3e505fdaf32d747fb9831b6d9b7&/topic,1352.msg22299/topicseen.html?PHPSESSID=4e9ca3e505fdaf32d747fb9831b6d9b7#new
(I don't have any pretty url/simplesef/topic-related mod or other strange ones, I only have seo-friendly urls enabled. I've also tried to disable that option but this still happens!)
So, this finally seems related to the (huge) issue with sessions! :(
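The link quoted in the post above, taken apart (an added example, not part of the original post and not SMF code): it splits the URL at the first `?`, lists the resulting parameter names, checks for the `topic` parameter that the post's own code builds with `?topic=`, counts where the session ID appears, and returns a copy with the session value masked for pasting into a report. The function name `inspect_link` and the default parameter name `PHPSESSID` are assumptions of the example.

```php
<?php
// Added example, not from the thread. Sample input: the link quoted in the post.
// Assumption: the session parameter is named PHPSESSID, as in that link.

function inspect_link(string $url, string $sessionName = 'PHPSESSID'): array
{
    $parts = parse_url($url);
    $query = $parts['query'] ?? '';

    // Only the first "?" starts the query string; a later "?" is plain data,
    // so "/topic,...html?PHPSESSID" ends up inside a parameter name.
    $names = [];
    foreach (array_filter(explode('&', $query), 'strlen') as $pair) {
        $names[] = explode('=', $pair, 2)[0];
    }

    // Every occurrence of the session ID, wherever it sits in the query.
    $pattern = '/(?<![A-Za-z0-9_])' . preg_quote($sessionName, '/') . '=([A-Za-z0-9,-]+)/';
    preg_match_all($pattern, $query, $m);

    return [
        'path'            => $parts['path'] ?? '',
        'fragment'        => $parts['fragment'] ?? '',
        'param_names'     => $names,
        'has_topic_param' => in_array('topic', $names, true),
        'session_ids'     => $m[1],
        // Shareable form: same structure, session value masked.
        'redacted'        => preg_replace($pattern, $sessionName . '=[redacted]', $url),
    ];
}

$link = 'http://forum.rockciclopedia.com/index.php?PHPSESSID=4e9ca3e505fdaf32d747fb9831b6d9b7'
      . '&/topic,1352.msg22299/topicseen.html?PHPSESSID=4e9ca3e505fdaf32d747fb9831b6d9b7#new';

$r = inspect_link($link);
printf("path:            %s\n", $r['path']);
printf("parameter names: %s\n", implode(' | ', $r['param_names']));
printf("topic parameter: %s\n", $r['has_topic_param'] ? 'yes' : 'no');
printf("session IDs:     %d occurrence(s)\n", count($r['session_ids']));
printf("redacted:        %s\n", $r['redacted']);
```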
Orstio:
What do the URLs look like if you turn off SEO Friendly URLs in SMF?
MultiformeIngegno:
Unfortunately it's not easy to reproduce this latest behavior (I really can't understand when it happens)... anyway I didn't understand yet if you managed to reproduce the main (and most important) issue:
--- Quote from: MultiformeIngegno on April 04, 2010, 07:53:32 PM ---OK, I'm able to clearly reproduce this issue. Here's the procedure:
You have a freshly installed SMF 2.0 RC3 in a /test_forum folder. Now create a subdomain, testforum.yourdomain.com (that of course has test_forum as main dir). Now change the forum url to use the subdomain. OK. Create a new folder in your server (out of the forum one), called /test_ssi. Now put there your ssi file, called myssifile.php:
--- Code: ---<?php
// Layers to be utilized
$ssi_layers = array('html', 'body');
//This is the SSI.php file in the Board dir.
require('../test_forum/SSI.php');
?>
My test file!
<?php
ssi_shutdown();
?>
--- End code ---
Now create another subdomain so you have testssi.yourdomain.com (with of course /test_ssi as main directory). Now clear your cookies/cache/everything and go to -> testssi.yourdomain.com/myssifile.php. You should see your ssi-based file with (of course) the login box. Now try to login, you should get the "password wrong" error and all the behaviors that we've talked about (sessions number that changes at every refresh, etc...)!
ALL THIS HAPPENS WITH THE OPTIONS "Use subdomain independent cookies" ON and "Enable local storage of cookies" OFF!
If you're on the same subdomain or without subdomains, you don't have these issues (or at least I can't reproduce 'em!).
--- End quote ---
I managed to reproduce this in 2 different hosting and 2 different rc3 (clean) installations... You only need to install the forum in a subdomain and then create a page that calls ssi.php from a different subdomain! :)