• Welcome to Simple Machines Community Forum. Please login or sign up.
December 07, 2021, 01:43:29 AM

News:

Want to get involved in developing SMF, then why not lend a hand on our github!


[4244]SMF 2.0 RC3 - Obfuscation of session variable name breaks integration

Started by Orstio, April 01, 2010, 05:46:51 PM

Previous topic - Next topic

MultiformeIngegno

Quote from: Nao on June 11, 2010, 08:58:21 AM
Sorry, forgot about that... test / lorenzo
Great!! Works for me! 8) ;)

If you try this we can see if this has been fixed too:
Quote from: MultiformeIngegno on June 11, 2010, 06:54:04 AM
Another test you can try: call boardNews in the ssi page (display the latest topic from a board), then visit the ssi page when you're logged in, links will work as expected and will bring you to the right topic. Then logout and visit the ssi page again. You should notify that boardNews links are not working and you're redirected to the board index instead of the expected topic. This behavior is related to this bug because if you take a look at the boardNews links (ONLY IF YOU'RE LOGGED OUT), they are "strange"..
RockCiclopedia (wiki - forum), Tutta la storia del rock, scritta da voi ...
Rimanere aggiornati sul mondo della musica grazie al nuovo feed "RockCiclopedia Music News"!

Nao 尚

I added simply ssi_boardNews() and everything works for me...

I guess I'll have to look into your site!
I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

Aeva Media rocks your life.

MultiformeIngegno

Quote from: Nao on June 11, 2010, 09:15:00 AM
I guess I'll have to look into your site!
FTP details I "PMmed" you still work! ;)
RockCiclopedia (wiki - forum), Tutta la storia del rock, scritta da voi ...
Rimanere aggiornati sul mondo della musica grazie al nuovo feed "RockCiclopedia Music News"!

MultiformeIngegno

You can reproduce this behavior by visiting www dot rockciclopedia dot com and clicking one of these links:


This is the urls structure:
http:*/forum dot rockciclopedia dot com/index.php?PHPSESSID=5c6df767585c2ca044f958a845773385&/topic,xxxx.0.html?PHPSESSID=5c6df767585c2ca044f958a845773385

There's phpsessid twice!

And here is the code (boardNews):

$array = ssi_boardNews(5, 7, null, 570, 'array');

foreach ($array as $key => $news)
{
if ($key == 0)
{
echo '
<a href="', $news['href'], '"><big><strong>', $news['subject'], '</strong></big></a>


<br />', $news['body'], '<br /><hr />';
}
else
{
if($key == 1)
echo '<center><a href="http://extra.rockciclopedia.com/feed.php"><strong><img width="11px" src="http://www.rockciclopedia.com/images/rss_icon.png" alt="*" /> <font color="white">Iscriviti al feed rss</font></strong></a> <span style="visibility: hidden;">-----------</span><a href="http://forum.rockciclopedia.com/index.php?action=post;board=5.0"><strong><img width="11px" src="http://www.rockciclopedia.com/images/news.png" alt="*" /> <font color="white">Segnalaci una news</font></strong></a></center><hr />';

echo '
<a href="', $news['href'], '"><font style="font-size: 1.1em"><strong>', $news['subject'], '</strong></font><img src="', str_replace(';preview', ';thumb', $news['image']), '" alt="', $news['subject'], '" style="float: right; margin-top:2px; margin-left: 5px;" height="54px" /></a> <span style="color:#666">(<small>', date('d/m/Y', $news['timestamp']), '</small>)</span> <br />', shorten_subject(strip_tags($news['body']), 130), '<br /><hr style="margin-top: 15px; margin-bottom: 5px;" />';
}
}
RockCiclopedia (wiki - forum), Tutta la storia del rock, scritta da voi ...
Rimanere aggiornati sul mondo della musica grazie al nuovo feed "RockCiclopedia Music News"!

Nao 尚

I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

Aeva Media rocks your life.

MultiformeIngegno

Weird!!!! :(

I've tried with Firefox, Chrome and IE..
Here's a screen:
http://img192.imageshack.us/img192/9328/boardnews2.jpg

Uhm.. I don't know.. Try using a cache-clean browser...

P.S.: The svn at ssi dot geez dot fr does contain your fixes from noisen or it's simply the latest rev and you don't know why it works?
RockCiclopedia (wiki - forum), Tutta la storia del rock, scritta da voi ...
Rimanere aggiornati sul mondo della musica grazie al nuovo feed "RockCiclopedia Music News"!

Nao 尚

1/ I'm using Opera... And it's clean. It has much better cache handling than the competition. It's not a leftover or anything. This is probably because I have a PHPSESSID cookie that is set. The first time you visit a website, you can't immediately get a session cookie. The session is created, and the page is sent to you as is. If your cookie feature is disabled, then let's say you logged into a site -- you'll see yourself as logged, and next time you refresh the page, you're logged off. This is the same here: the first time you come to a site, you don't have a session cookie, so a temporary session is created, with ID stored in PHPSESSID, and this is sent to you. The next time you reload the page, you should have the session in your cookie, and no PHPSESSID in links. It's always like that.
Maybe your own browser has cookies disabled or something?

2/ My geez test site has the latest revision, yes. There is no "intended" fix in it. That's why I'm stumped. It didn't work with the May 28 revision, then I updated it to the June 9 revision and it started working. However, once again: there is no visible change in the last 2 weeks that is directly related to sessions. I committed most of the changes in these last two weeks, so it's likely that I added a fix from noisen.com while fixing some other bug. But what fix, really? I don't know...
I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

Aeva Media rocks your life.

MultiformeIngegno

Quote from: Nao on June 11, 2010, 10:41:55 AM
Maybe your own browser has cookies disabled or something?
No, I'm sure! I've seen this behavior also with different browsers in different OS/computers (one with Mac OSX too)!
So it's simply.. weird!! xD

Quote from: Nao on June 11, 2010, 10:41:55 AM
2/ My geez test site has the latest revision, yes. There is no "intended" fix in it. That's why I'm stumped. It didn't work with the May 28 revision, then I updated it to the June 9 revision and it started working. However, once again: there is no visible change in the last 2 weeks that is directly related to sessions. I committed most of the changes in these last two weeks, so it's likely that I added a fix from noisen.com while fixing some other bug. But what fix, really? I don't know...
Uhm... should be useful to see if it fixes the problem on my site..
RockCiclopedia (wiki - forum), Tutta la storia del rock, scritta da voi ...
Rimanere aggiornati sul mondo della musica grazie al nuovo feed "RockCiclopedia Music News"!

Nao 尚

Okay, I'm getting a backup from my geez site and will compare the files manually...
I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

Aeva Media rocks your life.

Nao 尚

After a painful backup retrieval session (it kept logging off the ftp server >_<), I got to compare the files... STILL no obvious change to me. Then it struck me, okay I'll just reinstall the version that didn't work... AND IT STILL WORKS. (Try it out, it's the old version that's online now.)

So, maybe.................... Maybe it isn't a SMF code problem at all! But WHAT ELSE, then?!

This thing is going to be the death of me...
I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

Aeva Media rocks your life.

MultiformeIngegno

I really have no idea.. I only know that with RC2 it worked! :(
The strange thing is that your setup sometimes works, sometimes not.. in my site (and also the test setup, username: demo, password: password) it always does not work!
RockCiclopedia (wiki - forum), Tutta la storia del rock, scritta da voi ...
Rimanere aggiornati sul mondo della musica grazie al nuovo feed "RockCiclopedia Music News"!

Nao 尚

Okay, I'm reinstalling a fresh RC3 in its place...

So far so bad. I've uploaded all of the contents of Themes and Sources, and it still works.
I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

Aeva Media rocks your life.

Nao 尚

Just can't reproduce now.

I tried on your test site again, and reproduced, so I'll be working on that one I guess...
I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

Aeva Media rocks your life.

MultiformeIngegno

RockCiclopedia (wiki - forum), Tutta la storia del rock, scritta da voi ...
Rimanere aggiornati sul mondo della musica grazie al nuovo feed "RockCiclopedia Music News"!

MultiformeIngegno

Nao did you manage to connect to my site with the new ftp details? :)
RockCiclopedia (wiki - forum), Tutta la storia del rock, scritta da voi ...
Rimanere aggiornati sul mondo della musica grazie al nuovo feed "RockCiclopedia Music News"!

Nao 尚

I didn't try yet. Not only wasn't I online today, but I'm pretty dried out when it comes to SMF right now. Dunno what I'll do about it.
I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

Aeva Media rocks your life.

Nao 尚

Okay...... Here are my findings over this last week. I'm pretty confident I've nailed the problem, and I'm also very confident it can hardly be fixed.

- I traced back the issue to loadSession(), which as it says, loads the current session.
- Normally, this function should return the same session_var for both subdomains. It doesn't. However, the PHPSESSID is indeed the same for both subdomains, meaning it really SHOULD be returning the same session_var.
- Now, armed with much patience, I did an ini_get_all() on your server and compared it with my server's. Basically, they're very close, except for two things:
1/ session.use_trans_sid is set to 0 on your server, and 1 on mine. Since SMF disables it, it shouldn't be the origin of the problem. May still be worth looking into.
2/ your server has the Suhosin patch installed, with, take very careful note, suhosin.cookie.cryptdocroot and suhosin.session.cryptdocroot set to 1. This behavior, according to this website, often leads different subdomains to return a different session_var when using the same PHPSESSID. Sounds familiar?

ini_set("suhosin.session.cryptdocroot", "Off");
ini_set("suhosin.cookie.cryptdocroot", "Off");


So, I tried to apply the link's solution (see above) and disable the suhosin variables, but your server refuses it. It gives an access of 6, which means it can be overridden in php.ini or .htaccess, but not with a script. I tried both .htaccess and php.ini (I've left the php.ini online for you to see), and it STILL does not change the value of these variables. Now you'll have to ask your host to try and disable these two variables manually via their master php.ini or httpd.conf!
If it still doesn't work, ask them to try and revert the session.use_trans_sid variable.

Finally, if it STILL doesn't work, just try with another host.

I officially will NO longer work myself on that bug. It has eaten 80% of my week (mainly trying to reproduce the bug on various setups), and it's now quite obvious to me that it's something specific to a badly configured server. (Or a bug in PHP, which in any case, means it's NOT SMF's fault.)

PS: loadSession() is the same in both RC2 and RC3, so there's no reason your RC2 should have worked any better. Try again (like, install yet another test copy of SMF RC2 in a folder inside the subdomain), but I very much doubt it will work at all.
I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

Aeva Media rocks your life.

MultiformeIngegno

Thanks for your really useful info and your time spent on this! ;)
I'll ask my host if they can help me, but... didn't you reproduce it on your server too?

Quote from: Nao on June 09, 2010, 06:49:36 PM
Oh, btw, I reproduced the bug on a fresh install of the latest svn, with two different subdomains, using the same setup (ie the SSI subdomain is in a folder inside the main subdomain.)
So, it's definitely not a problem with your server. It'll be easier for me to deal with (as it's a test server), I won't be needing your ftp details again. (I only use other people's ftp details as a last resort.)
RockCiclopedia (wiki - forum), Tutta la storia del rock, scritta da voi ...
Rimanere aggiornati sul mondo della musica grazie al nuovo feed "RockCiclopedia Music News"!

Nao 尚

Quote from: MultiformeIngegno on June 14, 2010, 04:57:53 AM
Thanks for your really useful info and your time spent on this! ;)
I'll ask my host if they can help me,
Hopefully they'll be quick, because... well, I can't wait to see?

Quotebut... didn't you reproduce it on your server too?
Yes, but remember? It fixed itself... So it may have been a different problem, something like a cookie not setting itself properly or whatever. I'll probably never know why it happened in the first place. Thing is, I did try to reset the website to how it was when I reproduced the bug, and it didn't happen again, so it's not something due to a change in the code.
Also, if you can try installing RC2 on a testforum2 subdomain and your SSI file in testextra2, and show me that it DOES work this time, then I'll spend an extra day tracing through it.

PS: It's not actual "tracing", because tracing involves having a local server+debugger, and I don't use that kind of thing (I probably would have installed one if the bug could have been reproduced anywhere), so it takes a lot more time because it involves putting print_r and echo calls everywhere in the code to check how it evolves. Really NOT funny at all... Just look at me this morning, I'm a complete mess. I received 6 or 7 PMs from my team leader and have yet to answer any one of them.
I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

Aeva Media rocks your life.

MultiformeIngegno

OK man... you're right (as always). Also with SMF 2.0 RC2 it doesn't work.
I've opened a ticket, hopefully they'll disable the patch or.. don't know.. they're always kind! :)
RockCiclopedia (wiki - forum), Tutta la storia del rock, scritta da voi ...
Rimanere aggiornati sul mondo della musica grazie al nuovo feed "RockCiclopedia Music News"!

Advertisement: