[4879] SMF 2.0 Final intermittent login and session failure (and workaround)

Started by rawlogic, August 20, 2011, 07:48:48 PM


rawlogic

Symptoms

When attempting to log in, it intermittently fails the first time, with the error "Password incorrect" even though you're sure that you entered the correct password, but your login is always successful the second time.

When attempting to post, you intermittently get a message that your session has timed out, with the error "The following error or errors occurred while posting this message. Your session timed out while posting. Please try to re-submit your message." even though you're sure you shouldn't be timing out.

When attempting to log out, you get the error message "Session verification failed".

When attempting to log into the admin control panel, you get the error message "Password incorrect", even though you're sure you have the correct password.

Description

It's an SMF bug, but it's triggered from the following setting in your php.ini:

session.hash_bits_per_character = 6

Since PHP 5, the session_id may contain commas and minus signs if the session.hash_bits_per_character setting is set to 6.

When SMF 2.0 Final checks the validity of a session_id, using a regular expression, the check fails if the session_id contains commas and minuses.

When session.hash_bits_per_character is set to 4 or 5 in your php.ini, commas and minus signs aren't used in the session_id. This setting was new in PHP 5. Prior to the setting, it defaulted to 4 bits per character. A setting of 4 or 5 passes, but 6 does not.

This has most likely become a problem as ISPs and users are hardening their PHP settings beyond the default settings.

You can verify your session.hash_bits_per_character setting by viewing the output of the phpinfo() function and searching for the name hash_bits_per_character.

Workaround

So the workaround is to configure session.hash_bits_per_character in php.ini to 4 or 5:

session.hash_bits_per_character = 5

SMF Code Fix

Everywhere you see the regular expression that checks for a valid session_id in Load.php:

'~^[A-Za-z0-9]{16,32}$~'

You need to change to this (notice the addition of the comma and minus):

'~^[A-Za-z0-9,-]{16,32}$~'

Note: there are multiple places where the regular expression occurs. Update all of them.

Without the fix, SMF will kill any "invalid" session, and the JavaScript functions that utilize the session_id will fail, since the session_id will be different on the next post.

This problem was intermittent, as the session_id is pseudo random and won't always contain a comma or minus even with session.hash_bits_per_character set to 6.

This also corrects the intermittent "Session verification failed" errors.

Recovering from the invalid session

Once you've fixed the issue, any affected user needs to clear their browser's cookies. They will then be prompted to log in again, and it should be fine after that.
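The post above describes the mismatch between PHP's session-id alphabet and SMF's allowlist regex in words. The script below is an added example (not code from the SMF project or from the poster) that reproduces the effect offline: it encodes a digest the way PHP 5 builds a session id for 4, 5 and 6 bits per character, runs the original and the fixed Load.php regex over the result, and measures how often the original one rejects a 6-bit id. The function and constant names are mine; the bit-packing order is an approximation of PHP's bin_to_readable(), but the alphabet and the output length, which are all the regex sees, match PHP (MD5 gives 32, 26 and 22 characters at 4, 5 and 6 bits). The sample digests are derived from a fixed seed string so the run is reproducible; real PHP hashes client address, time and random bytes.

```python
import hashlib
import re

# PHP 5's session-id alphabet, as used by bin_to_readable() in
# ext/session/session.c: 0-9, a-z and A-Z give 62 symbols; ',' and '-' are
# the 63rd and 64th and only appear at session.hash_bits_per_character = 6.
PHP_SID_ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-"

# The two patterns from the post, minus PHP's ~...~ delimiters. The character
# class and quantifier mean the same thing in Python's re as in PCRE.
SMF_ORIGINAL_RE = re.compile(r"^[A-Za-z0-9]{16,32}$")
SMF_FIXED_RE = re.compile(r"^[A-Za-z0-9,-]{16,32}$")


def php_session_id(digest: bytes, bits_per_char: int) -> str:
    """Turn a raw hash digest into a session id the way PHP 5 does.

    PHP consumes the digest bits_per_char bits at a time and maps each group to
    PHP_SID_ALPHABET. The packing order here is an approximation of PHP's
    (assumption); alphabet and length are what the SMF regex checks.
    """
    if bits_per_char not in (4, 5, 6):
        raise ValueError("session.hash_bits_per_character must be 4, 5 or 6")
    mask = (1 << bits_per_char) - 1
    out, acc, have = [], 0, 0
    for byte in digest:
        acc |= byte << have
        have += 8
        while have >= bits_per_char:
            out.append(PHP_SID_ALPHABET[acc & mask])
            acc >>= bits_per_char
            have -= bits_per_char
    if have:  # PHP emits the leftover bits as one more character
        out.append(PHP_SID_ALPHABET[acc & mask])
    return "".join(out)


def session_id_is_valid(session_id: str, pattern: re.Pattern = SMF_FIXED_RE) -> bool:
    """The allowlist check SMF's Load.php applies to the cookie value."""
    return pattern.fullmatch(session_id) is not None


def observed_failure_rate(bits_per_char: int, pattern: re.Pattern,
                          samples: int = 2000, hash_name: str = "md5") -> float:
    """Fraction of deterministically generated ids that `pattern` rejects."""
    rejected = 0
    for i in range(samples):
        # Constructed input: a fixed seed string, so the result is reproducible.
        digest = hashlib.new(hash_name, f"smf-demo-{i}".encode()).digest()
        if not session_id_is_valid(php_session_id(digest, bits_per_char), pattern):
            rejected += 1
    return rejected / samples


def expected_failure_rate(n_chars: int, alphabet_size: int = 64, bad_chars: int = 2) -> float:
    """P(at least one ',' or '-' among n_chars uniformly chosen symbols)."""
    return 1 - ((alphabet_size - bad_chars) / alphabet_size) ** n_chars


if __name__ == "__main__":
    for bits in (4, 5, 6):
        sid = php_session_id(hashlib.md5(b"smf-demo-0").digest(), bits)
        print(f"bits={bits} len={len(sid):2d} id={sid!r} "
              f"original={session_id_is_valid(sid, SMF_ORIGINAL_RE)} "
              f"fixed={session_id_is_valid(sid, SMF_FIXED_RE)}")
    print("6-bit ids rejected by the original regex:",
          f"observed {observed_failure_rate(6, SMF_ORIGINAL_RE):.2f},",
          f"expected {expected_failure_rate(22):.2f}")
    # Length matters too: a SHA-1 digest (session.hash_function = 1) at 4 bits
    # per character is 40 hex characters, outside {16,32} for both patterns.
    sha1_sid = php_session_id(hashlib.sha1(b"smf-demo-0").digest(), 4)
    print("sha1 + 4 bits:", len(sha1_sid), session_id_is_valid(sha1_sid, SMF_FIXED_RE))
```

With 22 characters drawn from a 64-symbol alphabet, the chance that at least one is ',' or '-' is 1 - (62/64)^22, about 0.50, which is why the poster saw roughly every other login fail rather than every login. The fixed regex stays an allowlist: it admits exactly the two extra characters PHP can emit, keeps the length bound, and still rejects anything else in the cookie before SMF hands it to the session layer. Two checks worth making alongside the thread's: the regex also bounds length, so a non-default session.hash_function (SHA-1 at 4 bits gives 40 characters) trips the same check for a different reason; and on PHP 7.1 and later the directive is called session.sid_bits_per_character, so search phpinfo() for that name there.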

ElusiveEagle

Wow! This is fantastic. Thank you!

This makes a lot of sense as I have noticed commas in the session variable but never put much thought to it (I thought they seemed strange to have but I figured I'd trust the SMF code). I haven't yet tried the fix as I had a quick question, but it makes perfect sense to me.

I checked the session.hash_bits_per_character setting on both my old and new servers and both are set to 6. Hence my issues. My question is as follows: Would it be better to just change the session.hash_bits_per_character value to 5 and leave the SMF regular expression the same or should I just change the regular expression to account for commas and dashes? I'm leaning towards the latter as that way I minimize changing the php.ini settings too much (yes, I could just change it for that domain, but anyway...).

Thanks again for your help! :)

rawlogic

Quote from: ElusiveEagle on August 23, 2011, 08:38:46 PM
Would it be better to just change the session.hash_bits_per_character value to 5 and leave the SMF regular expression the same or should I just change the regular expression to account for commas and dashes? I'm leaning towards the latter as that way I minimize changing the php.ini settings too much (yes, I could just change it for that domain, but anyway...).

I changed the code, then deleted my custom php.ini settings. I'll assume SMF will fix the bug in the next release, so it's one less thing I have to worry about.

Thanks for the show of gratitude. I put a lot of time into resolving the issue. :)


ElusiveEagle

Quote from: rawlogic on August 23, 2011, 10:40:16 PM
I changed the code, then deleted my custom php.ini settings. I'll assume SMF will fix the bug in the next release, so it's one less thing I have to worry about.

Thanks for the show of gratitude. I put a lot of time into resolving the issue. :)

Sounds good. I'll stick with my initial plan then. :) And thank you! I sure hope it works. I can't imagine this not being it.

Quote from: live627 on August 23, 2011, 10:59:50 PM
What exactly is your PHP version?

Old server: 5.3.5
New server: 5.3.6

live627


rawlogic

Quote from: live627 on August 23, 2011, 10:59:50 PM
What exactly is your PHP version?
I recently installed SMF 2.0 on a server with PHP 5.3.5, and it failed immediately due to session.hash_bits_per_character being set to 6.

In my testing, I recreated the issue on the following PHP versions and platforms simply by changing session.hash_bits_per_character:
5.2.13 (Windows 7)
5.2.17 (Debian)
5.3.5 (Windows 7 and Debian)
5.3.7 (Windows 7)

Since my web host provider setup the Linux environments for me, I don't know if the default session.hash_bits_per_character setting changed with a particular PHP version, or if they tweaked the configuration.  I'm guessing they tweaked it. The bug is likely to be an issue with any PHP version 5.0 and later, since if the user has their session.hash_bits_per_character set to 6, it causes a problem.

So .... why do you ask? :)

ElusiveEagle

I just wanted to report back that so far things are quite peachy. :)

I didn't mess with my PHP configuration but rather opted to "patch" the SMF Load.php file as you explained above. I tested it on a mirrored site first, and each time my session variable included a "-" or "%2C" (comma) I was still able to authenticate successfully.

I then implemented the fix on my live site, changed the SMF cookie name, and logged all users out. So far so good. :)

Gothkid

I'm still not having any luck. I'm running on Windows Server 2008 R2 with php version 5.3.6. I've changed the session.hash_bits_per_character to both 5 and 4 and replaced 4 lines in Load.php with what you said to replace. I still get the session is invalid error. Is there something I'm doing wrong?

Illori


rawlogic

Gothkid, if this is your issue, this fixes it from happening in the future. However, to recover from an invalid session, you'll still need to clear your browser's cookies. Once you clear your cookies, you should be prompted to log in again, and everything should be fine.

On Apache, you wouldn't need to restart the web server, but I don't know about IIS. Do as Illori suggested and restart it. However, do view the results of phpinfo() to see if you've got the setting correct. You don't need to change the code and the setting. One or the other will fix the issue, but I suppose both is better.

Gothkid

I have restarted IIS multiple times after changing the php.ini. I have also deleted my cookies and the cache folder and tried on different computers. I'm logged into my server through Remote Desktop and trying on that and my home PC, and both are getting the same errors. I looked at the sessions table in MySQL and there is no session id for my login. Would that be the problem also?

The original session setting in php.ini is 5. I just restored the backup of the default before messing around with it. It seems I just can't figure out how to get 2.0 to work for me. It's a shame because I'm tired of MyBB tables needing repairing.

rawlogic

Gothkid, what happens when you log out and log back in? Also, I tried to take a look at your forum at theworld-r2.net/forum to view the session IDs, but it says Service Unavailable.


Joshua Dickerson

rawlogic, thanks for the fix. Going to be hard to test it.

Would you consider making it in to a mod for users that haven't upgraded? I am going to commit the fix to the trunk (2.1).

Keep up the good work!
Come work with me at Promenade Group



Need help? See the wiki. Want to help SMF? See the wiki!

Did you know you can help develop SMF? See us on Github.

How have you bettered the world today?

Joshua Dickerson

Fixed with rev 10896 in trunk. Still needs to be fixed in 2.0 branch.

Joker™

Joshua, can we hazz the fix in the next update of SMF 2.0 branch as well?

OvermindDL1

Quote from: Joker™ on January 03, 2012, 05:40:54 AM
Joshua, can we hazz the fix in the next update of SMF 2.0 branch as well?

I am running the latest SMF (2.0.2 at this time) and I just got bit by this bug, editing the Load.php fixed it here as well, any chance of this fix getting into SMF 2.0.3+?

theshown

emanuele

Please apply the fix provided by rawlogic and it should disappear.
