
Author Topic: 2.0.14 session_start(): Failed to decode....  (Read 6365 times)

Offline NekoSensei

  • Semi-Newbie
  • *
  • Posts: 60
  • Gender: Male
  • SMF User
    • Le Pays Du Manga et des Cartoons oubliés
Re: 2.0.14 session_start(): Failed to decode....
« Reply #20 on: December 09, 2017, 11:58:48 AM »
Is it possible that these errors come from the fact that some spam robots block cookies?

Offline shawnb61

  • Developer
  • Sophist Member
  • *
  • Posts: 1,334
    • sbulen on GitHub
Re: 2.0.14 session_start(): Failed to decode....
« Reply #21 on: December 09, 2017, 02:07:21 PM »
My initial thought is no.  My understanding is that when cookies are blocked php resorts to putting the session ID in the URL instead.  I don't think that would affect session contents. 

It is more likely that there is something unusual about sessions for bots under some circumstances. 

Could you find the lengths of your longest & shortest sessions?  You should be able to run these queries in the SQL window in phpMyAdmin:
Code: [Select]
SELECT LENGTH(data) AS maxlen FROM smf_sessions ORDER BY maxlen DESC LIMIT 1;
SELECT LENGTH(data) AS minlen FROM smf_sessions ORDER BY minlen ASC LIMIT 1;

Maybe something will stand out...  (My sessions range from ~80 bytes to ~4K bytes)
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Offline NekoSensei

« Reply #22 on: December 09, 2017, 03:09:51 PM »
For the moment with your 2 requests I get this:

maxlen
3622

minlen
82

Offline shawnb61

« Reply #23 on: December 09, 2017, 10:15:01 PM »
Thanks for sending me your session info.  It all looks good.  (I.e., the bad ones are getting destroyed just as the message says.)

Let me ponder this...  I may have something for you to test in a bit... 

Offline shawnb61

« Reply #24 on: December 23, 2017, 02:11:53 PM »
NekoSensei -
Are you still having this issue?   If so, I'll get you some code to test.
Sorry for leaving you hanging, a few things came up.

Offline NekoSensei

« Reply #25 on: December 23, 2017, 03:33:36 PM »
Hi shawnb61, yes, it's always the same, and I just cleaned fifty error messages from the same robot ... lol

Offline shawnb61

« Reply #26 on: December 30, 2017, 10:53:01 PM »
I have been working with NekoSensei offline on this.  What we have learned:
 - This activity was traced to a known malicious spammer
 - The session problems were caused by special UTF8 characters in the search field
 - The problems went away when NekoSensei rewrote the ban messages in English (all ISO-8859-1, no UTF8)

The true underlying problem is that searches for strings with multi-byte UTF8 characters cause session issues.  It appears the spammer was searching the site for his/her ban message (which is why the issues went away when NekoSensei changed the ban messages).   

However, you can still reproduce all the symptoms by searching for multi-byte strings.  A bug has been logged for this.   

Note that the search works fine; the message is logged in the background & the session is rebuilt in the background.  There is no user impact, just worrisome entries in the error log. 

Thanks to NekoSensei for being patient & providing all sorts of helpful info. 

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,388
    • StoryBB/StoryBB on GitHub
Re: 2.0.14 session_start(): Failed to decode....
« Reply #27 on: December 31, 2017, 06:10:41 AM »
If the session table isn't UTF-8, all manner of stupid stuff could happen now sessions are done with JSON.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline shawnb61

« Reply #28 on: December 31, 2017, 06:36:49 AM »
This even occurs if everything is UTF8.  And it's not the JSON encoding, not directly, anyway.  It has to do with the internal session_encode() not liking UTF8.  This error is on 2.0 & 2.1.  For more info, check out issue #4444 on GitHub.

Offline albertlast

  • Development Contributor
  • Full Member
  • *
  • Posts: 587
Re: 2.0.14 session_start(): Failed to decode....
« Reply #29 on: December 31, 2017, 06:45:28 AM »
Like I mentioned in #4444, the information is not enough to reproduce the error.
It would be nice to get a more detailed guide to see the issue.

Offline Arantor

« Reply #30 on: December 31, 2017, 07:28:51 AM »
Try changing the @ini_set('session.serialize_handler', 'php'); to @ini_set('session.serialize_handler', 'php_serialize');

Requires PHP 5.5.4

Offline Colin

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 7,874
  • Gender: Male
  • SMF Developer
    • colinschoen on GitHub
Re: 2.0.14 session_start(): Failed to decode....
« Reply #31 on: December 31, 2017, 10:42:08 AM »
> I have been working with NekoSensei offline on this.  What we have learned:
>  - This activity was traced to a known malicious spammer
>  - The session problems were caused by special UTF8 characters in the search field
>  - The problems went away when NekoSensei rewrote the ban messages in English (all ISO-8859-1, no UTF8)
>
> The true underlying problem is that searches for strings with multi-byte UTF8 characters cause session issues.  It appears the spammer was searching the site for his/her ban message (which is why the issues went away when NekoSensei changed the ban messages).
>
> However, you can still reproduce all the symptoms by searching for multi-byte strings.  A bug has been logged for this.
>
> Note that the search works fine; the message is logged in the background & the session is rebuilt in the background.  There is no user impact, just worrisome entries in the error log.
>
> Thanks to NekoSensei for being patient & providing all sorts of helpful info.



Thank you for identifying this.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Offline shawnb61

« Reply #32 on: December 31, 2017, 11:07:51 AM »
> Try changing the @ini_set('session.serialize_handler', 'php'); to @ini_set('session.serialize_handler', 'php_serialize');
>
> Requires PHP 5.5.4

Thanks, I'll put this suggestion in the issue log.

Offline NekoSensei

« Reply #33 on: January 04, 2018, 05:38:22 AM »
I am happy to have been able to help you, I am available for other additional tests.

I thank shawnb61 who took care of my strange case.

Offline albertlast

« Reply #34 on: January 04, 2018, 09:49:30 AM »
You could change the code line as mentioned and
see if the error persists.

Offline NekoSensei

« Reply #35 on: January 04, 2018, 11:25:51 AM »
Hi albertlast,
Are you talking about this?
> Try changing the @ini_set('session.serialize_handler', 'php'); to @ini_set('session.serialize_handler', 'php_serialize');
>
> Requires PHP 5.5.4
Where do I find this line?

Offline Arantor

« Reply #36 on: January 04, 2018, 11:58:02 AM »
Probably in Load.php (it's in Session.php in 2.1 but that file didn't exist in 2.0 and I don't know where it is offhand)

Note that you should probably clear the smf_sessions table after doing so.

Offline NekoSensei

« Reply #37 on: January 04, 2018, 12:22:29 PM »
This line does not exist in Load.php in my SMF 2.0.15.

I have these lines :
Code: [Select]
// Attempt to start the session, unless it already has been.
function loadSession()
{
    global $HTTP_SESSION_VARS, $modSettings, $boardurl, $sc;

    // Attempt to change a few PHP settings.
    @ini_set('session.use_cookies', true);
    @ini_set('session.use_only_cookies', false);
    @ini_set('url_rewriter.tags', '');
    @ini_set('session.use_trans_sid', false);
    @ini_set('arg_separator.output', '&');

    if (!empty($modSettings['globalCookies']))
    {
        $parsed_url = parse_url($boardurl);

        if (preg_match('~^\d{1,3}(\.\d{1,3}){3}$~', $parsed_url['host']) == 0 && preg_match('~(?:[^\.]+\.)?([^\.]{2,}\..+)\z~i', $parsed_url['host'], $parts) == 1)
            @ini_set('session.cookie_domain', '.' . $parts[1]);
    }


Code: [Select]
    // Use database sessions? (they don't work in 4.1.x!)
    if (!empty($modSettings['databaseSession_enable']) && @version_compare(PHP_VERSION, '4.2.0') != -1)
    {
        session_set_save_handler('sessionOpen', 'sessionClose', 'sessionRead', 'sessionWrite', 'sessionDestroy', 'sessionGC');
        @ini_set('session.gc_probability', '1');
    }
    elseif (@ini_get('session.gc_maxlifetime') <= 1440 && !empty($modSettings['databaseSession_lifetime']))
        @ini_set('session.gc_maxlifetime', max($modSettings['databaseSession_lifetime'], 60));

Code: [Select]
    // We want to be able to figure out any errors...
    @ini_set('track_errors', '1');

But no @ini_set('session.serialize_handler', 'php');

Offline Arantor

« Reply #38 on: January 04, 2018, 12:26:54 PM »
Put it before the ini_set for cookies.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.
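
Added example (not part of the thread and not SMF code): a stand-alone PHP CLI check of the handler change suggested above. It sets session.serialize_handler before session_start(), round-trips a constructed multi-byte search string through session_encode()/session_decode() under both handlers, and repeats the test after a simulated lossy charset conversion of the stored string. That conversion is an assumption illustrating the remark about non-UTF-8 session tables, not the confirmed cause of issue #4444, and check_handler() is a hypothetical helper.

```php
<?php
// Added example, not SMF code. Run from the CLI: php check_handler.php
// check_handler() is a hypothetical helper; the sample search string is constructed.
function check_handler($handler, array $data, $mangle = null)
{
    // 'php_serialize' requires PHP 5.5.4, as stated in the thread.
    if ($handler === 'php_serialize' && version_compare(PHP_VERSION, '5.5.4', '<'))
        return array('handler' => $handler, 'result' => 'skipped (PHP too old)');

    // Session ini settings must be changed before session_start() and before any output.
    ini_set('session.serialize_handler', $handler);
    ini_set('session.use_cookies', '0');    // CLI run: no cookie header to send
    ini_set('session.cache_limiter', '');   // CLI run: no cache headers either
    session_start();

    $_SESSION = $data;
    $stored = session_encode();             // the string a save handler would write out
    if ($mangle !== null)
        $stored = call_user_func($mangle, $stored);   // simulate damage done in storage

    $_SESSION = array();
    // A failed decode can destroy the session, hence the status check below.
    $ok = @session_decode($stored) && $_SESSION === $data;
    if (session_status() === PHP_SESSION_ACTIVE)
        session_destroy();

    return array('handler' => $handler, 'result' => ($ok ? 'round-trips' : 'FAILED to decode')
        . ', ' . strlen($stored) . ' bytes');
}

// Constructed sample: a search string containing multi-byte UTF-8 characters.
$data = array('search' => "Cartoons oubli\xC3\xA9s \xE6\xBC\xAB\xE7\x94\xBB");

// Serialized strings record their length in bytes, so a lossy conversion in storage
// (assumed here: UTF-8 to ISO-8859-1) leaves data that no longer matches that length.
$to_latin1 = function ($s) { return mb_convert_encoding($s, 'ISO-8859-1', 'UTF-8'); };

$report = array();
foreach (array('php', 'php_serialize') as $handler)
{
    $intact = check_handler($handler, $data);
    $damaged = check_handler($handler, $data, $to_latin1);
    $report[] = "$handler, stored intact: {$intact['result']}";
    $report[] = "$handler, re-encoded:    {$damaged['result']}";
}

// Print only now: newer PHP versions refuse session ini changes once output has started.
echo implode("\n", $report), "\n";
```

The script needs the mbstring extension and a writable session save path; it touches no forum data.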

Offline NekoSensei

« Reply #39 on: January 04, 2018, 12:39:41 PM »
Like this?

Code: [Select]
// Attempt to change a few PHP settings.
==> @ini_set('session.serialize_handler', 'php');
@ini_set('session.use_cookies', true);