Okay, I think part of the problem here is that the function we use for determining the path component of $CFG->wwwroot (and hence the path component of the cookie's path) is buggy if your $CFG->wwwroot has no path component or trailing path (e.g.: "http://mahara.example.com" instead of "http://mahara.example.com/" or "http://example.com/mahara/")
In such a case, the function get_mahara_install_subdirectory() will return the whole domain name (e.g. "mahara.example.com"). This then gets set as the cookie's path. Since it doesn't usually match the actual path component of the URL requested by the browser, the browser ignores it and instead applies the cookie to the "default path" for the requested URL.

So, with that in mind, I haven't been able to replicate this naturally, but I have been able to replicate it with a slight hack to force a bad path session header to be generated during the vulnerable period.

1. Set up your Mahara site so that in your config.php you have a $cfg->wwwroot with no path component or trailing slash (e.g.: $cfg->wwwroot = 'http://mahara';)
2. In htdocs/init.php, on line 201 (right after the call to "$SESSION = Session::singleton()"), add a line that reads: $SESSION->set('foo', 'bar');
3. Log out of Mahara.
4. Go to http://mahara/admin/index.php
5. Because you're logged out, you'll see the transient login page. Log in here.
6. Now you're logged in, click around and everything should work.
7. Log out. You should now see the standard "logged out" homepage.
8. Log back in from the "logged out" homepage.
9. Click on the Administration link.

Expected result: You should see the admin home page.

Actual result: You see the login screen again, as if you weren't logged out. If you examine your browser's cookie store now, you will see a mahara session cookie for the path "/" and another for the path "/admin/".
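As an added illustration of the two behaviours described above (this is not Mahara's own code): a PHP helper that derives a valid cookie path from $cfg->wwwroot whether or not it carries a path component, and a model of the RFC 6265 default-path rule that explains why a bare host name in the Path attribute is discarded by the browser and a second session cookie ends up scoped to the admin directory. The function names are hypothetical and the inputs are constructed.

```php
<?php
// Added example, not Mahara's own code: derive a session-cookie Path from
// $cfg->wwwroot that is valid with or without a path component, and model
// the RFC 6265 default-path rule a browser applies when the Path attribute
// it receives does not start with "/".

// Cookie path for a wwwroot: "/" when the URL has no path component or only
// "/", otherwise the install directory with leading and trailing slash.
function cookie_path_from_wwwroot(string $wwwroot): string {
    $path = parse_url($wwwroot, PHP_URL_PATH);   // null when no path is present
    if (!is_string($path) || trim($path, '/') === '') {
        return '/';   // e.g. 'http://mahara' or 'http://mahara.example.com/'
    }
    return '/' . trim($path, '/') . '/';          // e.g. 'http://example.com/mahara/'
}

// RFC 6265 section 5.1.4: default-path is the request-path up to, but not
// including, its last "/"; it is "/" when the request-path is empty, does
// not start with "/", or contains no other "/".
function rfc6265_default_path(string $request_path): string {
    if ($request_path === '' || $request_path[0] !== '/') {
        return '/';
    }
    $last = strrpos($request_path, '/');
    return $last === 0 ? '/' : substr($request_path, 0, $last);
}

// Path the browser stores for a cookie (RFC 6265 section 5.2.4): the Path
// attribute when it starts with "/", otherwise the request's default-path.
// A bare host name such as "mahara.example.com" is ignored, so a cookie set
// while on /admin/index.php is scoped to the admin directory while one set
// on the front page is scoped to "/": two session cookies for one site.
function effective_cookie_path(?string $path_attr, string $request_path): string {
    if ($path_attr === null || $path_attr === '' || $path_attr[0] !== '/') {
        return rfc6265_default_path($request_path);
    }
    return $path_attr;
}

// Constructed inputs matching the scenario in the report.
$wwwroot = 'http://mahara';
printf("Path attribute derived from %s: %s\n", $wwwroot, cookie_path_from_wwwroot($wwwroot));
printf("Browser path for Path=mahara set on /admin/index.php: %s\n",
       effective_cookie_path('mahara', '/admin/index.php'));
printf("Browser path for Path=/ set on /admin/index.php: %s\n",
       effective_cookie_path('/', '/admin/index.php'));
```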
https://bugs.launchpad.net/bugs/1592236

Title:
  Sessions: constantly asked to log in to access the Users Admin screen

Status in Mahara:
  Triaged

Bug description:
  Mahara: 16.04.1
  DB: Postgres
  OS: Linux
  Browser: Firefox

  I think there may be something funny with sessions happening. When the session times out (it's currently set to 2 hours) and I'm on the /admin/users/search.php, I think it doesn't correctly update the session once I log in again.

  This is what I think the steps are to reproduce it:
  1. leave screen on /admin/users/search.php
  2. have the session time out
  3. try to do something on the screen (i.e. search for a user)
  4. It will redirect to the login screen.
  5. Login correctly
  6. user search screen is displayed.
  7. click on the Configure Site menu link
  8. Click back on the Users menu link
  9. It will ask you to log back in again.

  It seems to only happen on the Users (and Group - I think) menu links.

  Thanks.