2007-03-14, 12:28 PM
MyBB 1.2.3
(PHP 5.2.1 with Suhosin + MySQL 4.1) and (PHP 5.1.6 with Hardened Patch + MySQL 5.0)
Firefox 2.0, Opera 9.1
User is logged in. MyBB always deletes the old session and sets up a new one. Confirmed on raw MyBB (without any modifications - just after installing it). Sample queries:
1. SELECT title,cache FROM mybb_datacache
2. SELECT * FROM mybb_sessions WHERE sid='a83004b464706b0dcc4821378dd32764' AND ip='xx.xx.xx.xx'
   No rows! (Impossible WHERE noticed after reading const tables)
3. SELECT u.*, f.*, b.dateline AS bandate, b.lifted AS banlifted, b.oldgroup AS banoldgroup, b.olddisplaygroup as banolddisplaygroup, b.oldadditionalgroups as banoldadditionalgroups FROM mybb_users u LEFT JOIN mybb_userfields f ON (f.ufid=u.uid) LEFT JOIN mybb_banned b ON (b.uid=u.uid) WHERE u.uid='1'
4. DELETE FROM mybb_sessions WHERE uid=1
5. INSERT INTO mybb_sessions (uid, sid, time, ip, location, useragent, location1, location2, nopermission) VALUES ('1', '9fde02482d5cf5721b8da39750c16117', '1173874929', 'xx.xx.xx.xx', '/mybb/forumdisplay.php?fid=2&debug=1', 'Mozilla/5.0 (Windows; U; Windows NT 5.0; pl; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2', '2', '0', '0')
Cookies:
mybbuser - xxxxxxxxxxxx
sid - a83004b464706b0dcc4821378dd32764 (this SID is used in second query)
And as far as I remember it was always like this :/ (since MyBB 1.1.4?). User is properly logged in - he does not see any problems. But his session is restarting after every GET request (have not tried POST request).
MyBB settings:
Cookie Domain - empty
Cookie Path - /
Use GZip Page Compression? - Off (server uses output_buffering with zlib)
Need some more information?
Update:
1. After deleting the user's sid cookie and the user's sessions from the database, the session is properly set up (sid from cookie = sid in DB).
2. But in a few moments it goes back - the session in the cookie is different than the session in the DB and this cookie is not updated.
Hmmm... seems that the problem lies here (file: class_session.php):
    // As a token of our appreciation for getting this far, give the user a cookie
    if(!$_COOKIE['sid'] && $this->sid) // Koziolek - But we have a cookie with bad sid :/
    {
        my_setcookie("sid", $this->sid, -1, true);
    }

REPLACE WITH:

    // As a token of our appreciation for getting this far, give the user a cookie
    if((!$_COOKIE['sid'] || !$session['sid']) && $this->sid)
    {
        // User's cookie does not exist or it is bad
        my_setcookie("sid", $this->sid, -1, true);
    }
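
A stand-alone model of the behaviour reported above, added here as an example (it is not MyBB's code or the poster's). It assumes the browser already holds a sid cookie that has no matching row in mybb_sessions; the function names, the array standing in for the sessions table and the omission of the IP match are simplifications made for this sketch.

```php
<?php
// Constructed model: $db stands in for mybb_sessions (sid => uid) and
// $cookies for the browser's cookie jar. All names here are hypothetical.

function handle_request(array &$db, array &$cookies, int $uid, bool $patched): string
{
    // Query 2 in the post: look up the sid sent in the cookie.
    $cookieSid = $cookies['sid'] ?? '';
    $session = ($cookieSid !== '' && isset($db[$cookieSid])) ? ['sid' => $cookieSid] : [];

    if (!empty($session['sid'])) {
        $sid = $session['sid'];                 // existing session is reused
    } else {
        // Queries 4 and 5: delete the user's rows, insert a fresh session.
        $db = array_filter($db, fn($owner) => $owner !== $uid);
        $sid = bin2hex(random_bytes(16));
        $db[$sid] = $uid;
    }

    // Cookie check from class_session.php: original vs. proposed condition.
    $resend = $patched
        ? ((empty($cookies['sid']) || empty($session['sid'])) && $sid)
        : (empty($cookies['sid']) && $sid);
    if ($resend) {
        $cookies['sid'] = $sid;                 // stands in for my_setcookie("sid", ...)
    }
    return $sid;
}

function count_new_sessions(bool $patched, int $requests = 5): int
{
    $uid = 1;
    $db = ['9fde02482d5cf5721b8da39750c16117' => $uid];        // row in the DB
    $cookies = ['sid' => 'a83004b464706b0dcc4821378dd32764'];  // stale cookie
    $created = 0;
    for ($i = 0; $i < $requests; $i++) {
        $before = array_keys($db);
        handle_request($db, $cookies, $uid, $patched);
        if (array_keys($db) !== $before) {
            $created++;                         // a DELETE + INSERT happened
        }
    }
    return $created;
}

printf("original check: %d new sessions in 5 requests\n", count_new_sessions(false));
printf("patched check:  %d new sessions in 5 requests\n", count_new_sessions(true));
```

With the original condition the stale cookie is never overwritten, so every request takes the DELETE/INSERT path; with the proposed condition the cookie is reissued on the first miss and later requests reuse the row.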