[F] Always setting new session (sid from cookie not in DB?)
#1
MyBB 1.2.3
(PHP 5.2.1 with Suhosin + MySQL 4.1) and (PHP 5.1.6 with Hardened Patch + MySQL 5.0)
Firefox 2.0, Opera 9.1

User is logged in. MyBB always deletes the old session and sets up a new one. Confirmed on raw MyBB (without any modifications - just after installing it). Sample queries:

1. SELECT title,cache FROM mybb_datacache
2. SELECT * FROM mybb_sessions WHERE sid='a83004b464706b0dcc4821378dd32764' AND ip='xx.xx.xx.xx'
   No rows! (Impossible WHERE noticed after reading const tables)
3. SELECT u.*, f.*, b.dateline AS bandate, b.lifted AS banlifted, b.oldgroup AS banoldgroup, b.olddisplaygroup as banolddisplaygroup, b.oldadditionalgroups as banoldadditionalgroups FROM mybb_users u LEFT JOIN mybb_userfields f ON (f.ufid=u.uid) LEFT JOIN mybb_banned b ON (b.uid=u.uid) WHERE u.uid='1'
4. DELETE FROM mybb_sessions WHERE uid=1
5. INSERT INTO mybb_sessions (uid, sid, time, ip, location, useragent, location1, location2, nopermission) VALUES ('1', '9fde02482d5cf5721b8da39750c16117', '1173874929', 'xx.xx.xx.xx', '/mybb/forumdisplay.php?fid=2&debug=1', 'Mozilla/5.0 (Windows; U; Windows NT 5.0; pl; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2', '2', '0', '0')

Cookies:
mybbuser - xxxxxxxxxxxx
sid - a83004b464706b0dcc4821378dd32764 (this SID is used in second query)

And as far as I remember it was always like this :/ (since MyBB 1.1.4?). The user is properly logged in - he does not see any problems. But his session is restarting after every GET request (I have not tried a POST request).


MyBB settings:
Cookie Domain - empty
Cookie Path - /
Use GZip Page Compression? - Off (server uses output_buffering with zlib)

Need some more information?




Update:
1. After deleting the user's sid cookie and the user's sessions from the database, the session is properly set up (sid from cookie = sid in DB).
2. But in a few moments it goes back - the session in the cookie is different than the session in the DB and this cookie is not updated.

Hmmm... seems that the problem lies here (file: class_session.php):
		// As a token of our appreciation for getting this far, give the user a cookie
		if(!$_COOKIE['sid'] && $this->sid) // Koziolek - But we have a cookie with bad sid :/
		{
			my_setcookie("sid", $this->sid, -1, true);
		}
REPLACE WITH:
		// As a token of our appreciation for getting this far, give the user a cookie
		if((!$_COOKIE['sid'] || !$session['sid']) && $this->sid)
		{
			// User's cookie does not exist or it is bad
			my_setcookie("sid", $this->sid, -1, true);
		}
www.kozik.net.pl
- So... Maybe you shouldn't have hacked it.
- And why don't you try not breathing. Hurts, dunnit. (userfriendly.org)
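
The behaviour described in the post, as an added PHP model that is not part of the original post and is not MyBB source. It replays several requests from a browser holding a stale sid cookie and counts how often a new session row is created under the original condition and under the posted replacement. `handle_request`, `count_new_sessions`, the in-memory `$db` array and the stale sid value are constructed for illustration, and the ip match from the second query is left out.

```php
<?php
// Added model of the session bootstrap discussed above; not MyBB source.
// $db stands in for mybb_sessions (sid => uid); $cookies is the browser jar.

function handle_request(array &$db, array &$cookies, int $uid, bool $patched): bool
{
    $cookieSid = $cookies['sid'] ?? '';
    // Query 2 in the post: look up the sid the browser sent.
    $session = isset($db[$cookieSid]) ? ['sid' => $cookieSid] : [];
    $created = false;

    if (!empty($session['sid'])) {
        $sid = $session['sid'];              // existing session is reused
    } else {
        // Queries 4 and 5: drop the user's rows, then insert a fresh one.
        foreach (array_keys($db, $uid, true) as $old) {
            unset($db[$old]);
        }
        $sid = bin2hex(random_bytes(16));
        $db[$sid] = $uid;
        $created = true;
    }

    // The cookie decision the post is about.
    $send = $patched
        ? (empty($cookieSid) || empty($session['sid']))  // posted replacement
        : empty($cookieSid);                             // original condition
    if ($send && $sid) {
        $cookies['sid'] = $sid;              // models my_setcookie("sid", ...)
    }
    return $created;
}

function count_new_sessions(bool $patched, int $requests = 5): int
{
    $db = [];                                  // the session row is already gone
    $cookies = ['sid' => str_repeat('a', 32)]; // constructed stale cookie value
    $created = 0;
    for ($i = 0; $i < $requests; $i++) {
        $created += handle_request($db, $cookies, 1, $patched) ? 1 : 0;
    }
    return $created;
}

printf("original condition: %d new sessions\n", count_new_sessions(false));
printf("patched condition:  %d new sessions\n", count_new_sessions(true));
```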


Messages In This Thread
[F] Always setting new session (sid from cookie not in DB?) - by koziolek - 2007-03-14, 12:28 PM
