Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[F] Always setting new session (sid from cookie not in DB?)
#1
MyBB 1.2.3
(PHP 5.2.1 with Suhosin + MySQL 4.1) and (PHP 5.1.6 with Hardened Patch + MySQL 5.0)
Firefox 2.0, Opera 9.1

User is logged. MyBB always deletes old session and sets up a new one. Confirmed on raw MyBB (without any modifications - just after installing it). Sample queries:

1.
SELECT title,cache FROM mybb_datacache
2.
SELECT * FROM mybb_sessions WHERE sid='a83004b464706b0dcc4821378dd32764' AND ip='xx.xx.xx.xx'
No rows! (Impossible WHERE noticed after reading const tables)
3.  
SELECT u.*, f.*, b.dateline AS bandate, b.lifted AS banlifted, b.oldgroup AS banoldgroup, b.olddisplaygroup as banolddisplaygroup, b.oldadditionalgroups as banoldadditionalgroups FROM mybb_users u LEFT JOIN mybb_userfields f ON (f.ufid=u.uid) LEFT JOIN mybb_banned b ON (b.uid=u.uid) WHERE u.uid='1'
4.  
DELETE FROM mybb_sessions WHERE uid=1 
5.  
INSERT INTO mybb_sessions (uid, sid, time, ip, location, useragent, location1, location2, nopermission) VALUES ('1', '9fde02482d5cf5721b8da39750c16117', '1173874929', 'xx.xx.xx.xx', '/mybb/forumdisplay.php?fid=2&debug=1', 'Mozilla/5.0 (Windows; U; Windows NT 5.0; pl; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2', '2', '0', '0')

Cookies:
mybbuser - xxxxxxxxxxxx
sid - a83004b464706b0dcc4821378dd32764 (this SID is used in second query)

And as far as I remember it was always like this :/ (since MyBB 1.1.4?). User is properly logged - he do not see any problems. But his session is restarting after every GET request (have not tried POST request).


MyBB settings:
Cookie Domain - empty
Cookie Path - /
Use GZip Page Compression? - Off (server uses output_buffering with zlib)

Need some more information?




Update:
1. After deleting user's cookie sid and users sessions from database the session is properly set up (sid from cookie = sid in DB).
2. But in a few moments it goes back - session in cookie is different then session in DB and this cookie is not updated.

Hmmm... seems that the problem lays here (file: class_session.php):
		// As a token of our appreciation for getting this far, give the user a cookie
		if(!$_COOKIE['sid'] && $this->sid) // Koziolek - But we have a cookie with bad sid :/
		{
			my_setcookie("sid", $this->sid, -1, true);
		}
REPLACE WITH:
		// As a token of our appreciation for getting this far, give the user a cookie
		if((!$_COOKIE['sid'] || !$session['sid']) && $this->sid)
		{
			// User's cookie does not exists or it is bad
			my_setcookie("sid", $this->sid, -1, true);
		}
www.kozik.net.pl
- So... Maybe you shouldn't have hacked it.
- And why don't you try not breathing. Hurts, dunnit. (userfriendly.org)
#2
This bug has been fixed in the latest code.

Please note the latest code is not live on the site or for download. An update will be released which contains this fix.
#3
Can you post here a proper patch (if it is different then mine)?
www.kozik.net.pl
- So... Maybe you shouldn't have hacked it.
- And why don't you try not breathing. Hurts, dunnit. (userfriendly.org)
#4
I also found this bug in MyBB 1.2.3 as I'm working on MKPortal. Another way to fix is just disable or delete :

		// As a token of our appreciation for getting this far, give the user a cookie
		if(!$_COOKIE['sid'] && $this->sid)
		{
//			my_setcookie("sid", $this->sid, $mybb->settings['sessiontimeout'], true);
			my_setcookie("sid", $this->sid, -1, true);
		}


and ADD at the end of function create_session($uid=0):
my_setcookie("sid", $this->sid, -1, true);

Cookie will be set everytime a new session is created.
[Image: vnchannel0.png]

MKP | MKV (EN) | VNC (EN)
#5
koziolek Wrote:Can you post here a proper patch (if it is different then mine)?

It's the same as yours.
#6
Tikitiki

if((!$_COOKIE['sid'] || !$session['sid']) && $this->sid)

this line is same thing that caused me and others to get banned via PHP 5

I just added that and I am banned on my php 5 mybb
#7
That code has NOTHING to do with banning.
#8
Will78, my patch is being used on server with PHP 5... If it has an error please say something more...
www.kozik.net.pl
- So... Maybe you shouldn't have hacked it.
- And why don't you try not breathing. Hurts, dunnit. (userfriendly.org)
#9
all my members that are root admins are now banned

soon as I revert this edit all is back to normal

Tikitiki yes it has plenty as I got the old file here where you edited it and sent me that that was the EXACT line you changed to unban me
#10
No it doesn't.


Forum Jump:


Users browsing this thread: 1 Guest(s)