Closed Bug 458763 Opened 11 years ago Closed 11 years ago
Session IDs are not being preserved across requests
Also see bug 455516. Same error through different means.
AMO's session IDs are not being preserved across requests. As far as I can tell, this is not related to the user deletion code. It seems to occur particularly often with JS disabled, but if bug 455516 is related, it happens with JS on as well. If you debug() the output of session_id() and reload the page, you will notice that it changes on almost every request (for me, on almost every reload with JS off, on about every tenth reload with JS on). Consequently, the CSRF code throws an error when a POST form is submitted. CCing both Wil and Ryan, who have patched Cake's session code a while ago, and may remember something that could help us figure out the cause of this?
Assignee: fwenzel → nobody
No longer blocks: 432614
Another observation: This phenomenon does not seem to lead to a logout of the user (otherwise we'd have noticed it decades ago) -- that means, the cookie sent by the browser is analyzed, considered *valid*, and after that, the session ID is regenerated and the new cookie is sent back to the user. In my DB's session table, I notice that the same row is being replaced by a new ID when this occurs. That looks like, instead of spawning *new* sessions over and over, the *same* session persists but constantly receives a newly generated ID.
Laura pointed out that this behavior is intentional, and it is our CSRF check that's broken, because it compares the secret with its supposed value after the session ID is regenerated, not before. If that code is put into cake's session code (cake/lib/session) before the session ID regeneration, the problem will be fixed. Taking bug, marking for 4.0.2.
Assignee: nobody → fwenzel
Target Milestone: --- → 4.0.2
This patch preserves a (legitimately) regenerated session ID and checks against that instead of the new one in the CSRF checking code.
Attachment #342301 - Flags: review?(laura)
Fixed in r18942. Thanks for pointing me into the right direction, Laura!
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.