Bug #2283

closed

J1.6 : Session expired bug

Added by beat over 10 years ago. Updated over 10 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Start date: 03 February 2011
Due date:
% Done: 100%
Estimated time: 6:00 h

Description

As reported here:
http://www.joomlapolis.com/forum/153-professional-member-support/152956-cb-14-joscoreaclaro-not-there-names-gone

There seems to be a time/timezone session issue in Joomla 1.6.

If you comment on this thread with additional information, please make sure to include the following information for the session expired issue:

  1. At which time of day does that happen (in your local browser timezone)?
  2. What is your local browser timezone? (UTC+?)
  3. What is the timezone of your server location, and its timezone setting?
  4. What are the offset and offset_user settings in configuration.php?

Files

2283.patch (948 Bytes) krileon, 04 February 2011 22:07
2283a.patch (1014 Bytes) krileon, 11 February 2011 23:51
2283b.patch (613 Bytes) krileon, 11 February 2011 23:51
2283c.patch (2.17 KB) krileon, 11 February 2011 23:51
2283d.patch (1.16 KB) krileon, 11 February 2011 23:51
2283e.patch (1.4 KB) krileon, 11 February 2011 23:51
Actions #1

Updated by krileon over 10 years ago

  • Assignee set to krileon

Related issue at following thread.

http://www.joomlapolis.com/forum/153-professional-member-support/152845-2283-joomla-16--cb-14-login-problem#152845

Definitely seems date/time related during session/cookie comparison.

Actions #2

Updated by krileon over 10 years ago

$_CB_framework->getCfg( 'offset' ) in Joomla 1.6 does not return the actual offset. This is throwing off all datetimes and times significantly. Within Joomla 1.5.x for example "-5" is returned, but in Joomla 1.6.x "UTC" is returned.

Actions #3

Updated by krileon over 10 years ago

  • File 2283.patch 2283.patch added
  • Assignee changed from krileon to beat
  • % Done changed from 0 to 50

Added new case (with fall through so doesn't affect other CMS) to translate timezone to offset. Don't know if this exactly will fix the session issue, but it should cause their datetimes to match up MUCH better than before.

Actions #4

Updated by beat over 10 years ago

  • Status changed from New to Assigned
  • Assignee changed from beat to krileon

r1422 implements first part of fix : timezone was returned as region instead of number on joomla 1.6:

as suggested with following differences:

  • Comment "NO break; on purpose for fall-through on other CMS:" is not correct, fall-through is not needed, as there is a break below anyway, it's better for phplint to avoid fallthroughs
  • not sure that all php versions do optimize /60/60 into /3600, so let's do the math ourselves.
  • added caching for the result in static var.

However, the session issue will still be there if timezone is set incorrectly, compared to server's timezone.

Kyle,
Please try doing following:

Edit plugin_foundation.php and return an offset of 25 !!!

Then see if session bug appears.

That will help find and fix that one.
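
The setting translation discussed in comments #2 to #4, as an added example that is not the code from 2283.patch or r1422: it accepts either a numeric offset (the Joomla 1.5 form, such as "-5") or a timezone identifier (the Joomla 1.6 form, such as "UTC") and returns hours from UTC. The function name `offsetSettingToHours` and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not the project's own implementation.
// Normalizes a CMS 'offset' setting to a numeric hour offset from UTC so that
// session and cookie timestamps are compared on the same time base.
function offsetSettingToHours($setting, ?DateTime $at = null)
{
    // Cache the parsed zone per identifier; the offset itself is recomputed
    // on every call because it changes when daylight saving time starts or ends.
    static $zones = array();

    // Numeric settings (Joomla 1.5 style) are already an hour offset.
    if (is_numeric($setting)) {
        return (float) $setting;
    }

    if (!array_key_exists($setting, $zones)) {
        try {
            $zones[$setting] = new DateTimeZone($setting);
        } catch (Exception $e) {
            // Unknown identifier: remember the failure and fall back to UTC.
            $zones[$setting] = null;
        }
    }
    if ($zones[$setting] === null) {
        return 0.0;
    }

    if ($at === null) {
        $at = new DateTime('now', new DateTimeZone('UTC'));
    }

    // getOffset() returns seconds east of UTC at the given instant.
    return (float) ($zones[$setting]->getOffset($at) / 3600);
}

// Constructed sample inputs, not taken from any real configuration.php.
$utc    = new DateTimeZone('UTC');
$winter = new DateTime('2011-02-03 12:00:00', $utc);
$summer = new DateTime('2011-07-03 12:00:00', $utc);

foreach (array('-5', 'UTC', 'America/New_York', 'Not/AZone') as $setting) {
    printf("%-18s winter=%+.1f summer=%+.1f\n", $setting,
        offsetSettingToHours($setting, $winter),
        offsetSettingToHours($setting, $summer));
}
```

A region identifier can give a different offset in winter and in summer, so a single offset cached for longer than one request can be stale after a daylight saving change.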

Actions #5

Updated by krileon over 10 years ago

  • Assignee changed from krileon to beat

Was never able to duplicate even with an offset of 25. Perhaps it is a Linux-based issue? Am operating on a Windows server (localhost).

Actions #6

Updated by beat over 10 years ago

  • Assignee changed from beat to krileon
Actions #7

Updated by krileon over 10 years ago

  • Status changed from Assigned to Feedback
  • Assignee changed from krileon to beat

Could not confirm even on Linux based install. Can be tested at http://cb14.tafix.com/ where I have completely removed the offset fix. Could not duplicate. After waiting designated times the session issue never happened. At time of expiration of session I was simply logged out, no error. Logging back in presented no error either.

Actions #8

Updated by krileon over 10 years ago

Spoof checking not entirely compatible with all browsers, hosts, or installs. Too easy to conflict. Patches will turn the spoof checking into a parameter allowing admin to determine its usage. Default is now also disabled for best compatibility and stability.

Actions #9

Updated by beat over 10 years ago

  • Status changed from Resolved to Closed

Implemented as suggested in r1441 : Setting to disable spoofing protection if needed by bad server config

But set default to 1 and not to 0, as otherwise existing installations might experience much more spam.
