Serendipity is now saving your entry...

garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Post by garvinhicking »

Hi!

> According to the config, session files should go to /var/lib/php5. Sometimes there is no session file when I log into the admin area; I guess there should always be a session file after login, right?

Exactly. Right after the login, a file needs to exist with the Session ID that your client browser gets set as a Session Cookie.

If you say sometimes sessions are written and sometimes not, that sounds hard to reproduce. Could it be a browser problem? Please try to find out what causes the file to exist, and when it doesn't exist.

Remember that additional authentication methods like ".htaccess" can disturb the login. Also make sure to clear your cookies to exclude any problems coming from the browser.

Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
o.h1
Posts: 4
Joined: Tue May 29, 2007 4:53 pm

Post by o.h1 »

As said, the PHP session is destroyed when I log out through the logout link, but after that I can enter the admin area without a new login.

And now I'm in the admin area without a valid PHP session; everything seems to work unless I try to modify data (like editing a user account, or posting an entry).

The login code should detect that the user logged out and that the browser cookie is not valid for a login anymore, right?

TIA,
Oliver
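
The check discussed in the posts above (a session file must exist for the session ID the browser holds in its cookie, and none should remain after logout), as an added shell example that is not part of the original thread or of Serendipity's code. It assumes PHP's default file session handler, which names files `sess_<id>`; the function names are hypothetical, and the cookie name is a parameter (PHPSESSID is PHP's default, the name your installation uses must be checked).

```shell
#!/bin/sh
# Added example: correlate a browser session cookie with PHP's file-based
# session store. Assumes the "files" save handler (files named sess_<id>).

# Print the value of cookie $2 from a raw Cookie header value $1.
cookie_value() {
    printf '%s\n' "$1" | tr ';' '\n' | while read -r pair; do
        case "$pair" in
            "$2="*) printf '%s\n' "${pair#*=}"; break ;;
        esac
    done
}

# Print invalid | missing | present for session id $1 in directory $2.
session_state() {
    sid=$1
    dir=${2:-/var/lib/php5}
    # The files handler only accepts a-z A-Z 0-9 , and - in an id;
    # rejecting everything else also blocks ids such as ../../etc/passwd.
    case "$sid" in
        ''|*[!A-Za-z0-9,-]*) echo invalid; return 0 ;;
    esac
    if [ -f "$dir/sess_$sid" ]; then echo present; else echo missing; fi
}

# Verdict for a Cookie header: $1 = header value, $2 = cookie name
# (assumed default PHPSESSID), $3 = session directory.
check_cookie() {
    sid=$(cookie_value "$1" "${2:-PHPSESSID}")
    [ -n "$sid" ] || { echo no-cookie; return 0; }
    session_state "$sid" "$3"
}

# Constructed demo: a temporary directory stands in for /var/lib/php5.
demo_dir=$(mktemp -d)
: > "$demo_dir/sess_abc123"
check_cookie 'lang=de; PHPSESSID=abc123' PHPSESSID "$demo_dir"   # present
rm "$demo_dir/sess_abc123"   # simulate the session being destroyed at logout
check_cookie 'lang=de; PHPSESSID=abc123' PHPSESSID "$demo_dir"   # missing
rmdir "$demo_dir"
```

A cookie that reports `missing` refers to a session the server no longer holds, so any admin page still rendered for it is being authorized by something other than the PHP session.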
garvinhicking

Post by garvinhicking »

Hi!

When you are "logged out" but still have the session cookie, which HTTP headers does your browser send to Serendipity (check a tool like LiveHTTPHeaders for Firefox)?

Do you maybe use your blog on a domain like "localhost"? That can cause cookie issues on some browser configurations.

Also please check which HTTP headers the s9y installation sends when you click on "Logout".

Which event plugins do you have installed? Some might mess with the session/cookie lookup, like the htaccess or externalauth plugins.

Regards,
Garvin
o.h1

Post by o.h1 »

> When you are "logged out" but still have the session cookie, which HTTP headers does your browser send to Serendipity (check a tool like LiveHTTPHeaders for Firefox)?

I cannot reproduce the problem right now since I cleared my cookie cache :-( But I suspect it will happen again, as I was only trying to reproduce a problem a user reported.

> Do you maybe use your blog on a domain like "localhost"? That can cause cookie issues on some browser configurations.

No, it's a real-world domain.

In my understanding of app security the app should check if the session is still valid, so after the session is destroyed it should not display the admin area, no matter what headers were sent by the client. The only exception would be if the post data contains valid login credentials, because then a new auth session is established.

> Also please check which HTTP headers the s9y installation sends when you click on "Logout".

As soon as I can reproduce it.

> Which event plugins do you have installed? Some might mess with the session/cookie lookup, like the htaccess or externalauth plugins.

* Text formatting: Serendipity
* Text formatting: Smilies
* Text formatting: NL2BR
* Browser compatibility
* Spam protection

So there should be no problem with that, right?

I will report if the problem happens again, thanks so far!
garvinhicking

Post by garvinhicking »

Hi!

Are you sure you're using s9y 1.1.2 and not the 1.2 versions? I was just able to reproduce it in 1.2 and fixed it there; but the reason for this should only be in the 1.2 snapshots, not in the stable 1.1 branch?

Best regards,
Garvin