View Issue Details
|ID|Project|Category|View Status|Date Submitted|Last Update|
|14766|Bug reports|Authentication|public|2019-04-10 21:54|2020-05-19 11:44|
Fixed in Version: 3.20.x
Summary: 14766: Limesurvey doesn't correctly handle multiple PHPSESSID cookies
Description:
On one of my browsers, I suddenly became unable to log into limesurvey, and trying to answer a survey invariably led, with that same browser, to an error message stating that my session had expired.
I found out that on that browser, I had a PHPSESSID cookie set by my self-hosted limesurvey instance (let's say that its domain name is limesurvey.mydomain.org), *and* another PHPSESSID cookie set by another website, but associated with the higher level domain name "mydomain.org", and having "/" as its path.
When accessing my limesurvey instance after visiting the other website, the browser sends both cookies, which is the expected behaviour per RFC6265 (https://tools.ietf.org/html/rfc6265).
After deleting the PHPSESSID cookie associated with the "mydomain.org" domain, the behaviour of limesurvey is back to normal.
So, it looks like limesurvey is mistaking one PHPSESSID cookie for the other. This might be due to the fact that it is not expecting more than 1 PHPSESSID cookie to be sent.
In §4.2.2, RFC6265 states:
"Although cookies are serialized linearly in the Cookie header, servers SHOULD NOT rely upon the serialization order. In particular, if the Cookie header contains two cookies with the same name (e.g., that were set with different Path or Domain attributes), servers SHOULD NOT rely upon the order in which these cookies appear in the header."
It looks like limesurvey's behaviour is somewhat disturbed by the presence of 2 cookies with the same name.
Steps To Reproduce:
1) open a session on the limesurvey instance (this sets a PHPSESSID cookie associated with limesurvey.mydomain.org);
2) using the developer tools on Chrome or Firefox (or by any other appropriate means), add a "PHPSESSID" cookie associated with the domain name just above the limesurvey instance, so here "mydomain.org", and "/" as the path;
3) logout from the limesurvey instance;
4) try to log back in (it should fail).
Additional Information: There is an easy workaround: in "config.php", just tell limesurvey to use another name for its session cookie, via the following code snippet:

    'session' => array(
        'sessionName' => "MyOwnPrivateCookieName",
    ),
Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.17.1+190408
I will donate to the project if issue is resolved: Yes
Database & DB-Version: MySQL 5.7.25
Server OS (if known): Ubuntu 18.04
Webserver software & version (if known): Apache 2.4.29
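As an added example (not code from the report, and not LimeSurvey's own code), the following PHP script parses the raw Cookie header to spot the situation described above, where two same-named cookies reach the server, and includes a one-off generator for the per-install session name that the workaround relies on. PHP populates $_COOKIE from the first occurrence of a duplicated name, so the application never sees the second value; only the raw header shows both. The script assumes nothing beyond PHP 7 and the standard $_SERVER['HTTP_COOKIE'] superglobal; the sample header, the cookie values and the "LS" name prefix are constructed for the illustration.

```php
<?php
// Added example (not LimeSurvey code). Assumes only PHP >= 7.0 and the standard
// $_SERVER['HTTP_COOKIE'] superglobal; the sample header below is constructed.
declare(strict_types=1);

/**
 * Parse a raw Cookie header into an ordered list of [name, value] pairs.
 * Unlike $_COOKIE this keeps every occurrence of a duplicated name.
 * Values are left as sent (PHP would additionally URL-decode them for $_COOKIE).
 */
function parseCookieHeader(string $header): array
{
    $pairs = [];
    foreach (explode(';', $header) as $chunk) {
        $eq = strpos($chunk, '=');
        if ($eq === false) {
            continue;                       // no "=": not a cookie-pair, ignore it
        }
        $name  = trim(substr($chunk, 0, $eq));
        $value = trim(substr($chunk, $eq + 1));
        if ($name === '') {
            continue;
        }
        $pairs[] = [$name, $value];
    }
    return $pairs;
}

/**
 * Map each duplicated cookie name to the list of values that were sent for it.
 */
function duplicatedCookies(array $pairs): array
{
    $byName = [];
    foreach ($pairs as $pair) {
        $byName[$pair[0]][] = $pair[1];
    }
    return array_filter($byName, function (array $values) {
        return count($values) > 1;
    });
}

/**
 * One-off generator for a per-install session cookie name. Run it once and paste
 * the literal result into config.php: evaluating random_bytes() inside config.php
 * would pick a new name on every request and lose every session.
 */
function generateSessionName(): string
{
    // "LS" prefix is an assumption for this example; it also guarantees at least
    // one letter, since PHP rejects a session name consisting only of digits.
    return 'LS' . bin2hex(random_bytes(8));
}

// Constructed header matching the report: the parent-domain cookie happens to be
// serialised first, so $_COOKIE['PHPSESSID'] would hold the wrong session id.
$header = $_SERVER['HTTP_COOKIE']
    ?? 'PHPSESSID=2f6c9parentdomain; PHPSESSID=7e1a0limesurvey; lang=en';

foreach (duplicatedCookies(parseCookieHeader($header)) as $name => $values) {
    error_log(sprintf(
        'cookie "%s" was sent %d times (%s); PHP exposes only the first in $_COOKIE',
        $name, count($values), implode(', ', $values)
    ));
}

// Config line to paste into config.php, in the same shape as the reporter's workaround.
printf("'session' => array('sessionName' => '%s'),\n", generateSessionName());
```

The generated name must be stored as a literal in config.php, not computed at runtime. Scoping the instance's own cookie to a narrower path and an explicit domain does not remove the problem either: a cookie set for mydomain.org is sent to every host below it regardless of how the instance scopes its own, so only a name that no sibling site uses avoids the collision.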
Thank you for reporting it. We will further investigate it.
I would be surprised to see a change here.
We could at least do it on limesurvey pro.
Carsten, an opinion on this one?
The random setup of a cookie/session name is mentioned in the LS hardening ticket.
Since it can be done in config.php, I think we must create a random one at install.
I go with Denis.
Along with allowing another dir to be set for runtime :)
But I want to have a config-base.php file to be copied/updated. Easier for us to update and add new features at install …
Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29229
Fixed in Release 3.20.1+191114
|Date Modified|Username|Field|Change|
|2019-04-10 21:54|voteref|New Issue||
|2019-04-11 17:21|cdorin|Assigned To|=> LouisGac|
|2019-04-11 17:21|cdorin|Priority|none => normal|
|2019-04-11 17:21|cdorin|Status|new => acknowledged|
|2019-04-11 17:21|cdorin|Note Added: 51443||
|2019-04-11 17:24|cdorin|Priority|normal => high|
|2019-04-12 11:24|jelo|Note Added: 51453||
|2019-04-12 11:28|jelo|Note Edited: 51453||
|||Note Added: 51455||
|||Assigned To|LouisGac => c_schmitz|
|2019-04-12 11:41|jelo|Note Added: 51456||
|2019-04-12 12:49|DenisChenu|Relationship added|related to 14772|
|2019-04-12 12:50|DenisChenu|Relationship added|related to 14769|
|2019-07-15 12:38|cdorin|Note Added: 52882||
|2019-07-15 15:43|DenisChenu|Note Added: 52885||
|||Note Added: 52923||
|2019-07-18 13:48|DenisChenu|Note Added: 52924||
|2019-09-23 12:18|c_schmitz|Status|acknowledged => confirmed|
|2019-11-11 14:53|c_schmitz|Changeset attached|=> LimeSurvey master 9dd11ec3|
|2019-11-11 14:53|c_schmitz|Note Added: 54517||
|2019-11-11 14:53|c_schmitz|Resolution|open => fixed|
|2019-11-11 14:59|c_schmitz|Status|confirmed => resolved|
|2019-11-11 14:59|c_schmitz|Fixed in Version|=> 3.20.x|
|2019-11-14 17:40|lime_release_bot|Note Added: 54589||
|2019-11-14 17:40|lime_release_bot|Status|resolved => closed|