ID: 14766
Project: Bug reports
Category: Authentication
View Status: public
Last Update: 2020-05-19 11:44
Reporter: voteref
Assigned To: c_schmitz
Priority: high
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 3.17.x
Fixed in Version: 3.20.x
Summary: 14766: Limesurvey doesn't correctly handle multiple PHPSESSID cookies
Description

Hello,

On one of my browsers, I suddenly became unable to log into limesurvey, and trying to answer a survey invariably led, with that same browser, to an error message stating that my session had expired.

I found out that on that browser, I had a PHPSESSID cookie set by my self-hosted limesurvey instance (let's say that its domain name is limesurvey.mydomain.org), and another PHPSESSID cookie set by another website, but associated with the higher level domain name "mydomain.org", and having "/" as its path.

When accessing my limesurvey instance after visiting the other website, the browser sends both cookies, which is the expected behaviour per RFC6265 (https://tools.ietf.org/html/rfc6265).

After deleting the PHPSESSID cookie associated with the "mydomain.org" domain, the behaviour of limesurvey is back to normal.

So, it looks like limesurvey is mistaking one PHPSESSID cookie for the other. This might be due to the fact that it is not expecting more than 1 PHPSESSID cookie to be sent.

In §4.2.2, RFC6265 states:

"Although cookies are serialized linearly in the Cookie header, servers SHOULD NOT rely upon the serialization order. In particular, if the Cookie header contains two cookies with the same name (e.g., that were set with different Path or Domain attributes), servers SHOULD NOT rely upon the order in which these cookies appear in the header."

It looks like limesurvey's behaviour is somewhat disturbed by the presence of 2 cookies with the same name.

Steps To Reproduce

1) open a session on the limesurvey instance (this sets a PHPSESSID cookie associated with limesurvey.mydomain.org);
2) using the developer tools on Chrome or Firefox (or by any other appropriate means), add a "PHPSESSID" cookie associated with the domain name just above the limesurvey instance, so here "mydomain.org", and "/" as the path;
3) logout from the limesurvey instance;
4) try to log back in (it should fail).

Additional Information

There is an easy workaround: in "config.php", just tell limesurvey to use another name for its session cookie, via the following code snippet:

'session' => array(
    // custom session cookie name, so the instance no longer shares "PHPSESSID" with other sites
    'sessionName' => "MyOwnPrivateCookieName",
),
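An added example, not code from this ticket or from the LimeSurvey project, showing why a server that keeps only one value per cookie name ends up with an arbitrary session id in the situation described above, and a check that spots the duplicate-name condition; the Cookie header strings and cookie values are constructed.

```python
# Added example (not LimeSurvey code): parse a Cookie header as RFC 6265 section 4.2.2
# expects, keeping every value for a name, beside the "collapsing" behaviour that
# makes a second PHPSESSID cookie shadow the real session. All values are constructed.

def parse_cookie_header(header: str) -> dict[str, list[str]]:
    """Map cookie name -> all values sent, in wire order, dropping none."""
    cookies: dict[str, list[str]] = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if not sep or not name:
            continue  # skip empty or malformed cookie-pair
        cookies.setdefault(name.strip(), []).append(value.strip())
    return cookies


def collapse_cookies(header: str, first_wins: bool) -> dict[str, str]:
    """Model a server that keeps one value per name; which one it keeps is arbitrary."""
    collapsed: dict[str, str] = {}
    for name, values in parse_cookie_header(header).items():
        collapsed[name] = values[0] if first_wins else values[-1]
    return collapsed


def colliding_session_cookies(header: str, session_name: str = "PHPSESSID") -> list[str]:
    """Return all values of the session cookie when more than one was sent.

    An empty list means no collision. A non-empty list is the ticket's scenario:
    one cookie scoped to limesurvey.mydomain.org and one scoped to mydomain.org,
    both named PHPSESSID, arriving in the same request.
    """
    values = parse_cookie_header(header).get(session_name, [])
    return values if len(values) > 1 else []


# Constructed headers: what the browser sends in the bug scenario, and what it
# sends after the config.php workaround renames LimeSurvey's session cookie.
COLLIDING_HEADER = "PHPSESSID=lime111; PHPSESSID=other222; lang=fr"
RENAMED_HEADER = "MyOwnPrivateCookieName=lime111; PHPSESSID=other222; lang=fr"

if __name__ == "__main__":
    print(parse_cookie_header(COLLIDING_HEADER))
    print(collapse_cookies(COLLIDING_HEADER, first_wins=True))
    print(collapse_cookies(COLLIDING_HEADER, first_wins=False))
    print(colliding_session_cookies(COLLIDING_HEADER))
    print(colliding_session_cookies(RENAMED_HEADER, "MyOwnPrivateCookieName"))
```

Whichever value the collapsing parser picks, it is the other site's cookie half the time, which is exactly the "session expired" symptom the report describes.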

Tags: No tags attached.
Bug heat: 18
Complete LimeSurvey version number (& build): 3.17.1+190408
I will donate to the project if issue is resolved: Yes
Browser: Chrome 73
Database type & version: MySQL 5.7.25
Server OS (if known): Ubuntu 18.04
Webserver software & version (if known): Apache 2.4.29
PHP Version: 7.2

Relationships

related to 14769 (closed, c_schmitz, Bug reports): missing cookie attribute

Users monitoring this issue

DenisChenu, voteref, somako

Activities

cdorin (reporter), 2019-04-11 17:21, ~51443

Thank you for reporting it. We will further investigate it.

jelo (partner), 2019-04-12 11:24, ~51453
Last edited: 2019-04-12 11:28

I would be surprised to see a change here.
https://www.limesurvey.org/forum/development/113910-cookies-sessions-why-is-limesurvey-using-the-default-sessionname

LouisGac (developer), 2019-04-12 11:39, ~51455

We could at least do it on LimeSurvey Pro.
Carsten, an opinion on this one?

jelo (partner), 2019-04-12 11:41, ~51456

The random setup of a cookie/session name is mentioned in the LS hardening ticket.
https://bugs.limesurvey.org/view.php?id=14621#c51047

cdorin (reporter), 2019-07-15 12:38, ~52882

tag @c_schmitz

DenisChenu (developer), 2019-07-15 15:43, ~52885

Since it can be done in config.php, I think we must create a random one at install.

LouisGac (developer), 2019-07-18 13:01, ~52923

I go with Denis.

DenisChenu (developer), 2019-07-18 13:48, ~52924

@LouisGac: it's in project … but didn't start on install currently ;)
With allowing setting another dir for runtime :)

But I want to have a config-base.php file to be copied/updated. Easier for us to update and add new features at install …

c_schmitz (administrator), 2019-11-11 14:53, ~54517

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29229

lime_release_bot (administrator), 2019-11-14 17:40, ~54589

Fixed in Release 3.20.1+191114

Related Changesets

LimeSurvey: master 9dd11ec3
2019-11-11 15:52
c_schmitz

Fixed issue 14766: Possible collision with PHPSESSID cookies on the same domain
Affected Issues: 14766
mod - application/controllers/InstallerController.php

Issue History

Date Modified Username Field Change
2019-04-10 21:54 voteref New Issue
2019-04-11 11:57 voteref Issue Monitored: voteref
2019-04-11 17:21 cdorin Assigned To => LouisGac
2019-04-11 17:21 cdorin Priority none => normal
2019-04-11 17:21 cdorin Status new => acknowledged
2019-04-11 17:21 cdorin Note Added: 51443
2019-04-11 17:24 cdorin Priority normal => high
2019-04-12 11:24 jelo Note Added: 51453
2019-04-12 11:28 jelo Note Edited: 51453
2019-04-12 11:39 LouisGac Note Added: 51455
2019-04-12 11:39 LouisGac Assigned To LouisGac => c_schmitz
2019-04-12 11:41 jelo Note Added: 51456
2019-04-12 12:50 DenisChenu Relationship added related to 14769
2019-07-15 12:38 cdorin Note Added: 52882
2019-07-15 15:43 DenisChenu Issue Monitored: DenisChenu
2019-07-15 15:43 DenisChenu Note Added: 52885
2019-07-18 13:01 LouisGac Note Added: 52923
2019-07-18 13:48 DenisChenu Note Added: 52924
2019-09-23 12:18 c_schmitz Status acknowledged => confirmed
2019-11-11 14:53 c_schmitz Changeset attached => LimeSurvey master 9dd11ec3
2019-11-11 14:53 c_schmitz Note Added: 54517
2019-11-11 14:53 c_schmitz Resolution open => fixed
2019-11-11 14:59 c_schmitz Status confirmed => resolved
2019-11-11 14:59 c_schmitz Fixed in Version => 3.20.x
2019-11-14 17:40 lime_release_bot Note Added: 54589
2019-11-14 17:40 lime_release_bot Status resolved => closed
2020-05-19 11:44 somako Issue Monitored: somako