08384: impossible to have survey session lifetime greater than default PHP value

This bug affects 1 person(s).

ID	Project	Category	View Status	Date Submitted	Last Update

08384	Bug reports	Survey taking	public	2013-11-18 17:25	2013-11-24 19:05

Reporter	abezverkhyy	Assigned To	abezverkhyy
Priority	normal	Severity	partial_block
Status	closed	Resolution	fixed
Product Version	2.05 RC
Target Version	2.05+	Fixed in Version	2.00+

Summary	08384: impossible to have survey session lifetime greater than default PHP value
Description	The global parameter "Session lifetime" sets PHP value session.gc-maxlifetime in the survey pages. At the same time, the administration side of LS uses sessions with default session.gc_maxlifetime value 1440, each time a session is used in the administration, it has a chance (depending on session.gc_probability) of triggering the session garbage collector which will erase all sessions older than the default PHP value. Quote from php.net : "If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data. In this case, use this directive together with session.save_path." http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
Steps To Reproduce	set session.gc_maxlifetime = 120 in order to have very short sessions by default set session.gc_probability = 100 and session.gc_divisor = 100 in order to trigger the bug each time (otherwise it will be random) in LS, set Session lifetime to 7200 seconds open a survey wait for at least 120 seconds do something the admin go back to the survey, your session will be gone although it should have last two hours
Additional Information	I'm not really sure about how to correct this issue, we have several options : have a separate folder for survey sessions, we'll have to set it with session.save_path along with session.gc_maxlifetime set session.gc_maxlifetime to Session lifetime everywhere in LS, even the admin, it must be done before any session_start() call, and it won't protect us from other applications calling session_start() with smaller session.gc_maxlifetime
Tags	No tags attached.

Bug heat	8
Complete LimeSurvey version number (& build)	935b2857c4e7800d4f09303c806d
I will donate to the project if issue is resolved	No
Browser
Database type & version	not relevant
Server OS (if known)	not relevant
Webserver software & version (if known)	Apache 2.4.6-3
PHP Version	PHP 5.5.3+dfsg-1

User List	There are no users monitoring this issue.

sammousa 2013-11-18 20:33 reporter ~27222	Solution 1 sounds good to me, we will need different cookie name too then; but that's not a bad thing in my opinion.

abezverkhyy 2013-11-19 10:29 reporter ~27223	Here is an attempt of a fix : https://github.com/Grapsus/LimeSurvey/commit/aedf007eb639f547c65fd4a24108e8aa38ec2804 Could you see if it fixes the problem for you too and tell me if you see any security issues with this patch ?

DenisChenu 2013-11-19 13:05 developer ~27226 Last edited: 2013-11-19 13:07	I set my session save path in my virtualhost. And save path MUST be inaccessible by http, if we use ls directory : it's accessible by http (and .htaccess can not allways block). Then : if(Yii::app()->getConfig('sessiondir') and is_writable(Yii::app()->getConfig('sessiondir')) only ... ( and explain why sessiondir MUST NOT BE in limesurvey path). And it's not a LS bug, it's a server misconfiguration. PS: I think leave it by default is the good way : the server admin can set session.savepath if needed)

abezverkhyy 2013-11-19 15:54 reporter ~27232 Last edited: 2013-11-19 16:03	After talking to the LS team, here is what was decided for this issue : do not attempt to change save_path in LS, it's way too troublesome only display and use Session lifetime setting when using a DB session, in which case each session has its own expiration time for regular file-based sessions it's up to the server admin to set appropriate PHP ini values Here is the new fix code : https://github.com/Grapsus/LimeSurvey/commit/7cc1842c30bad2b479b6bd46e98b6a6b3ef87ea9

c_schmitz 2013-11-19 16:09 administrator ~27233	Looks good, please don't forget to update the documentation, too.

abezverkhyy 2013-11-21 18:34 reporter ~27303	Fix committed to 2.05 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13485

sammousa 2013-11-22 09:30 reporter ~27308	I don't agree with differing behavior based on the database backend though. In my opinion we should change the session save path to the runtime directory. Which by default is better protected than /tmp anyway. That way we can have 2 folders for sessions: 1 for admin and 1 for survey. Please do not "resolve" this issue but instead confirm and set goal to 2.05+ so we can do a proper fix then. (For now your solution looks ok)

DenisChenu 2013-11-22 09:43 developer ~27309 Last edited: 2013-11-22 09:44	sammousa : the danger is to set a session_save_path inside limesurvey directory. It's a real security issue. I think session_save_path must be managed by server admin and not limesurvey admin. PS: Maybe in config.php only, but not in LS admin web.

c_schmitz 2013-11-22 09:56 administrator ~27310 Last edited: 2013-11-22 10:40	There won't be any changes to session_save_path - it is a really bad idea to give anyone control over that except for the server admin - as it can be a huge security issue (as it has been repeatedly pointed out). I would also not know of any web application seriously changing that.

DenisChenu 2013-11-22 13:57 developer ~27322	Hi, http://phpsec.org/projects/phpsecinfo/tests/save_path.html In a linux web server all files in /tmp have the sticky bit : http://en.wikipedia.org/wiki/Sticky_bit the no probem to leave SESSION here

c_schmitz 2013-11-24 19:05 administrator ~27344	2.00+ Build 131122 released

LimeSurvey: 2.05 00d94e81 2013-11-21 17:33:21 abezverkhyy Details Diff	Fixed issue 08384: impossible to have survey session lifetime greater than default PHP value Dev: Only display and use session lifetime setting when using a DB backend for sessions. Dev: If using regular file-based sessions, it's up to the admin to change php ini values.	Affected Issues 08384
	mod - application/controllers/survey/index.php	Diff File
	mod - application/views/admin/globalSettings_view.php	Diff File

Date Modified	Username	Field	Change
2013-11-18 17:25	abezverkhyy	New Issue
2013-11-18 20:33	sammousa	Note Added: 27222
2013-11-19 10:29	abezverkhyy	Note Added: 27223
2013-11-19 13:05	DenisChenu	Note Added: 27226
2013-11-19 13:07	DenisChenu	Note Edited: 27226
2013-11-19 13:07	DenisChenu	Note Edited: 27226
2013-11-19 15:54	abezverkhyy	Note Added: 27232
2013-11-19 16:03	c_schmitz	Note Edited: 27232
2013-11-19 16:09	c_schmitz	Note Added: 27233
2013-11-19 16:11	c_schmitz	Assigned To	=> abezverkhyy
2013-11-19 16:11	c_schmitz	Status	new => assigned
2013-11-21 18:34	abezverkhyy	Changeset attached	=> LimeSurvey 2.05 00d94e81
2013-11-21 18:34	abezverkhyy	Note Added: 27303
2013-11-21 18:34	abezverkhyy	Resolution	open => fixed
2013-11-22 09:30	sammousa	Note Added: 27308
2013-11-22 09:43	DenisChenu	Note Added: 27309
2013-11-22 09:44	DenisChenu	Note Edited: 27309
2013-11-22 09:56	c_schmitz	Note Added: 27310
2013-11-22 09:56	c_schmitz	Status	assigned => resolved
2013-11-22 09:56	c_schmitz	Fixed in Version	=> 2.00+
2013-11-22 10:40	c_schmitz	Note Edited: 27310
2013-11-22 11:28	c_schmitz	Target Version	=> 2.05+
2013-11-22 13:57	DenisChenu	Note Added: 27322
2013-11-24 19:05	c_schmitz	Note Added: 27344
2013-11-24 19:05	c_schmitz	Status	resolved => closed

View Issue Details

Users monitoring this issue

Activities

Related Changesets

Issue History