Sessions are not persisted across restarts #2134

Open
provokateurin opened this issue Jun 6, 2024 · 0 comments
provokateurin commented Jun 6, 2024

Related to #1492

I have an endpoint that remembers the last password confirmation. It works just fine if you call the endpoint, confirm the password and then retry. On subsequent tries you never have to confirm again, so the server knows the session is "good". After restarting the app you always have to confirm the password again after the first try. This could also come down to the way PHP tracks sessions, but I wouldn't know how it identifies the session other than with the cookies. From a quick check with Wireshark it seems the oc_sessionPassphrase is the same across restarts, but there is another one which has the instance id as the key, and that one changed across restarts. Looking into the cookies db it seems both have the same settings:

account,name,value,expiry-time,domain,path,creation-time,last-access-time,persistent-flag,host-only-flag,secure-only-flag,http-only-flag
ea8e7a33e80de9ad197e9972c3727987949cecad,oc_sessionPassphrase,ub9DznO0SM%2FqKP%2B4raxIWiutoBkssI4nq%2FZ3bYACkmxpdFdFkO8cmfBQtg5UzlTKhyHBhvWCSlpj8ICc1DsoHmjFcStZMXLDUK%2F9Q3bSpkIspHSJ7S4Y8gQexjMjdfR0,8640000000000,localhost,/,1717332510,1717661533,0,1,0,1
ea8e7a33e80de9ad197e9972c3727987949cecad,nc_sameSiteCookielax,true,4133980799,localhost,/,1717332510,1717661533,1,1,0,1
ea8e7a33e80de9ad197e9972c3727987949cecad,nc_sameSiteCookiestrict,true,4133980799,localhost,/,1717332510,1717661533,1,1,0,1
ea8e7a33e80de9ad197e9972c3727987949cecad,oct0eepa9jdv,de37152d76b7e6707e566891adfa6125,8640000000000,localhost,/,1717332510,1717661533,0,1,0,1

I also checked with Wireshark what happens on app restart, and in the beginning we send all the correct cookies from the previous "session", but after a few requests the cookie with the instance id as key gets a new value assigned. This doesn't happen just once, but even multiple times (might also be some race condition with the network requests though). This basically rules out that our cookie handling is wrong.
So I'll probably have to dig into the server to figure out under which conditions a new value is assigned to the cookie and how to prevent it. I hope that will make this work so the password confirmation is saved across restarts (although I don't consider it as problematic as it doesn't cause any trouble and you're also not entering the password confirmation in too many places anyway).

@provokateurin provokateurin added the needs info Further information is requested label Jun 6, 2024
@provokateurin provokateurin self-assigned this Jun 6, 2024
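
One way to pin down which cookie changes across a restart, as an added example that is not part of the original issue or the project's code: it parses two exports of the cookie table in the column layout shown above, reports cookies whose value changed, and lists those stored with persistent-flag 0 (in RFC 6265's storage model, a cookie set without Expires or Max-Age). The two exports, the `acct1` account id and all cookie values are constructed; only the column names and cookie names come from the issue.

```python
import csv
import io

# Column layout copied from the cookie table export shown in the issue.
HEADER = ("account,name,value,expiry-time,domain,path,creation-time,"
          "last-access-time,persistent-flag,host-only-flag,"
          "secure-only-flag,http-only-flag")

# Constructed sample exports: values are made up, not taken from a real client.
BEFORE_RESTART = HEADER + """
acct1,oc_sessionPassphrase,PASSPHRASE-A,8640000000000,localhost,/,1717332510,1717661533,0,1,0,1
acct1,nc_sameSiteCookielax,true,4133980799,localhost,/,1717332510,1717661533,1,1,0,1
acct1,oct0eepa9jdv,SESSION-ID-1,8640000000000,localhost,/,1717332510,1717661533,0,1,0,1
"""
AFTER_RESTART = HEADER + """
acct1,oc_sessionPassphrase,PASSPHRASE-A,8640000000000,localhost,/,1717332510,1717661790,0,1,0,1
acct1,nc_sameSiteCookielax,true,4133980799,localhost,/,1717332510,1717661790,1,1,0,1
acct1,oct0eepa9jdv,SESSION-ID-2,8640000000000,localhost,/,1717332510,1717661790,0,1,0,1
"""


def load(export):
    """Index rows by the cookie's identity: (account, domain, path, name)."""
    rows = csv.DictReader(io.StringIO(export.strip()))
    return {(r["account"], r["domain"], r["path"], r["name"]): r for r in rows}


def session_cookies(export):
    """Names of cookies stored with persistent-flag 0 (no Expires/Max-Age)."""
    return sorted(r["name"] for r in load(export).values()
                  if r["persistent-flag"] == "0")


def diff(before, after):
    """Return (changed, dropped, added) cookie names between two exports."""
    old, new = load(before), load(after)
    changed = sorted(k[3] for k in old.keys() & new.keys()
                     if old[k]["value"] != new[k]["value"])
    dropped = sorted(k[3] for k in old.keys() - new.keys())
    added = sorted(k[3] for k in new.keys() - old.keys())
    return changed, dropped, added


if __name__ == "__main__":
    changed, dropped, added = diff(BEFORE_RESTART, AFTER_RESTART)
    print("value changed:", changed)
    print("dropped:", dropped, "added:", added)
    print("session cookies:", session_cookies(AFTER_RESTART))
```

A cookie that shows up under "value changed" while still present in both exports was re-issued by the server rather than lost by the client's cookie store.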