User gets "You need to be logged in to view this page" after successful login
Reported by: coldtrick | Owned by:
After a successful login some users got the gatekeeper message "You need to be logged in to view this page". So no wrong username or password.
After days of digging and logging this resulted in the following conclusion.
On some browsers (mostly IE8 in our case) the session cookie was updated too late (or not at all) on the client side. When arriving on the page (after a successful login) the session id of Elgg does not match the session id in the cookie and therefore you are not logged in.
This behaviour is caused by the session_regenerate_id function in the login function. You can read about these issues in the comments on this function (http://php.net/manual/en/function.session-regenerate-id.php).
I don't consider this a bug as it prevents Session Fixation (http://en.wikipedia.org/wiki/Session_fixation). I just report this here so it may benefit others.
Our client decided to drop this extra security feature so all users had no issues logging in. There were extra security measures in place that should prevent unwanted site usage.
If you decide to disable this session_regenerate_id function in the Elgg login function, I strongly advise adding the following to your .htaccess (or php.ini):
php.ini: session.use_only_cookies = 1
.htaccess (mod_php): php_value session.use_only_cookies 1
This also makes session fixation harder: http://www.php.net/manual/en/session.configuration.php#ini.session.use-only-cookies
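Dropping session_regenerate_id is not the only way out of the race described above. The PHP manual (on the session_regenerate_id and session_create_id pages) documents a pattern that keeps the fixation mitigation and still copes with a browser that presents the old cookie for a short while after login: the pre-login session is not destroyed but stamped as retired and pointed at its successor, so a late request is switched to the new session instead of being treated as logged out. The code below is an added example of that pattern, not Elgg code and not the ticket author's; it assumes PHP 7.1 or later (for session_create_id) with the default session handler, and the names GRACE_SECONDS, app_session_start(), login_user() and current_user_id() are this example's own.

```php
<?php
// Added example, not Elgg code: session id regeneration at login that tolerates a
// client whose cookie is updated late, following the pattern from the PHP manual.
// Assumes PHP >= 7.1 and the default file session handler.

ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
ini_set('session.cookie_httponly', '1');

// How long a retired (pre-login) id may still be followed to its successor.
// Keep this short: during the window a planted pre-login id is followed too.
const GRACE_SECONDS = 60;

function app_session_start(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Request arrived with an id that login_user() has already retired.
    if (isset($_SESSION['retired_at'], $_SESSION['successor_id'])) {
        if (time() - $_SESSION['retired_at'] > GRACE_SECONDS) {
            // Grace period over: the old id is dead. The manual treats late reuse as
            // suspicious (possible attack), so do not follow the successor here.
            $_SESSION = [];
            session_destroy();
            session_start(); // strict mode issues a fresh, empty session
            return;
        }
        // The "late cookie" case from the ticket: switch this request to the
        // successor session, which holds the logged-in state; session_start()
        // re-sends the correct cookie to the client.
        $successor = $_SESSION['successor_id'];
        session_commit();
        // Strict mode would refuse an id set programmatically; the change is
        // per-request and is not undone because the session is active afterwards.
        ini_set('session.use_strict_mode', '0');
        session_id($successor);
        session_start();
    }
}

function login_user(int $userId): void
{
    app_session_start();

    // Do not destroy the pre-login session: stamp it as retired, point it at its
    // successor and flush that under the OLD id so a late request can follow it.
    $successor = session_create_id();
    $_SESSION['retired_at']   = time();
    $_SESSION['successor_id'] = $successor;
    session_commit();

    // Continue under the NEW id: the id known before authentication never becomes
    // an authenticated session itself, which is the point of regeneration.
    ini_set('session.use_strict_mode', '0');
    session_id($successor);
    session_start();
    $_SESSION = ['user_id' => $userId, 'logged_in_at' => time()];
}

function current_user_id(): ?int
{
    app_session_start();
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Typical use: after the credentials check, login_user($id); on every other page,
// call current_user_id() and show the gatekeeper message only when it returns null.
```

The trade-off is explicit in GRACE_SECONDS: a request carrying the retired id is honoured for that window, so it must be short, and a retired id that shows up after the window is treated as dead rather than followed. Compared with the ticket's workaround, the logged-in state still lives only under an id issued after authentication, so use_only_cookies and use_strict_mode keep doing their job.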
Change History (8)
comment:6 Changed 2 years ago by cash
- Priority changed from normal to low
- Severity changed from minor to major