Destroyed session won't allow new logins

masimies

Hello, any session gurus?
I have a strange problem with sessions.
I updated my member-pages to this new version:
https://github.com/ug2215/RegistrationForm

From start, created a new members with new sanize-functions, login was succesful. And after session lifetime, it destroyed session, but did not create a new-one.
After this session lifetime, new logins cannot be made. It just flash on screen, and keep login-page on.

But,
As i have still the old site alive, with old version of member-pages. When i login thru it, login works normally. Logout there, and login again to new-site, login goes thru normally!
So the old-site login somehow clears the destroyed session, cookies???

Something is wrong with this code. Tried to replace session parts from old code to this new, but no luck with my coding skills....
Any idea, what could be wrong in this part of code?

    function CheckLogin()
    {
        // Check that they at least have a session, and if not, create it
        if(!isset($_SESSION)){ 
            session_set_cookie_params(3600,'/','',true,true); // make it expire after 1 hour
            session_start(); 
        }

    // If they do not have a CSRF token, set that too; if we are requiring them.
    if ($this->CSRFTokenRequired) {
        if (!isset($_SESSION['CSRFtoken'])) {
            $token = hash("sha512",mt_rand(0,mt_getrandmax()));
            $_SESSION['CSRFtoken'] = $token;
        }
    }

    // This would mean that they are not logged in, as we set this when a user logs in
    if(empty($_SESSION['username']))
    {
        http_response_code(401);
        return false;
    }

    // They were properly logged in, but that was too long ago (sessionLifeTime) so they need to login again
    if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > $this->sessionLifeTime)) {
        /* last request was more than sessionLifeTime ago*/
        session_destroy(); // destroy session data in storage
        http_response_code(401);
        return false;
    }

    // They are properly logged in, so let's update their session timers as appropriate.
    $_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
    if (!isset($_SESSION['CREATED'])) {
        $_SESSION['CREATED'] = time();
    } else if (time() - $_SESSION['CREATED'] > $this->sessionLifeTime) {
        /* session started more than sessionLifeTime ago*/
        session_regenerate_id(true); // change session ID for the current session and invalidate old session ID
        $_SESSION['CREATED'] = time(); // update creation time
    }

    return true;
}

masimies

Testing testing...
Jumping over session_set_cookie_params in function Login(), allows login, even it was just a minute ago denied.
This set is again in function CheckLogin(). Im start to thinking that this is some kind of edit copy paste typo....

function Login()
{
    if(empty($_POST['username']))
    {
        $this->HandleError("UserName is empty!");
        return false;
    }

    if(empty($_POST['password']))
    {
        $this->HandleError("Password is empty!");
        return false;
    } 

    if(!isset($_SESSION)) {

// session_set_cookie_params(3600,'/','',true,true); // make it expire after 1 hour
session_start();
if ($this->CSRFTokenRequired) {
$token = hash("sha512",mt_rand(0,mt_getrandmax()));
$POST['CSRFtoken'] = $SESSION['CSRFtoken'] = $token;
}
}

dalecosp

Isn't this a PHP-based login system ... why would you want to send a 401?

Send them a 402 and a redirect to the login page instead.

Derokorian

dalecosp;11054179 wrote:
Isn't this a PHP-based login system ... why would you want to send a 401?

Send them a 402 and a redirect to the login page instead.

https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

w3 wrote:
402 Payment Required

I'm confused, why would you ever send 402 for login problems?

Derokorian

There is a comment on the man page for [man]session_set_cookie_params[/man] that says about the lifetime not getting extended on an already existing session.

final dot wharf at gmail dot com wrote:
As PHP's Session Control does not handle session lifetimes correctly when using session_set_cookie_params(), we need to do something in order to change the session expiry time every time the user visits our site. So, here's the problem.
<?php
  $lifetime=600;
  session_set_cookie_params($lifetime);
  session_start();
?>
This code doesn't change the lifetime of the session when the user gets back at our site or refreshes the page. The session WILL expire after $lifetime seconds, no matter how many times the user requests the page. So we just overwrite the session cookie as follows:
<?php
  $lifetime=600;
  session_start();
  setcookie(session_name(),session_id(),time()+$lifetime);
?>
And now we have the same session cookie with the lifetime set to the proper value.

masimies

Login was working fine from start today, but trying that wharf-method, site was crashed, and the login-page wont appear anymore. Hopefully it works after "$lifetime=600"
Is it wrong way, if i just leave that skipping "// session_set_cookie_params(3600,'/','',true,true); // make it expire after 1 hour" commented out only in login-phase?

dalecosp

Derokorian;11054181 wrote:
I'm confused, why would you ever send 402 for login problems?

Digits, schmidgets ...

UPDATE post set error_code = (error_code - 100) where pagetext like "%send them a 402%";

😉

masimies

Well...
As eMail-functions doesn't work also with this script, i found a fix for that as well.
Skipping all "// $mailer->From = $this->GetFromAddress();" lines, enables sending eMails.
GetFromAddress doesn't work with any combination of using $host or what ever. Doesn't get this variable value to mailer From-tag.
Removing these lines, doesn't put effect to received eMail. From is there anyway.

Oh what a task to put this working. Im now allmost in completion, and happy that i got current level of more secured membersite-pages.
Let's see, if i found still more unstability from fg_membersite ;-)

masimies

More bugs found...
If you want to reset password function work, remove

// BUG: I'm not sure this would work; if the boolean value false was returned, would it still be the boolean value false after being Sanitized?
      $username = SanitizeUsername($this->GetUsernameFromEmail($confirmedemail))

        to
       $username = $this->GetUsernameFromEmail($confirmedemail))

function NotifyOfnewpwd, is not working still, but you know the change of password, because you had the reset-link in eMail allready....