On login cookie expiration time On login cookie expiration time
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

On login cookie expiration time

Started by flapane, April 18, 2012, 08:51:58 PM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

flapane

This is a thing I've been noticing since 1.4 (maybe even before than 1.4) and on various Firefox and IE browser versions: after a random time which may vary from some days to a couple of weeks, my cookie login expires, and I have to log-in another time.
I can't understand the reason, considering that I am not deleting my cookies, and the log-in session expiring time is random.
Flapane
www.flapane.com

Gallery
www.gallery.flapane.com

Αndré

I assume you're using 'remember me' sessions? How exactly do you determine, that your 'cookie login' expires? Have you checked your browser's cookies and Coppermine's sessions table?

One part of the cookie is the 'client_id', which is generated the following way:
Code (bridge/coppermine.inc.php) Select
$this->client_id = md5($superCage->server->getRaw('HTTP_USER_AGENT').$CONFIG['site_url']);

This means that you'll be not logged in when the HTTP user agent changes (e.g. after a browser update).

flapane

Quote from: Αndré on April 19, 2012, 09:14:50 AM
I assume you're using 'remember me' sessions?

Yes

Quote from: Αndré on April 19, 2012, 09:14:50 AM
How exactly do you determine, that your 'cookie login' expires?

I assume that the cookie has expired if cpg asks me to login and I haven't deleted my browser cookies, and no other log-in service but cpg logs me out periodically.
I guess that cpg cookie is "cpg132_data", and its expiration is 18-May (that would be one month after login). However it often happens in shorter periods than one month.

Quote from: Αndré on April 19, 2012, 09:14:50 AM
Have you checked your browser's cookies and Coppermine's sessions table?
One part of the cookie is the 'client_id', which is generated the following way:
Code (bridge/coppermine.inc.php) Select
$this->client_id = md5($superCage->server->getRaw('HTTP_USER_AGENT').$CONFIG['site_url']);

This means that you'll be not logged in when the HTTP user agent changes (e.g. after a browser update).

There are two hash codes in that sql table (time columns is about 1334584584). I guess that one it's due to Firefox11 and the other one to IE9.
Last time (yesterday) I was logged out the user agent (Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0) hasn't changed since the previous login (on Easter day), because latest Firefox update was on 13-Mar.
Flapane
www.flapane.com

Gallery
www.gallery.flapane.com

Αndré

Quote from: flapane on April 19, 2012, 09:57:23 AM
I guess that cpg cookie is "cpg132_data"
No. Your session is stored in a cookie with a cryptic name and content (both a 32 character long MD5 hash). Its name may be something like
a580decc18c805e07fba5f5e5b3365d3

I don't know why this method has been chosen in Coppermine (I guess it's more secure than just storing a simpler value). Additionally, I don't know how other software stores its session cookies. Feel free to have a look at Coppermine's internals to understand how exactly the sessions are stored in the cookie and database.

flapane

I think I've found a md5-like cookie on flapane.com (expiration date 2nd-May)... that would mean that the login expiration time is 2 weeks.
It would be nice to understand why it sometimes logs out after just some days.
Flapane
www.flapane.com

Gallery
www.gallery.flapane.com

Αndré

I just played around a little bit with Coppermine's session handling. As you can see, the client_id (which will be also the cookie's name) is generated in bridge/coppermine.inc.php this way:
$this->client_id = md5($superCage->server->getRaw('HTTP_USER_AGENT').$CONFIG['site_url']);

So it shouldn't change unless the HTTP user agent or the site_url config values doesn't change. I also noticed being logged out of my gallery, while I visit it daily. I don't know why it happens (haven't investigated it yet) and I'm not sure how to debug that, as it seems not to be reproducible, so you'll have to check/write down both your cookies and Coppermine's sessions table before you visit your gallery each time.

To exclude the client_id generation as source of error, you could try to replace the above code with something like
$this->client_id = $CONFIG['TABLE_PREFIX']."session";

This will of course make all sessions invalid immediately, but maybe it works on the long term. I don't know if it adds some security flaws, so use at your own risk!


Quote from: flapane on April 19, 2012, 11:50:54 AM
I think I've found a md5-like cookie on flapane.com (expiration date 2nd-May)... that would mean that the login expiration time is 2 weeks.
The 'remember me' expiration time is indeed 2 weeks. If there are more than one cookies with an md5 hash name and an expiration time in about 2 weeks it means, that your client_id has been changed (see above).

flapane

Quote from: Αndré on April 19, 2012, 12:11:36 PM
[CUT...]
This will of course make all sessions invalid immediately, but maybe it works on the long term. I don't know if it adds some security flaws, so use at your own risk!

I'm afraid that tracking down a possible security leak (I'm already battling with my hosting service because of THEIR recent security flaws) could be beyond my knowledge.
You wrote that sometimes you also noticed being logged out... I wonder if maybe this thread should be moved to http://forum.coppermine-gallery.net/index.php/board,85.0.html until some developer finds out what the problem is (I didn't find a proper bug tracker on sf).

Quote from: Αndré on April 19, 2012, 12:11:36 PM
The 'remember me' expiration time is indeed 2 weeks. If there are more than one cookies with an md5 hash name and an expiration time in about 2 weeks it means, that your client_id has been changed (see above).

There's just one of them.
Flapane
www.flapane.com

Gallery
www.gallery.flapane.com

Αndré

Please open bridge/coppermine.inc.php, and replace the whole function session_extraction with
            function session_extraction()
            {
                global $CONFIG;

                $superCage = Inspekt::makeSuperCage();

                // Default anonymous values
                $id = 0;
                $pass = '';

                // Get the session cookie value
                $sessioncookie = $superCage->cookie->getEscaped($this->client_id);

                // Create the session id by concat(session_cookie_value, client_id)
                $session_id = $sessioncookie.$this->client_id;

                // Lifetime of 'remember me' session is 2 weeks
                $rememberme_life_time = time()-(CPG_WEEK*2);

                // Lifetime of normal session is 1 hour
                $session_life_time = time()-CPG_HOUR;

                // Clean up old sessions every 5 minutes at maximum
                if ($CONFIG['session_cleanup'] < time() - 300) {

                    // Delete old sessions
                    $sql = "DELETE FROM {$this->sessionstable} WHERE time < $session_life_time AND remember = 0";
                    cpg_db_query($sql, $this->link_id);

                    // Delete stale 'remember me' sessions
                    $sql = "DELETE FROM {$this->sessionstable} WHERE time < $rememberme_life_time";
                    cpg_db_query($sql, $this->link_id);
                   
                    // Update database entry
                    $sql = "UPDATE {$CONFIG['TABLE_CONFIG']} SET value = ".time()." WHERE name = 'session_cleanup'";
                    cpg_db_query($sql, $this->link_id);
                }
                $step = 0;
                // Check for valid session if session_cookie_value exists
                if ($sessioncookie) {
                    $step = 1;
                    // Check for valid session
                    $sql =  "SELECT user_id, time FROM {$this->sessionstable} WHERE session_id = '" . md5($session_id) . "'";
                    $result = cpg_db_query($sql);

                    // If session exists...
                    if (mysql_num_rows($result)) {
                        $step = 2;
                        $row = mysql_fetch_assoc($result);
                        mysql_free_result($result);

                        $row['user_id'] = (int) $row['user_id'];
                        $this->sessiontime = $row['time'];

                        // Check if there's a user for this session
                        $sql = "SELECT user_id, user_password FROM {$this->usertable} WHERE user_id = {$row['user_id']}";
                        $result = cpg_db_query($sql, $this->link_id);

                        // If user exists, use the current session
                        if ($result) {
                            $row = mysql_fetch_assoc($result);
                            mysql_free_result($result);

                            $pass = $row['user_password'];
                            $id = (int) $row['user_id'];
                            $this->session_id = $sessioncookie;

                        // If the user doesn't exist, use default guest credentials
                        }

                    // If not a valid session exists, create a new session
                    } else {

                        $this->create_session();
                    }

                // No session exists; create one
                } else {

                    $this->create_session();
                }

                if ($step == 0) echo "<span style=\"color:red; font-weight: bold;\">No session cookie found for this client id (".$this->client_id.")! [code 1]</span>";
                if ($step == 1) echo "<span style=\"color:red; font-weight: bold;\">Session cookie exists, but found no matching session in the database! [code 2]</span>";

                return ($id) ? array($id, $pass) : false;
            }


It just adds some debug output to the top of your page if no session cookie exists or if the stored session doesn't match a session stored in the database. Please have a look which message will be displayed immediately when you're logged out from your gallery. Don't refresh the page, as Coppermine will automatically create the new session and the error messages won't be displayed again (until you'll be logged out again).

flapane

I updated the function with the new one, then I logged out, but I couldn't see any message.
I even took a look at the html source and couldn't find the words "session cookie".
Flapane
www.flapane.com

Gallery
www.gallery.flapane.com

flapane

woops, I forgot to upload the screenshoot upon logging out.
Flapane
www.flapane.com

Gallery
www.gallery.flapane.com

Αndré

The messages are just displayed directly after you lost the session. Delete either your session cookie or the corresponding entry in the database (or both) and you'll see one of the error messages. The intention of the mod is to check why the session is lost and not to display useless messages all the time.

flapane

Sorry, I didn't get well its functioning then.

Here's the debug message after having deleted the cookie and the line in the sql table: No session cookie found for this client id (558e360ad403d4707a288f6174cc7999)! [code 1]

The weird thing is that none of the two sessions stored in the sql dbase had the same hash:
('6714c8bfbf248fa371c6946a87e3afe0', 1, 1334584584, 1),
('16d30114d30921493511161896170f52', 1, 1334843839, 1);
Flapane
www.flapane.com

Gallery
www.gallery.flapane.com

Αndré

Quote from: flapane on April 19, 2012, 04:02:55 PM
Here's the debug message after having deleted the cookie and the line in the sql table
Maybe I wasn't clear enough. I don't want you to delete cookies or database entries, but just use your gallery as usual and if you got logged out automatically, then post the displayed message.


Quote from: flapane on April 19, 2012, 04:02:55 PM
The weird thing is that none of the two sessions stored in the sql dbase had the same hash:
Please have a look at bridge/coppermine.inc.php if you want to understand Coppermine's session handling. The client_id isn't stored in the database, but used for calculating the actual hash which you see in the database.

flapane

My bad, everything is clear now. I'll drop a line here as soon as I am logged out.
Flapane
www.flapane.com

Gallery
www.gallery.flapane.com

flapane

Weird, today I found myself logged out for the first time since I wrote here, but I didn't notice the red-text message. The client hasn't changed (still Firefox 12).
Flapane
www.flapane.com

Gallery
www.gallery.flapane.com

Αndré

I use Firefox as primary browser at home and at work. I got logged out from my gallery at both browsers yesterday evening at home and today morning at work. I'm still logged in at my phone using Opera mobile. I haven't installed any updates (still 13.0.1), so I guess Firefox has changed its user agent or whatever without user interaction. That's still just an assumption, maybe it helps to stay logged in at several browsers and if possible, with the same browser at another system.