Comments (15)

elgg-gitbot avatar elgg-gitbot commented on September 25, 2024

trac user marcus wrote on 38929356-07-21

There should be nothing that does this; however, you may be falling victim to the elgg_fingerprint in session_init.

from elgg.

elgg-gitbot avatar elgg-gitbot commented on September 25, 2024

trac user marcin wrote on 38940186-03-19

Just to note, while developing a plugin I was able to replicate this problem.

On one page I set $_SESSION['my_var'] = 'dsds';
then, depending on which pages I click next, this var is lost in between.

from elgg.

elgg-gitbot avatar elgg-gitbot commented on September 25, 2024

trac user marcin wrote on 38941658-04-24

I've added
session_write_close();
just after setting SESSION var, and it helped, session var was persisted.

var seems to be lost somewhere in these functions:
elgg_view_title
elgg_view
elgg_view_layout
page_draw

What is funny, though, is that it was only missing for specific content. In my case it couldn't save the int 233; other ints like 18, 188, 114 were saved with no problem. Really strange.

from elgg.

elgg-gitbot avatar elgg-gitbot commented on September 25, 2024

trac user marcus wrote on 38999856-07-20

To be clear, specific content is getting wiped? What variable names are you using?

from elgg.

elgg-gitbot avatar elgg-gitbot commented on September 25, 2024

trac user staticred wrote on 39016187-11-30

Define "content". No site content as I'd describe it (i.e. data written to the screen) is affected. This affects only the $_SESSION variable.

To be more specific, the CAS authentication plugin works along the following lines. First, in order to interface with the external CAS server, a php library (phpCAS) is imported into the Elgg plugin. This library acts somewhat like a proxy for CAS authentication, checking the user against the CAS server and either passing them through to the CAS server for authentication (which returns the user back to the Elgg plugin) or reading the preexisting CAS authentication data from a cookie.

The phpCAS library makes use of an array stored in $_SESSION['phpcas'] to track the user's authentication status. Enumerating the contents of $_SESSION in both the Elgg plugin and within engine/lib/sessions.php shows that the $_SESSION['phpcas'] is missing. The same test outside of Elgg 1.x shows the $_SESSION['phpcas'] set.

from elgg.

elgg-gitbot avatar elgg-gitbot commented on September 25, 2024

trac user marcus wrote on 39027486-09-10

What I meant by "content" was referring to marcin, basically I wanted to clarify the behaviour that a $_SESSION variable was being deleted depending on the specific content inside.

from elgg.

elgg-gitbot avatar elgg-gitbot commented on September 25, 2024

trac user marcin wrote on 39037346-06-26

Hi marcus,

This is a piece of code from groupprofile.php:

    ...
    set_page_owner($group_guid);

    if ($group_guid > 0)
    {
        $_SESSION['falcon_ref'] = $group_guid;
    }
    else
    {
        $_SESSION['falcon_ref'] = 0;
    }
    // reassure that it is saved - this data was lost so we needed to save session here
    session_write_close();
    ...

The problem appears when I visit the group profile page (which should save the group guid int) and then go to blogs, for instance. $_SESSION['falcon_ref'] is no longer there; surprisingly, for some values it is persisted.

Unfortunately I didn't save the svn ver number of elgg which I was using then.

Saludos

Marcin

from elgg.

elgg-gitbot avatar elgg-gitbot commented on September 25, 2024

Attachment added by trac user staticred on 39038464-06-29: cas_auth.zip

from elgg.

elgg-gitbot avatar elgg-gitbot commented on September 25, 2024

trac user staticred wrote on 39038465-12-25

To help move this forward, I've attached the source for the CAS module.

from elgg.

elgg-gitbot avatar elgg-gitbot commented on September 25, 2024

trac user marcus wrote on 39065158-09-16

(In [svn:2605]) Refs #562: Configuration flag to disable database sessions.

from elgg.

elgg-gitbot avatar elgg-gitbot commented on September 25, 2024

trac user marcus wrote on 39065161-10-24

You could try updating to latest SVN and seeing if setting $CONFIG->use_file_sessions = true in settings.php makes any difference.

This flag disables database sessions which is the one major change elgg makes to session handling code.

from elgg.

elgg-gitbot avatar elgg-gitbot commented on September 25, 2024

trac user staticred wrote on 39065632-12-28

No difference with the latest version in the subversion trunk. The session data from CAS is still destroyed with $CONFIG->use_file_sessions = true set.

from elgg.

elgg-gitbot avatar elgg-gitbot commented on September 25, 2024

trac user staticred wrote on 39194278-11-05

To move this ahead a little further, it now appears that this might not be a session issue, but rather an issue of the ?ticket parameter being lost in the actions handler (when it is redirecting from /action/cas_auth/login to /mod/cas_auth/login.php). Here's debug output from the phpCAS module, which shows the ?ticket query parameter being lost somewhere between the time the CAS server returns from authentication and it arrives at the login.php file. The CAS server returns the user to http://elggsite/elgg15/action/cas_auth/login?ticket=ST-67278-NOiaHXkSfzzcsHQh2a5k. However, you can see in the phpCAS debug information that ?ticket=<...> is lost by the time it gets to login.php. I've added extra trace() calls to phpCAS to try and figure this out.

F265 .START ****************** [CAS.php:398]
F265 .=> phpCAS::client('2.0', 'secure3.athabascau.ca', 443, '/cas', false) [lib.php:21]
F265 .| => CASClient::CASClient('2.0', false, 'secure3.athabascau.ca', 443, '/cas', false) [CAS.php:299]
F265 .| <= ''
F265 .<= ''
F265 .=> phpCAS::forceAuthentication() [lib.php:26]
F265 .| => CASClient::forceAuthentication() [CAS.php:895]
F265 .| | Session: Elgg [client.php:626]
F265 .| | session data: 4 [client.php:627]
F265 .| | __elgg_fingerprint: 156710a08757b190ebc250830a7db77d [client.php:629]
F265 .| | __elgg_session: 52253f8083309ace056c5689c74db72f [client.php:629]
F265 .| | view: default [client.php:629]
F265 .| | msg: Array [client.php:629]
F265 .| | => CASClient::isAuthenticated() [client.php:631]
F265 .| | | Entering isAuthenticated [client.php:733]
F265 .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:737]
F265 .| | | | no user found [client.php:841]
F265 .| | | <= false
F265 .| | | no ticket found [client.php:771]
F265 .| | <= false
F265 .| | Session not authenticated. [client.php:637]
F265 .| | => CASClient::redirectToCas(false) [client.php:639]
F265 .| | | => CASClient::getServerLoginURL(false) [client.php:858]
F265 .| | | | => CASClient::getURL() [client.php:330]
F265 .| | | | | CGI Params: http://localhost/elgg15/action/cas_auth/login [client.php:2005]
F265 .| | | | <= 'http://localhost/elgg15/action/cas_auth/login'
F265 .| | | <= 'https://secure3.athabascau.ca:443/cas/login?service=http%3A%2F%2Flocalhost%2Felgg15%2Faction%2Fcas_auth%2Flogin'
F265 .| | | exit()
F265 .| | | -
F265 .| | -
F265 .| -

from elgg.

elgg-gitbot avatar elgg-gitbot commented on September 25, 2024

trac user staticred wrote on 39194531-08-17

Solution found - posting here for reference.

The problem was due to Elgg moving the additional query parameters into the $vals array. The fix for this specific problem was to place

$_REQUEST['ticket'] = $vals[svn:1];

into the start of the login.php file so that phpCAS could find the query parameter.

from elgg.
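
The thread traces the failure to the ?ticket parameter being dropped on the hop from /action/cas_auth/login to /mod/cas_auth/login.php. As an added illustration (not code from Elgg, phpCAS or the cas_auth plugin; the function names are hypothetical and the length cap is an assumption), this PHP example forwards only a format-checked service ticket across such a redirect instead of copying request values blindly:

```php
<?php
// Added example: hypothetical helper names, constructed sample URLs.

// CAS service tickets begin with "ST-" and use only letters, digits and
// hyphens. The 256-character overall cap is an assumption made here.
const CAS_TICKET_RE = '/^ST-[A-Za-z0-9-]{1,253}$/';

/**
 * Return the service ticket carried in the URL the CAS server sent the
 * browser back to, or null if it is absent or malformed.
 */
function extract_cas_ticket(string $returnUrl): ?string
{
    $query = parse_url($returnUrl, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;                    // no query string at all
    }
    parse_str($query, $params);
    $ticket = $params['ticket'] ?? null;
    if (!is_string($ticket) || preg_match(CAS_TICKET_RE, $ticket) !== 1) {
        return null;                    // array-valued, missing or malformed
    }
    return $ticket;
}

/**
 * Build the internal redirect target, forwarding only the validated ticket
 * so the CAS client on the target page can still find it.
 */
function forward_with_ticket(string $returnUrl, string $target): string
{
    $ticket = extract_cas_ticket($returnUrl);
    if ($ticket === null) {
        return $target;                 // nothing valid to forward
    }
    $sep = (strpos($target, '?') === false) ? '?' : '&';
    return $target . $sep . http_build_query(['ticket' => $ticket]);
}

// Constructed input: the return URL shape quoted in the thread.
$returned = 'http://elggsite/elgg15/action/cas_auth/login?ticket=ST-67278-NOiaHXkSfzzcsHQh2a5k';
echo forward_with_ticket($returned, '/mod/cas_auth/login.php'), "\n";

// A value that does not look like a service ticket is not forwarded.
$bad = 'http://elggsite/elgg15/action/cas_auth/login?ticket[]=x';
echo forward_with_ticket($bad, '/mod/cas_auth/login.php'), "\n";
```
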

elgg-gitbot avatar elgg-gitbot commented on September 25, 2024

trac user marcus wrote on 39344508-11-29

Closed as this appears to be an isolated issue with one use case rather than a systemic problem.

from elgg.
