[PHPBB3-16207] Require cookies for sessions

Discuss requests for comments/changes posted in the Issue Tracker for the development of phpBB. Upcoming releases are 3.2/Rhea and 3.3.
Post Reply
User avatar
EA117
Registered User
Posts: 12
Joined: Tue Apr 30, 2019 12:54 pm

[PHPBB3-16207] Require cookies for sessions

Post by EA117 »

https://tracker.phpbb.com/browse/PHPBB3-16207

The change in phpBB 3.2.6 which made "you must have the same session ID between receiving the login form and submitting the login form" a requirement (albeit indirectly via add_form_key() and check_form_key()) seems like it may have given us a preview for some of the challenges phpBB users could encounter here.

We now routinely have "I cannot login due to form invalid" reported in the public forum, even when cookie settings are correct, as though there is still some lurking behavior if not bug that still puts people into a "guest doesn't get the same session twice" scenario.  Or, we see cases where even though the cookie settings were already correct, we have to delete the current cookies before login starts working.  As though logic for "the existing cookie needs to be updated" was either missing or misfiring, or something more subtle we're just not identifying yet.

The point being, we have an initial taste or "warning" of how sensitive new requirements in the login area can be.  Handling the implementation of PHPBB3-16207 well could prevent an unnecessary additional fundamental frustration for phpBB operators, when something as basic as "I just want to login to my new board" potentially becomes more brittle "due to increased security."

Ideas that come to mind for trying to mitigate against this:
  • Make installation actually test the cookie settings, and don't allow advancing to next install phase without achieving a working cookie configuration as confirmed by Set-Cookie and subsequent cookie values received by the install app's own pages.  If something is blocking the cookies from working correctly, you'll be unable to proceed with the installation until you identify and eliminate this.  Not just "Here is where you enter your cookie settings. Next."
  • Make the login itself actually test cookies, and if they're not working, create a very clear description of why the login is failing.  Even going so far as the PHP-side code checking what we think the current board URL, path, and access protocol are, and advising whether the issue appears to be in the phpBB cookie configuration (something the user definitely cannot solve), versus the cookie settings "look fine for how you're accessing this board" and there may be some local browser blocking or issue (not withstanding that it could also be a server-side issue even in that case, too).
  • When in the guest session scenario like login, if the site cookie settings look correct yet we seem unable to get the correct canary/test values we're using to verify cookie operation, have phpBB issue a deletion of the cookies as a standard part of the failed login response. i.e. Don't wait for the user to be frustrated and finally start looking for troubleshooting steps. It may or may not resolve whatever issue is actually happening, but its something we could be trying programmatically instead of waiting for the user to be educated enough to try this same action.
  • Perhaps ship some kind of non-session-based bare metal UI (like the cookies.php script the KB article offers) which can be enabled on-demand (e.g. "rename shipped fix_cookes.disabled to fix_cookies.php") long enough for the site operator to use a simple form to change cookie configuration.  To give admins a readily accessible, if not still less-than-ideal, in-box method to address cookie configuration changes.  Since once the new sessions-need-cookies and no-append_sid-fallback changes have been implemented, the admin can no longer use ACP to fix cookie configuration settings.

Lady_G
Registered User
Posts: 35
Joined: Sun Aug 31, 2014 3:02 pm

Re: [PHPBB3-16207] Require cookies for sessions

Post by Lady_G »

Since updating to phpBB 3.2.8, I consistently receive the error message when attempting a login from the board index on my production server (high traffic volume). I can not reproduce the problem with my localhost test environment (single user).

Can this problem be emulated with a localhost test environment? For example, Is there a delay that can be inserted in the source code to force the error message?
EA117 wrote:
Sun Nov 10, 2019 2:58 pm
  • When in the guest session scenario like login, if the site cookie settings look correct yet we seem unable to get the correct canary/test values we're using to verify cookie operation, have phpBB issue a deletion of the cookies as a standard part of the failed login response. i.e. Don't wait for the user to be frustrated and finally start looking for troubleshooting steps. It may or may not resolve whatever issue is actually happening, but its something we could be trying programmatically instead of waiting for the user to be educated enough to try this same action.
I prefer this approach, as it requires no user interaction.

Does this solution consider users who login on more than one device (or browser)? For example, I can login from my Firefox browser as one session, then login from Chrome as a second session.

========================
When entering a quick reply to this topic as "Full Editor & Preview", I received the error message at the top of the post edit area.
Screenshot from 2019-12-08 20-51-48.png

User avatar
EA117
Registered User
Posts: 12
Joined: Tue Apr 30, 2019 12:54 pm

Re: [PHPBB3-16207] Require cookies for sessions

Post by EA117 »

Lady_G wrote:
Mon Dec 09, 2019 2:17 am
Can this problem be emulated with a localhost test environment? For example, Is there a delay that can be inserted in the source code to force the error message?
Not that I'm aware of. I'm not saying it "can't" be duplicated there; only that have not been able to duplicate the blatant or persistent "form invalid" against my local XAMPP installs or even my live site. Best I've been able to see is that "sometimes" I randomly get the SID added to the URL during actions which shouldn't have required it to be added. Making me suspect this could be a clue to some underlying decision mechanism or cookie retrieval mechanism which isn't being as consistent as expected.

Lady_G wrote:
Mon Dec 09, 2019 2:17 am
I prefer this approach, as it requires no user interaction.
Indeed; the question is whether it really solves anything; or perhaps more directly, why it solves anything in the cases where it does. If what my browser was sending wasn't the correct session and phpBB had matched me up or created a new session, why weren't new Set-Cookie headers sent to give me the correct information? Why did I ultimately have to delete the existing cookies to trigger the new Set-Cookie, if phpBB already knew the session I was sending wasn't the session it was using for me?

But regardless of the reason, the point for this specific mitigation is that if the login attempt has failed with "form invalid", any k_cookie value, any u_cookie value, and possibly even the sid_cookie value are already wrong or meaningless. Because you're by definition not logged in from this browser at that point. If our recommendation in this situation will be "well then delete the cookies", why not just make that our programmatic action by redirecting them through a delete-cookies operation before presenting the retry login form.

It's not that we assume "that fixes 100% of cases", because we suspect there is still some other underlying problem. But for the cases it does solve, why wait until the user figures out what to do.

Lady_G wrote:
Mon Dec 09, 2019 2:17 am
Does this solution consider users who login on more than one device (or browser)? For example, I can login from my Firefox browser as one session, then login from Chrome as a second session.
Yes, the "delete cookies when login fails" action would still be appropriate if multiple browsers or devices were in use. By the time you're looking at a login form, let alone if that login form them fails with "form invalid" or not, you're not logged in from the current device and browser. The action can only delete the cookies that exist for the browser and device you're in when performing the action, same as invoking the "delete cookies" link manually.

Lady_G wrote:
Mon Dec 09, 2019 2:17 am
When entering a quick reply to this topic as "Full Editor & Preview", I received the error message at the top of the post edit area.
The most straight-forward answer if I saw that happen to one of my posts is "I spent a long time writing the message." In addition to session ID, "age" is a reason for returning "form invalid" too. In a default phpBB installation I believe this is 60 minutes, although it will be whatever interval has been configured for the board's "Maximum time to submit forms" configuration.

Technically it could also be "phpBB didn't give me my same session ID upon submission of the form." And the fact that you were given a new session could have been otherwise "hidden" from you (i.e. you didn't end up being dumped to a logged-out state) due to that fact that "Remember Me" was selected during login and your k_cookie value gets you automatically logged in again on the new session. Meaning if you hadn't have been in the middle of a form submission, you probably wouldn't have even noticed that it happened. But because the differing session ID is important to form verification, it resulted in "form invalid."

User avatar
P_I
Registered User
Posts: 79
Joined: Fri Oct 31, 2014 4:56 am

Re: [PHPBB3-16207] Require cookies for sessions

Post by P_I »

Thank you for your tireless efforts to get to the bottom of this issue and all the questions you have answered about it on the phpBB/community forums. Much appreciated.

Post Reply