Topic: CSRF Token, Session Issues

[lunem]

Hi all,

I installed Mibew 1.6.14 today on a dedicated web server running Apache on CentOS. We have PHP 5.4.31 and MySQL 5.5.30.

I was able to log in with the default admin:<empty> credentials, but only when the "Remember" box was checked. Trying to change anything resulted in a CSRF Failure error.

I've seen a couple other threads regarding this issue, so I'll say this up front:

• I've tried logging in through the latest versions of Chrome, Firefox, Opera, and Internet Explorer
• The demo on mibew.org works just fine, and the rest of our PHP applications work
• In php.ini, session.cookie_lifetime is set to 0, session.gc_maxlifetime is set to 1440, and short_open_tags is set to on
• I double checked the file and directory permissions; all files are set to 0644 and directories to 0755

I added a line to common.php to print out the CSRF token in your setcsrftoken() function, and it's generating a different one on every page load.

My only thought is that we're already using session_start() for our own record-keeping and that could be preventing the Mibew session cookie from registering, but it does show up in Chrome's developer tools.

Do you have any other suggestions to fix this, or things to look at?

[Dmitriy Simushev]

Hi,

It seems that Mibew sessions are not stored at server. Are you using a custom session storage on your server? Or may be you've set a custom session save path?

UPD: Is there something in error logs?

[faf]

And my two cents.

Actually, it could be useful if you provide a part of phpinfo() output related to sessions.

Also, I would like to thank you for properly asked question. It's rare these days. 

[lunem]

Thanks for the replies. And no problem asking the question - I have to help you help me, after all.

There's nothing relevant in the error logs, but it does look like we have a custom session save path. For reference, I've attached a screenshot of the "sessions" section from phpinfo().

[faf]

Well... And what will happen if you set session.save_path value to some place where that is definitely exists and is writable for the web server?

For example, one can place the call of session_save_path function in libs/config.php or set it in the appropriate directive in .htaccess.

[lunem]

I made a new directory, changed the permissions/owner, and updated common.php. That seems to have solved it. Thanks again for your help.

[faf]

You're welcome.

Though, I'd recommend to move your custom code into libs/config.php. Otherwise you'll have to manually patch libs/common.php for every future update (though, I doubt that 1.6.x branch will be changing quite often).