Login does not work on PHP 5.5


#1

We use Piwik on a server with Zend-Server 6.0.3 and PHP 5.5. We noticed that login does not work: despite correct user credentials, the session gets reset and the login screen reappears without a message.

We debugged it and found out that Session::regenerateId() is programmed to destroy the old session, so the login authentication is lost on the browser cookie, causing a valid login attempt to fail.

A fix for this is:

Add the following to “core/Session.php”:


/* core/Session.php */

    public static function regenerateId()
    {
        /*--PHP 5.5--*/
        return;
    }

Also, whenever sending the Header(“Location:…”) to redirect the browser to a different URL, please call “session_write_close()” beforehand to write the session data, because the same effect may appear: on redirection the browser session is lost:


/* core/Plugin/Controller.php */

    public function redirectToIndex($moduleToRedirect, $actionToRedirect, $websiteId = null, $defaultPeriod = null,
                                    $defaultDate = null, $parameters = array())
    {

        // ..... (code elided in the original post)

        if ($websiteId) {
            $url = "Location: index.php?module=" . $moduleToRedirect
                . "&action=" . $actionToRedirect
                . "&idSite=" . $websiteId
                . "&period=" . $defaultPeriod
                . "&date=" . $defaultDate
                . $parametersString;
            
            /*--PHP 5.5--*/
            session_write_close();
            header($url);
            exit;
        }



/* core/Url.php */

    static public function redirectToUrl($url)
    {
        if (UrlHelper::isLookLikeUrl($url)
            || strpos($url, 'index.php') === 0
        ) {
            /*--PHP 5.5--*/
            session_write_close();
            @header("Location: $url");
        } else {
            echo "Invalid URL to redirect to.";
        }
        exit;
    }


On a PHP 5.4 based system Piwik works without these changes for us, but on 2 separate PHP 5.5 based systems (where we are able to confirm that session management works, as many other PHP applications work nicely there) Piwik will only keep the current browser session with the above changes applied.

Please check for yourself, and include these changes into the main code if possible (or any other solution to make Piwik work on PHP 5.5).

Thanks.


(Matthieu Aubry) #2

We haven’t been able to reproduce a problem in PHP 5.5, which several team members use. How do you reproduce the issue exactly? Maybe it’s a particular session.XXX setting in the PHP configuration?


#3

We came across that during this process:

Installed Piwik on CentOS 5 server with Zend-Server 6.3 with PHP 5.4 for testing (our development environment). Piwik login worked, Piwik installation worked.

Then installed Piwik on Production Server (CentOS 6 with Zend-Server 6.3 on PHP 5.5), login did not work. We then upgraded our development environment to PHP 5.5 and started debugging using Eclipse and Zend-Debugger.

We monitored the login process and found out that the Session->RegenerateId(true) call (which will clear the old session) did not copy the session over to the new session, whereas the new session ID arrived in the browser cookie and client/server-side the login authentication is lost. The login form returns to itself without a message, effectively losing the authentication.

We then applied the above changes, and voila it works.
We have many other PHP applications running without trouble or session issues, like Magento or Wordpress. Only Piwik (and Dokuwiki) were not able to keep the authenticated session, where the above changes did resolve it for us.


#4

We have had the same problem.

On Debian Linux 6.0 with Zend-Server 6.3 and PHP 5.5.7 login did not work. With correct user credentials the login screen appears again without any message. After testing the login process without any error-messages in the logs I started to have a look at the sessions. I found the behavior explained above. After changing the file Session.php (now Piwik Version 2.1) with the above fix it was possible to login again.

Thanks a lot to pisc.software.


#5

You’re welcome. Thanks for the +1 on this.

Something else is funny: When running Piwik on Zend Server with PHP 5.4 the Logo has the text “Open Source Web analytics” (the text that points with the arrow to the logo). When running Piwik on Zend Server 6.3 with PHP 5.5 that text changes to “Web analytics”.

It’s no deal-breaker, however we find it funny that also this logo text changes… :stuck_out_tongue:


#6

Thanks a lot everyone on this thread! Same issue…

Piwik heartily recommends PHP 5.5 right there in the front page of the docs.

I did upgrade the PHP underneath an existing older Piwik installation, and 5.5 worked fine.

I then upgraded Piwik to 2.1 and ran right into this problem.

I ran a clean install on PHP 5.5 and verified this is a problem, and googled some more…


(Matthieu Aubry) #7

@gis.works @pic software, do you think you could try the following: in the file config/config.ini.php, add:


[General]
session_save_handler = dbtable

This will enable sessions stored in the database rather than the filesystem.

And try this without the patch. Does it fix the login issue?


#8

Hi matt,

thank you for your suggestion.
Actually we work with Piwik 2.2.0 and the patch.

We have removed the patch and made an attempt.
But it doesn’t work.


#9

@MATT:

We tried that, with the same effect as before. The relevant piece of code is here, where the Session-ID regeneration fails:

If we override the “regenerateId()” function of “Zend_Session” in “core/Session.php” like this, it works by actually not regenerating the Session-ID:


public static function regenerateId()
{
    /* PHP 5.5: */
    if (!self::$_unitTestEnabled && headers_sent($filename, $linenum)) {
        throw new Zend_Session_Exception("You must call " . __CLASS__ . '::' . __FUNCTION__ .
            "() before any output has been sent to the browser; output started in {$filename}/{$linenum}");
    }

    if (!self::$sessionStarted) {
        self::start();
    } else {
        if (!self::$_unitTestEnabled) {
            /* PHP-5.5: Regenerate Session-ID WITH keeping session data */
            /* This does not work with Piwik 2.2 anymore:
            session_regenerate_id(true);
            $sid = session_id();
            session_write_close();
            session_id($sid);
            session_start();
            */
        }
    }
}

Note the part of “session_regenerate_id” which is commented out. We made that patch for Piwik 2.1 and it worked for us in that release. For Piwik 2.2 we had to remove the session regeneration again to be able to login.

I think it would be best to drop session ID regeneration altogether, as it proves unstable and its value for “security” is questionable from our view.

Thanks.
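
Added example, not part of the original posts and not Piwik's code: a stand-alone CLI check for the behaviour reported in this thread, namely whether session data survives `session_regenerate_id(true)` on a given PHP build and whether the pre-login ID stops resolving to the authenticated session. Regenerating the ID at login is the standard defence against session fixation, so a workaround that skips it gives that protection up. The file-based save handler, the temp directory name and the sample session values are assumptions of this example.

```php
<?php
// Added diagnostic (not Piwik code). Run from the CLI: php regen_check.php
// No output may be produced before the session calls below.

ini_set('session.use_cookies', '0');      // CLI run: no cookie header needed
ini_set('session.save_handler', 'files'); // assumption: file-based sessions
$dir = sys_get_temp_dir() . '/regen_check_' . getmypid();
mkdir($dir, 0700);
ini_set('session.save_path', $dir);

function check_regeneration()
{
    // 1. Anonymous session, as on the login form.
    session_start();
    $oldId = session_id();
    $_SESSION['token'] = 'pre-login-data';   // constructed sample value

    // 2. Successful login: rotate the ID and delete the old session.
    session_regenerate_id(true);
    $newId = session_id();
    $_SESSION['user'] = 'constructed-user';  // constructed sample value
    session_write_close();                   // flush before any redirect

    // 3. Next request presenting the new ID: the data must still be there.
    session_id($newId);
    session_start();
    $survived = isset($_SESSION['token'], $_SESSION['user']);
    session_write_close();

    // 4. Request replaying the pre-login ID: it must not see the login.
    session_id($oldId);
    session_start();
    $oldIsEmpty = !isset($_SESSION['user']);
    session_destroy();

    return array(
        'id_changed'    => $oldId !== $newId,
        'data_survived' => $survived,
        'old_id_empty'  => $oldIsEmpty,
    );
}

$result = check_regeneration();
array_map('unlink', glob($dir . '/*'));      // remove leftover session files
rmdir($dir);
foreach ($result as $check => $ok) {
    echo str_pad($check, 15), $ok ? 'OK' : 'FAIL', PHP_EOL;
}
```

A `FAIL` on `data_survived` reproduces the symptom described above (new ID issued, login state gone); a `FAIL` on `old_id_empty` means the old ID still carries the authenticated session.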


(Matthieu Aubry) #10

Thanks for your help & patch, please see my comment in Investigate Login does not work & Browser Session lost on PHP 5.5 · Issue #4806 · matomo-org/matomo · GitHub


#11

@Matt,

thanks - will test it out on our systems. Please allow a few days to get it through our workload. I will get back to you with our results then.

Thanks.


#12

Tested with Zend-Server 6.3.0 & PHP 5.5.7 and it seems to work now on that. Thanks!