We use Piwik on a Server with Zend-Server 6.0.3 and PHP 5.5. We noticed that login does not work, despite correct user credentials the Session gets reset and the login screen reappears without message.
We debugged it and found out that Session::regenerateId() is programmed such to destroy the old session, so the login authentication is lost on the browser cookie and a valid login attempt to fail.
A fix for this is:
Add the following to “core/Session.php”:
/* core/Session.php */
public static function regenerateId()
{
/*--PHP 5.5--*/
return;
}
Also whenever sending the Header(“Location:…”) to redirect the browser to a different URL, please use “session_write_close()” before to write the session data. Because the same effect may appear that on redirection the browser session is lost:
/* core/Url.php */
static public function redirectToUrl($url)
{
if (UrlHelper::isLookLikeUrl($url)
|| strpos($url, 'index.php') === 0
) {
/*--PHP 5.5--*/
session_write_close();
@header("Location: $url");
} else {
echo "Invalid URL to redirect to.";
}
exit;
}
On a PHP 5.4 based system Piwik works without these changes for us, but on 2 separate PHP 5.5 based systems (where we are able to confirm that session management works as many other PHP applications work nicely there) Piwik only will keep the current browser session with the above changes applied.
Please check for yourself, and include these changes into the main code if possible (or any other solution to make Piwik work on PHP 5.5).
We haven’t been able to reproduce a problem in PHP 5.5 which several team members use. How do you reproduce the issue exactly? maybe it’s a particular session.XXX setting in the PHP configuration?
Installed Piwik on CentOS 5 server with Zend-Server 6.3 with PHP 5.4 for testing (our development environment). Piwik login worked, Piwik installation worked.
Then installed Piwik on Production Server (CentOS 6 with Zend-Server 6.3 on PHP 5.5), login did not work. We then upgraded our development environment to PHP 5.5 and started debugging using Eclipes and Zend-Debugger.
We monitored the login process and found out that the Session->RegenerateId(true) call (which will clear the old session) did not copy the session over to the new session, wherease the new session ID arrived in the browser cookie and client/server-side the login authentication is lost. The login form returns to itself without message, effectively loosing the authentication.
We then applied the above changes, and voila it works.
We have many other PHP applications running without trouble or session issues, like Magento or Wordpress. Only Piwik (and Dokuwiki) where not able to keep the authenticated session where above changes did resolve it for us.
On Debian Linux 6.0 with Zend-Server 6.3 and PHP 5.5.7 login did not work. With correct user credentials the login screen appears again without any message. After testing the login process without any error-messages in the logs I started to have a look at the sessions. I found the behavior explained above. After changing the file Session.php (now Piwik Version 2.1) with the above fix it was possible to login again.
Something else is funny: When running Piwik on Zend Server with PHP 5.4 the Logo has the text “Open Source Web analytics” (the text that points with the arrow to the logo). When running Piwik on Zend Server 6.3 with PHP 5.5 that text changes to “Web analytics”.
It’s no deal-braker, however we find it funny that also this logo text changes…
We tried that and the same effect as before. The relevant piece of code is in here where the Session-ID Rengenaration fails:
If we override the “regenerateId()” function of “Zend_Session” in “core/Session.php” like this it works by actually not regenerating the Session-ID:
public static function regenerateId()
{
/* PHP 5.5: */
if (!self::$_unitTestEnabled && headers_sent($filename, $linenum)) {
throw new Zend_Session_Exception("You must call " . __CLASS__ . '::' . __FUNCTION__ .
"() before any output has been sent to the browser; output started in {$filename}/{$linenum}");
}
if ( !self::$sessionStarted ) {
self::start();
} else {
if (!self::$_unitTestEnabled) {
/* PHP-5.5: Regenerate Session-ID WITH keeping session data */
/* This does not work with Piwik 2.2 anymore:
session_regenerate_id(true);
$sid = session_id();
session_write_close();
session_id($sid);
session_start();
*/
}
}
}
Not the part of “session_regenerate_id” which is commented out. We made that patch for Piwik 2.1 and it worked for us in that release. For Piwik 2.2 we had to remove the session regeneration again to be able to login.
I think it would be best to drop session ID regeneration at all, as it is prooves unstable and its value for “security” is questionable from our view.
