22 March 2012

ExpressionEngine Logout Bug

ExpressionEngine has a pretty brittle session mechanism. It has all sorts of devices for making it more secure and harder to spoof. But it causes issues with quite a few of our clients. Today we found a weird problem with what turned out to be a proxy-related issue. Some requests would be sent through the proxy and some weren't, so the IP address would change. Strangely, no one was ever logged out but some requests would fail (and be redirected back to the login screen with no message).

In system/expressionengine/libraries/Session.php, ExpressionEngine includes a check for the IP address when it gets the session data. Commenting out the line for the IP address and turning off IP address checks in the configuration seems to have fixed it for me.

public function fetch_session_data()
{
    // Look for session.  Match the user's IP address and browser for added security.
    $this->EE->db->select('member_id, admin_sess, last_activity')
        ->where('session_id', (string) $this->sdata['session_id'])
        //->where('ip_address', $this->sdata['ip_address'])
        ->where('user_agent', $this->sdata['user_agent']);
...
  • 5:27pm
  • PHP
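
As an added illustration (not ExpressionEngine's code and not part of the original post), the following PHP models the lookup above with an in-memory array in place of the database; the session values, addresses and the find_session helper are constructed for the example. It shows how an IP mismatch rejects a single request while the session itself stays in place, and what the lookup accepts once the IP condition is removed.

```php
<?php
// Constructed model of the session lookup; the array stands in for the sessions table.
$sessions = [
    ['session_id' => 'abc123', 'member_id' => 7,
     'ip_address' => '203.0.113.10', 'user_agent' => 'ExampleBrowser/1.0'],
];

/**
 * Return the matching session row, or null when nothing matches.
 * A mismatch only rejects the current request: the stored row is not
 * modified, so the session still exists for the next request.
 * find_session() is a hypothetical helper for this example.
 */
function find_session(array $sessions, array $request, bool $checkIp): ?array
{
    foreach ($sessions as $row) {
        if ($row['session_id'] !== $request['session_id']) {
            continue;
        }
        if ($row['user_agent'] !== $request['user_agent']) {
            continue;
        }
        // This is the condition the post comments out.
        if ($checkIp && $row['ip_address'] !== $request['ip_address']) {
            continue;
        }
        return $row;
    }
    return null;
}

// Constructed requests: one browser alternating between a direct and a proxied
// path, followed by the same session id and user agent from an unrelated address.
$ua = 'ExampleBrowser/1.0';
$requests = [
    ['session_id' => 'abc123', 'ip_address' => '203.0.113.10', 'user_agent' => $ua],
    ['session_id' => 'abc123', 'ip_address' => '198.51.100.5', 'user_agent' => $ua], // via proxy
    ['session_id' => 'abc123', 'ip_address' => '203.0.113.10', 'user_agent' => $ua],
    ['session_id' => 'abc123', 'ip_address' => '192.0.2.77',   'user_agent' => $ua], // unrelated address
];

foreach ([true, false] as $checkIp) {
    echo $checkIp ? "IP check on:\n" : "IP check off:\n";
    foreach ($requests as $i => $request) {
        $row = find_session($sessions, $request, $checkIp);
        printf("  request %d from %-13s %s\n", $i + 1, $request['ip_address'],
            $row ? 'session found' : 'no session, back to login');
    }
}
```

With the check off, the fourth request is accepted as well: the session is then bound only to the session ID and the user agent string.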

Comments

  1. I have a client with a really bizarre issue too. They try to log in to the CP and get sent back to the login screen with no error message, which sounds like what you’re reporting. They can, however, log in on the front-end of the site through the User module, then go to the CP that way. I haven’t been able to figure it out, but will look into this and confirm if it’s the same issue. Thanks for sharing.

    Brian / 9:08am / 27 March 2012

  2. Similar symptoms, although it sounds like something else is causing the logout. It looks like whenever anything makes the EE session look unusual the effect is to bounce the user back to the login screen with no error. Even deliberate logouts end up at the same line, so it could be almost anything causing it.

    It might be worth checking if a session gets created and/or destroyed when logging in through the CP. Different sorts of session mismatches will destroy the session, but others will just reject the current request.

    Ryan / 1:52pm / 27 March 2012

  3. You had me at spoof.

    gem / 7:59pm / 5 April 2012

  4. Phonohom!!!!!!!

    Jem / 8:01pm / 5 April 2012

  5. OMG! Yes. It is one. Nice work Jem.

    Ryan / 11:46pm / 5 April 2012

  6. Send a one-worder text to Lib with that one. See if she gets it.

    Jem / 8:30pm / 12 April 2012

  7. I told Lib. She denied it was a phonohom for a while. Then she typed spoof into the internet. Now she acknowledges it as genuine.

    Ryan / 6:43am / 13 April 2012

  8. I had upgraded to 2.5 and this must be the fix they attempted… unsuccessfully. The line you show to comment out is no longer in the session library file.

    LD / 11:34pm / 14 May 2012
