  1. phpBB3
  2. PHPBB3-12084

Incomplete session loading on first request when using autologin_method

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.10
    • Fix Version/s: 3.1.12-RC1
    • Component/s: Authentication
    • Labels:
      None
    • Environment:
      PHP Version 5.4.4-14+deb7u5

      Description

      When using the autologin_method of a custom authentication plugin, the internal data of the $user object is not fully loaded on the first request to the forum (which is the same request that triggers the authentication / autologin_method()).

      This results in a number of elements on the forum not being rendered or not being rendered correctly.

      On the second request (when the user already has a valid session active), everything is rendered correctly and all variables are correctly set.


      After some debugging I found that this is caused by the order in which things are set in session_begin().

      The usual flow goes as:
      1) session_begin() is called
      2) if $this->session_id is not empty, it loads the according entry of USER_TABLE + SESSION_TABLE into $this->data
      3) if no session is found, it delegates to session_create()

      In session_create() the autologin_method() gets called, which by definition should return a USER_TABLE row. This row is then loaded into $this->data. After that a new session for the returned user is created (but I guess not merged into $this->data).

      One random result of this is that no FORUM_LAST_VISITED variable is set to the template, because $user->data['date_format'] is null on that first request. CURRENT_TIME also does not get set correctly for the same reason. Further, all forums show "no recent posts", leaving the forum deserted.

      The second request (e.g. plain reloading the page) then triggers point (2) and everything goes as expected.

      I partly came to find a workaround by placing the following at the end of session_begin() in sessions.php:

      // If we reach here then no (valid) session exists. So we'll create a new one
      $created = $this->session_create();

      // Reload $this->data with USER and SESSION data for the session just created
      $sql = 'SELECT u.*, s.*
       FROM ' . SESSIONS_TABLE . ' s, ' . USERS_TABLE . " u
       WHERE s.session_id = '" . $db->sql_escape($this->session_id) . "'
       AND u.user_id = s.session_user_id";
      $result = $db->sql_query($sql);
      $this->data = $db->sql_fetchrow($result);
      $db->sql_freeresult($result);

      // Return session_create()'s result, not the (already freed) query handle
      return $created;
      

      Obviously this is not enough.

      It fixed the above-mentioned issues with date-related things, but I still don't have an administration area link rendered, nor the amount of private messages on the board overview on the first request.

      I can easily reproduce this on my phpBB 3.0.10 by deleting all cookies and thus forcing a new session to be created upon my autologin_method().

      My autologin_method() also follows the documentation and returns a full USER_TABLE row, which is retrieved from the database.


            People

            • Assignee:
              CHItA
              Reporter:
              semom (Inactive)