Session cookie is actually persistant

[davidpede]

Summary

The system setting 'session_cookie_lifetime' is by default set to '604800' (one week) and the description indicates that it is only used if a user selects 'Remember Me' when logging in:

"Use this setting to customize the session cookie lifetime in seconds. This is used to set the lifetime of a client session cookie when they choose the 'remember me' option on login."

However the 'PHPSESSID' session cookie set by MODX for any anonymous user is acually set to expire using the 'session_cookie_lifetime' setting of one week. This interfers with things like a shopping cart that uses session variables as the user uses the same session/session variables for a week.

Leaving the 'session_cookie_lifetime' setting blank fixes this and the 'PHPSESSID' cookie expires on closing the browser, but you lose the 'Remember Me' function.

Is this a bug or expected behavior? If expected perhase the setting desc needs correcting?

Step to reproduce

Clear all browser cookies and visit a MODX website. Using firebug/dev tools inspect the 'PHPSESSID' cookie.

Observed behavior

'PHPSESSID' cookie is set to expire in one week.

Expected behavior

'PHPSESSID' cookie should be set to expire at end of session.

Environment

MODX Revolution 2.3.3-adv, Firefox, Chrome, IE11.

[OptimusCrime]

I thought the PHPSESSID was a cookie that PHP used internally to make sessions etc work?

[davidpede]

It is but MODX takes over the handling of sessions by changing the 'session_handler_class' from PHP to a custom handler 'modSessionHandler'.

By default PHP would write session data to the file system but MODX writes it to a database table instead. The value of the PHPSESSID cookie is the row id for the relevant session data in the 'modx_session' table.

As MODX takes over the handling of sessions, it seems to be setting the session cookie expires incorrectly somewhere which is where the problem is.

[bwente]

I came here looking for a solution. I just found out that my $coupon = $_SESSION['discounts']['coupon'] is not expiring either. If you keep visiting the site once a week it keeps getting reset.

So any snippet you create using a $_SESSION can't be trusted. Use setcookie instead?

[wshawn]

I concur.

The method used to destroy $_SESSIONS is incorrect.

The Method doing the work:

 /**
     * Ends a user session completely, including all contexts.
     *
     * @access public
     */
    public function endSession() {
        $this->removeLocks();
        $_SESSION = array();
        if (ini_get("session.use_cookies")) {
            $params = session_get_cookie_params();
            setcookie(
                session_name(),
                '',
                time() - 42000,
                $params["path"],
                $params["domain"],
                $params["secure"],
                $params["httponly"]
            );
        }
        session_destroy();
    }

Per PHP docs:

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. 

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

I also notice a large amount of Sessions remaining in the modx_session table, though these could be drop offs.

In short, user information remains with them after log out which is not the desired effect.

I would like to see the entire session destroyed, not just context information.

Example unwanted $_SESSION after current logout:

array ( 'modx.user.0.resourceGroups' => array ( 'web' => array ( 0 => '11', 1 => '12', ), ),
'modx.user.0.attributes' => array ( 'operations' => array ( 'modAccessContext' => array ( 'operations' 
=> array ( 0 => array ( 'principal' => 0, 'authority' => '0', 'policy' => array ( 'load' => true, 'list' => true, 
'view' => true, ), ), ), 'HIDDEN-HOLD' => array ( 0 => array ( 'principal' => 0, 'authority' => '0', 'policy' 
=> array ( 'load' => true, ), ), ), 'web' => array ( 0 => array ( 'principal' => 0, 'authority' => '0', 'policy' 
=> array ( 'load' => true, 'list' => true, 'view' => true, ), ), ), ), 'modAccessResourceGroup' => array ( 
8 => array ( 0 => array ( 'principal' => 0, 'authority' => '0', 'policy' => array ( 'load' => true, ), ), ), ), 
'modAccessCategory' => array ( ), 'sources.modAccessMediaSource' => array ( ), ), 'web' => array ( 
'modAccessContext' => array ( 'operations' => array ( 0 => array ( 'principal' => 0, 'authority' => '0', 
'policy' => array ( 'load' => true, 'list' => true, 'view' => true, ), ), ), 'HIDDEN-HOLD' => array ( 0 => 
array ( 'principal' => 0, 'authority' => '0', 'policy' => array ( 'load' => true, ), ), ), 'web' => array ( 0 => 
array ( 'principal' => 0, 'authority' => '0', 'policy' => array ( 'load' => true, 'list' => true, 'view' => true, 
), ), ), ), 'modAccessResourceGroup' => array ( 11 => array ( 0 => array ( 'principal' => 0, 'authority' 
=> '0', 'policy' => array ( 'load' => true, 'list' => true, 'view' => true, ), ), ), 12 => array ( 0 => array ( 
'principal' => 0, 'authority' => '0', 'policy' => array ( 'load' => true, 'list' => true, 'view' => true, ), ), ), ), 
'modAccessCategory' => array ( ), 'sources.modAccessMediaSource' => array ( ), ), ), 
'modx.user.contextTokens' => array ( 'operations' => 1, ), 'modx.user.0.userGroupNames' => array ( 
), 'modx.operations.user.token' => 'modx54cb79e6d9f883.93539893_15553a653a09488.53960853', 
'modx.operations.session.cookie.lifetime' => 604800, 'modx.operations.user.config' => array ( ), 
'modx.user.1.userGroupNames' => array ( 0 => 'Administrator', 1 => 'Affiliate', 2 => 'HIDDEN', 3 => 
'Operations', ), 'clientId' => 100000, 'clientCompanyProgramId' => 1, 'clientDisplayName' => 
'ClientName', 'clientRef' => 'ATE6EWF7QGXC', 'modx.user.100000.userGroupNames' => array ( 0 
=> 'Affiliate', 1 => 'Customer', ), 'deviceId' => 53, 'displayName' => 'DeviceName', 'enrollerID' => 99, 
'enrollerName' => 'enqueue', 'programType' => 'Affiliate', 'enrolledByName' => 'enqueue', 
'teamLeaderName' => 'TeamLeaderName', 'modx.user.100000.resourceGroups' => array ( 'web' => 
array ( 0 => '4', 1 => '5', 2 => '6', ), ), 'modx.user.100000.attributes' => array ( 'web' => array ( 
'modAccessContext' => array ( 'web' => array ( 0 => array ( 'principal' => '5', 'authority' => '1000', 
'policy' => array ( 'load' => true, 'list' => true, 'view' => true, 'save' => true, 'remove' => true, 'copy' => 
true, 'view_unpublished' => true, ), ), 1 => array ( 'principal' => '7', 'authority' => '3000', 'policy' => 
array ( 'load' => true, 'list' => true, 'view' => true, 'save' => true, 'remove' => true, 'copy' => true, 
'view_unpublished' => true, ), ), ), ), 'modAccessResourceGroup' => array ( 4 => array ( 0 => array ( 
'principal' => '5', 'authority' => '1000', 'policy' => array ( 'add_children' => true, 'create' => true, 
'copy' => true, 'delete' => true, 'list' => true, 'load' => true, 'move' => true, 'publish' => true, 'remove' 
=> true, 'save' => true, 'steal_lock' => true, 'undelete' => true, 'unpublish' => true, 'view' => true, ), ), 
), 5 => array ( 0 => array ( 'principal' => '5', 'authority' => '1000', 'policy' => array ( 'add_children' => 
true, 'create' => true, 'copy' => true, 'delete' => true, 'list' => true, 'load' => true, 'move' => true, 
'publish' => true, 'remove' => true, 'save' => true, 'steal_lock' => true, 'undelete' => true, 'unpublish' 
=> true, 'view' => true, ), ), ), 6 => array ( 0 => array ( 'principal' => '5', 'authority' => '1000', 'policy' 
=> array ( 'add_children' => true, 'create' => true, 'copy' => true, 'delete' => true, 'list' => true, 'load' 
=> true, 'move' => true, 'publish' => true, 'remove' => true, 'save' => true, 'steal_lock' => true, 
'undelete' => true, 'unpublish' => true, 'view' => true, ), ), 1 => array ( 'principal' => '7', 'authority' => 
'3000', 'policy' => array ( 'add_children' => true, 'create' => true, 'copy' => true, 'delete' => true, 'list' 
=> true, 'load' => true, 'move' => true, 'publish' => true, 'remove' => true, 'save' => true, 'steal_lock' 
=> true, 'undelete' => true, 'unpublish' => true, 'view' => true, ), ), ), ), 'modAccessCategory' => array 
( ), 'sources.modAccessMediaSource' => array ( ), ), ), )

What we should be seeing:

array ( 'modx.user.0.resourceGroups' => array ( 'web' => array ( 0 => '11', 1 => '12', ), ), 
'modx.user.0.attributes' => array ( 'web' => array ( 'modAccessContext' => array ( 'operations' => 
array ( 0 => array ( 'principal' => 0, 'authority' => '0', 'policy' => array ( 'load' => true, 'list' => true, 
'view' => true, ), ), ), 'HIDDEN-HOLD' => array ( 0 => array ( 'principal' => 0, 'authority' => '0', 'policy' 
=> array ( 'load' => true, ), ), ), 'web' => array ( 0 => array ( 'principal' => 0, 'authority' => '0', 'policy' 
=> array ( 'load' => true, 'list' => true, 'view' => true, ), ), ), ), 'modAccessResourceGroup' => array ( 
11 => array ( 0 => array ( 'principal' => 0, 'authority' => '0', 'policy' => array ( 'load' => true, 'list' => 
true, 'view' => true, ), ), ), 12 => array ( 0 => array ( 'principal' => 0, 'authority' => '0', 'policy' => array 
( 'load' => true, 'list' => true, 'view' => true, ), ), ), ), 'modAccessCategory' => array ( ), 
'sources.modAccessMediaSource' => array ( ), ), ), 'modx.user.0.userGroupNames' => array ( ), 
'modx.user.contextTokens' => array ( ), ) 

Part of this may be browser specific.
Internet Explorer 11 clears it correctly.
Google Chrome 42.0.2311.152 m retains the extra information
Firefox 37.0.2 Appears to clear it correctly also.
Safari also clears the $_SESSION.

Please make sure the $_SESSION Is completely destroyed across all devices.

I just verified the $_SESSIONs are indeed left in the database after logout.

If I clear Chrome's browser cache, I can log in and back out with a clean session. Evidently, MODX is restoring old session information from local cookies as I made changes in the class I am using and those cosmetic changes did not appear, but the old $_SESSION values did.

[OptimusCrime]

Can anyone with better insight in this shed some light on what is going on here?

[jsears]

Was or will this ever be resolved? This issue is causing my current site to fail webinspect Cookie Security: Persistent Cookie ( 4728 )

[davidpede]

I'll take a proper look at this soon as still causing issues. Seems to be around here that its getting set wrong:

revolution/core/model/modx/modx.class.php

Line 2511 in 9ba171e

setcookie(session_name(), session_id(), $cookieExpiration, $cookiePath, $cookieDomain,

[Ibochkarev]

@davidpede Could you figure it out?

[wshawn]

You can create a "pseudo hook" (autonomous snippet) placed on the landing page that on logout looks for the service=logout in the $_POST and destroys the cookie and the session after the Login package "completes" its process.