Sessions initialized for all users

  • Charles Fulton

    (@mackensen)


    5 years ago

    We’ve encountered the same issue described in Early session initialization:

    Session initialization happens too early in this plug-in. It sets a cookie for every user regardless of whether they need to log in or not.

    https://plugins.trac.ww.wp.xz.cn/browser/wp-cassify/tags/2.0.4/classes/wp_cassify_plugin.php#L140

    This line binds the “wp_cassify_session_start” action to “init”, when it should probably be bound to “wp_authenticate”.

    Starting a session for every user makes caching difficult.

    With the 2.2.5 release it hooks into wp_loaded, but that still fires for all users regardless of whether they’re logging in or logged-in. See https://serverfault.com/a/979915 for more about PHP sessions and caching. I tried swapping in wp_authenticate for wp_loaded and auth seemed to work, but the ticket stayed in the address bar so something wasn’t right.

Viewing 3 replies - 1 through 3 (of 3 total)
  • zitoa

    (@zitoa)

    5 years ago

    I have a candidate patch that fixes this: https://gist.github.com/azito122/503c9fc5006c71922e94ae014db597dc

    Basically we just attach session_start to wp_authenticate instead of wp_loaded. I also had to throw in a session_start() call in the logout action to prevent an error.

    damien_vancouver

    (@damien_vancouver)

    4 years, 10 months ago

    This bug just took down a customer’s server by using up over 1.75 Million inodes on the file system. The server ran out of disk space with 80% of its disk space free.
    The root cause was wp-cassify and it binding its session start to init, as described in this post.

    I see it’s been updated to wp_loaded which is the exact same problem.

    The root issue is that the top level plugin page (plugins/wp-cassify/wp-cassify.php) is loading up an instance of the public class *and* the admin class on every single page load. This (among other things) creates a PHP session, which not only breaks cachign (bad) but can fill up the entire filesystem by using up all the inodes (also really bad, crashes the entire server).

    In the top level wp-cassify.php we have:

    $GLOBALS['wp-cassify'] = new \wp_cassify\WP_Cassify_Plugin();
$GLOBALS['wp-cassify']->init_parameters(
        $wp_cassify_network_activated,
                $wp_cassify_default_xpath_query_to_extact_cas_user,
                $wp_cassify_default_xpath_query_to_extact_cas_attributes,
                $wp_cassify_default_redirect_parameter_name,
                $wp_cassify_default_service_ticket_parameter_name,
                $wp_cassify_default_service_service_parameter_name,
                $wp_cassify_default_gateway_parameter_name,
                $wp_cassify_default_bypass_parameter_name,
                $wp_cassify_default_cachetimes_for_authrecheck,

    The WP_Cassify_Plugin::init_parameters() method calls the session_start that creates all the problems.

    This is easily fixed becgause you only need a session for users that have submitted the login page! Only if someone *submits* the login form do you need a session. All other instances should have no session started, so that caching can work, and so that the disk is not filled with zero byte session files.

    This bug means that any site with wp-cassify on has zero caching active, which leads to overloads and downtime. the fact that every bot HTTP hit can create a php session leads to a DDoS vulnerability and site outages. Please fix!

    Plugin Author Alain-Aymerick FRANCOIS

    (@aaf017)

    4 years, 7 months ago

    Hi Damien,

    Thank you for your explanation. But, i’m not sure. But i think i needs to keep early PHP Session initialization to process CAS Client gateway mode. (=> Automatic login if user has already authenticated by CAS). And to implement this mecanism, i’ve ported phpCas implementation based on PHP Session.
    For the moment, I have not found any other way to implement this feature.

    Take a look at this and you will understand that i said.
    https://github.com/apereo/phpCAS/blob/master/source/CAS/Client.php#L1515

    Best regards.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Sessions initialized for all users’ is closed to new replies.