Mantis Bugtracker 

View Issue Details
ID: 0007190
Project: TestLink
Category: Internal issue
View Status: public
Date Submitted: 2015-07-09 15:28
Last Update: 2015-07-09 15:28
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Platform:
OS:
OS Version:
Product Version: 1.9.13 (2015 #1)
Fixed in Version:
Summary: 0007190: CSRF code starts sessions too early and too often
Description: The standard code for starting sessions, lib/functions/common.php::doSessionStart(), calls session_set_cookie_params(99999) (which makes the session cookie expire after about a day) before calling session_start().

However, the act of including lib/functions/common.php also includes lib/functions/csrf.php, which directly calls session_start() before the cookie parameters have been specified, resulting in the session cookie having the default lifetime (as specified in php.ini).

It also causes a new session to be created for EVERY page load - as a result, large quantities of XMLRPC calls will cause PHP's session directory to fill up with empty session files (and trigger garbage collection more often than necessary).

This bug is also hiding additional bugs in at least 3 other pages:
* lib/results/resultsTC.php initializes TLSmarty (whose constructor reads session variables) before starting the session (via init_args())
* lib/results/tcCreatedPerUserOnTestProject.php initializes TLSmarty before starting the session (via init_args())
* login.php accesses session variables in init_gui() before starting the session (via doSessionStart(true))
Additional Information: Double-checked against latest code in GitHub and confirmed that it still happens.
Tags: No tags attached.
Database (MySQL,Postgres,etc): MySQL
PHP Version: 5.4.16

Notes
There are no notes attached to this issue.

Issue History
Date Modified | Username | Field | Change
2015-07-09 15:28 | quietust | New Issue |
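
One way to avoid the ordering problem described in this report, shown as an added PHP example that is not TestLink's code: a single guarded entry point sets the cookie parameters before session_start(), and the CSRF helper starts the session on first use instead of at include time. The names ensureSessionStarted(), csrfToken() and the csrf_token session key are hypothetical; 99999 is the lifetime quoted in the report.

```php
<?php
// Added example; function names and the session key are hypothetical.

const SESSION_COOKIE_LIFETIME = 99999; // lifetime the report quotes from doSessionStart()

/**
 * Single entry point for starting a session. Cookie parameters only take
 * effect when set before session_start(), so both calls live here.
 * Returns true if this call started the session, false if one was active.
 */
function ensureSessionStarted($lifetime = SESSION_COOKIE_LIFETIME)
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return false; // an earlier caller already started it; do not restart
    }
    session_set_cookie_params($lifetime);
    session_start();
    return true;
}

/**
 * CSRF helper that needs session storage. It starts the session lazily,
 * so merely including this file creates no session, and requests that
 * never ask for a token leave no empty session file behind.
 */
function csrfToken()
{
    ensureSessionStarted();
    if (empty($_SESSION['csrf_token'])) {
        // openssl extension assumed available (works on the PHP 5.4 in the report)
        $_SESSION['csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Self-check when run from the command line: prints whether the first call
// started the session, the cookie lifetime in effect, whether a second call
// restarted it, and the token length.
if (PHP_SAPI === 'cli') {
    ini_set('session.use_cookies', '0'); // the CLI sends no headers
    var_dump(ensureSessionStarted());
    var_dump(session_get_cookie_params()['lifetime']);
    var_dump(ensureSessionStarted());
    var_dump(strlen(csrfToken()));
}
```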
