-
-
Save cfgalvani/919e8a6f3501caca394e0fe00c756895 to your computer and use it in GitHub Desktop.
Magento v1 SUPEE-7136 Cookies : 'frontend_cid' is never renewed, compared to 'frontend' one. So session often expires.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Sauce: https://community.magento.com/t5/Technical-Issues/Cookies-frontend-cid-is-never-renewed-compared-to-frontend-one/td-p/41077 | |
| The core code seems to have forgotten to include the logic to renew the frontend_cid cookie. | |
| I have contacted Magento support regarding this and they provided me a patch - SUPEE-7136, however I'm not seeing it published online anywhere... | |
| The issue lies in this file: | |
| app/code/core/Mage/Core/Model/Session/Abstract/Varien.php | |
| What the patch does is replace this: | |
| if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) { | |
| // secure cookie check to prevent MITM attack | |
| $secureCookieName = $sessionName . '_cid'; | |
| if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY]) | |
| && $_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName)) | |
| ) { | |
| session_regenerate_id(false); | |
| $sessionHosts = $this->getSessionHosts(); | |
| $currentCookieDomain = $cookie->getDomain(); | |
| foreach (array_keys($sessionHosts) as $host) { | |
| // Delete cookies with the same name for parent domains | |
| if (strpos($currentCookieDomain, $host) > 0) { | |
| $cookie->delete($this->getSessionName(), null, $host); | |
| } | |
| } | |
| $_SESSION = array(); | |
| } | |
| if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) { | |
| $checkId = Mage::helper('core')->getRandomString(16); | |
| $cookie->set($secureCookieName, $checkId, null, null, null, true); | |
| $_SESSION[self::SECURE_COOKIE_CHECK_KEY] = md5($checkId); | |
| } | |
| } | |
| with this: | |
| if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) { | |
| // secure cookie check to prevent MITM attack | |
| $secureCookieName = $sessionName . '_cid'; | |
| if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) { | |
| if ($_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))) { | |
| session_regenerate_id(false); | |
| $sessionHosts = $this->getSessionHosts(); | |
| $currentCookieDomain = $cookie->getDomain(); | |
| foreach (array_keys($sessionHosts) as $host) { | |
| // Delete cookies with the same name for parent domains | |
| if (strpos($currentCookieDomain, $host) > 0) { | |
| $cookie->delete($this->getSessionName(), null, $host); | |
| } | |
| } | |
| $_SESSION = array(); | |
| } else { | |
| /** | |
| * Renew secure cookie expiration time if secure id did not change | |
| */ | |
| $cookie->renew($secureCookieName, null, null, null, true, null); | |
| } | |
| } | |
| if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) { | |
| $checkId = Mage::helper('core')->getRandomString(16); | |
| $cookie->set($secureCookieName, $checkId, null, null, null, true); | |
| $_SESSION[self::SECURE_COOKIE_CHECK_KEY] = md5($checkId); | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment