Skip to content

Instantly share code, notes, and snippets.

@molotovbliss
Created December 21, 2016 21:20
Show Gist options
  • Save molotovbliss/c8d2c92256931db175c6330d2c3fcb28 to your computer and use it in GitHub Desktop.
Save molotovbliss/c8d2c92256931db175c6330d2c3fcb28 to your computer and use it in GitHub Desktop.
Magento v1 SUPEE-7136 Cookies : 'frontend_cid' is never renewed, compared to 'frontend' one. So session often expires.
Sauce: https://community.magento.com/t5/Technical-Issues/Cookies-frontend-cid-is-never-renewed-compared-to-frontend-one/td-p/41077
The core code seems to have forgotten to include the logic to renew the frontend_cid cookie.
I have contacted Magento support regarding this and they provided me a patch - SUPEE-7136, however I'm not seeing it published online anywhere...
The issue lies in this file:
app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
What the patch does is replace this:
if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) {
// secure cookie check to prevent MITM attack
$secureCookieName = $sessionName . '_cid';
if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])
&& $_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))
) {
session_regenerate_id(false);
$sessionHosts = $this->getSessionHosts();
$currentCookieDomain = $cookie->getDomain();
foreach (array_keys($sessionHosts) as $host) {
// Delete cookies with the same name for parent domains
if (strpos($currentCookieDomain, $host) > 0) {
$cookie->delete($this->getSessionName(), null, $host);
}
}
$_SESSION = array();
}
if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
$checkId = Mage::helper('core')->getRandomString(16);
$cookie->set($secureCookieName, $checkId, null, null, null, true);
$_SESSION[self::SECURE_COOKIE_CHECK_KEY] = md5($checkId);
}
}
with this:
if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) {
// secure cookie check to prevent MITM attack
$secureCookieName = $sessionName . '_cid';
if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
if ($_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))) {
session_regenerate_id(false);
$sessionHosts = $this->getSessionHosts();
$currentCookieDomain = $cookie->getDomain();
foreach (array_keys($sessionHosts) as $host) {
// Delete cookies with the same name for parent domains
if (strpos($currentCookieDomain, $host) > 0) {
$cookie->delete($this->getSessionName(), null, $host);
}
}
$_SESSION = array();
} else {
/**
* Renew secure cookie expiration time if secure id did not change
*/
$cookie->renew($secureCookieName, null, null, null, true, null);
}
}
if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) {
$checkId = Mage::helper('core')->getRandomString(16);
$cookie->set($secureCookieName, $checkId, null, null, null, true);
$_SESSION[self::SECURE_COOKIE_CHECK_KEY] = md5($checkId);
}
}
@avoelkl
Copy link

avoelkl commented Jun 28, 2017

Thanks a lot, this was really helpful!

@cfgalvani
Copy link

Thanks a lot, this was really helpful! [2]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment