Created
December 21, 2016 21:20
-
-
Save molotovbliss/c8d2c92256931db175c6330d2c3fcb28 to your computer and use it in GitHub Desktop.
Magento v1 SUPEE-7136 Cookies : 'frontend_cid' is never renewed, compared to 'frontend' one. So session often expires.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sauce: https://community.magento.com/t5/Technical-Issues/Cookies-frontend-cid-is-never-renewed-compared-to-frontend-one/td-p/41077 | |
The core code seems to have forgotten to include the logic to renew the frontend_cid cookie. | |
I have contacted Magento support regarding this and they provided me a patch - SUPEE-7136, however I'm not seeing it published online anywhere... | |
The issue lies in this file: | |
app/code/core/Mage/Core/Model/Session/Abstract/Varien.php | |
What the patch does is replace this: | |
if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) { | |
// secure cookie check to prevent MITM attack | |
$secureCookieName = $sessionName . '_cid'; | |
if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY]) | |
&& $_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName)) | |
) { | |
session_regenerate_id(false); | |
$sessionHosts = $this->getSessionHosts(); | |
$currentCookieDomain = $cookie->getDomain(); | |
foreach (array_keys($sessionHosts) as $host) { | |
// Delete cookies with the same name for parent domains | |
if (strpos($currentCookieDomain, $host) > 0) { | |
$cookie->delete($this->getSessionName(), null, $host); | |
} | |
} | |
$_SESSION = array(); | |
} | |
if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) { | |
$checkId = Mage::helper('core')->getRandomString(16); | |
$cookie->set($secureCookieName, $checkId, null, null, null, true); | |
$_SESSION[self::SECURE_COOKIE_CHECK_KEY] = md5($checkId); | |
} | |
} | |
with this: | |
if (Mage::app()->getFrontController()->getRequest()->isSecure() && empty($cookieParams['secure'])) { | |
// secure cookie check to prevent MITM attack | |
$secureCookieName = $sessionName . '_cid'; | |
if (isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) { | |
if ($_SESSION[self::SECURE_COOKIE_CHECK_KEY] !== md5($cookie->get($secureCookieName))) { | |
session_regenerate_id(false); | |
$sessionHosts = $this->getSessionHosts(); | |
$currentCookieDomain = $cookie->getDomain(); | |
foreach (array_keys($sessionHosts) as $host) { | |
// Delete cookies with the same name for parent domains | |
if (strpos($currentCookieDomain, $host) > 0) { | |
$cookie->delete($this->getSessionName(), null, $host); | |
} | |
} | |
$_SESSION = array(); | |
} else { | |
/** | |
* Renew secure cookie expiration time if secure id did not change | |
*/ | |
$cookie->renew($secureCookieName, null, null, null, true, null); | |
} | |
} | |
if (!isset($_SESSION[self::SECURE_COOKIE_CHECK_KEY])) { | |
$checkId = Mage::helper('core')->getRandomString(16); | |
$cookie->set($secureCookieName, $checkId, null, null, null, true); | |
$_SESSION[self::SECURE_COOKIE_CHECK_KEY] = md5($checkId); | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thanks a lot, this was really helpful! [2]