Moodle

Cookieless Moodle Broken

Details

  • Type: Bug
  • Status: Closed
  • Priority: Major
  • Resolution: Won't Fix
  • Affects Version/s: 1.9.4
  • Fix Version/s: None
  • Labels:
    None
  • Environment:
    Linux version 2.6.9-023stab046.2-enterprise (root@rhel4-32) (gcc version 3.4.5 20051201 (Red Hat 3.4.5-2)) #1 SMP
    Apache 2.2.3
    PHP 5.2.6
  • Affected Branches:
    MOODLE_19_STABLE

Description

The cookieless functionality of Moodle enabled by setting $CFG->usesid=true; appears to be broken.
We took care to make sure our php.ini follows the guidelines defined in http://docs.moodle.org/en/Cookieless_Sessions
Also there are no mod_security rules or other security systems in place.

Some of the URLs are correctly extended with the sesskey and MoodleSession parameters.
Most notably the "Turn Editing On" button within a course and most of the icons.

The vast majority of the links, however, are not edited and will lead a user without cookie support to be logged out.

From what we know so far, the new moodle_url class introduced in 1.9 does not seem to be integrated with cookieless Moodle.
Unfortunately none of the people on our team are sophisticated PHP programmers, so we can't fix it ourselves.

Activity

Alyson Stibbard added a comment -

We are running Moodle 1.9.3+ (Build: 20081126) and recently upgraded from PHP 5.1.5 to 5.5. This "broke" cookieless mode because, starting with PHP 5.2, objects are destroyed before output buffer handlers are called (see http://bugs.php.net/bug.php?id=40104). This means that the global $CFG variable is not available to the function sid_process_url in cookieless.php when it is used within a callback during the buffer rewrite. As a consequence, internal URLs are treated as external and the session id is not appended. I have put a band-aid on the relevant test by replacing $CFG->(https)wwwroot with 'http(s)://'.$_SERVER['HTTP_HOST'], which is good enough for our purposes. Since these are not the same for all users, some people may wish to hardwire the site root into their code instead.

It would be interesting to know whether this problem has been addressed in Moodle 2.0.

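As an added example (not Moodle's own code) of the rewrite step the comment above describes: the site root is handed to the output-buffer callback as a plain string captured at registration time, instead of being read from the global $CFG object that is already destroyed when the handler runs. It assumes PHP 5.3+ closure syntax; the function names, the site root and the session value are placeholders.

```php
<?php
// Hypothetical helpers, not Moodle's sid_process_url. The point: decide
// "internal vs external" from a string passed by value, never from a global
// object, and attach the session id to internal URLs only so it is not
// leaked to third-party sites through links or the Referer header.

function sid_append_to_url($url, $wwwroot, $sid) {
    // Failure mode from the comment: if the root is unknown, treat every
    // URL as external rather than attaching the sid to everything.
    if ($wwwroot === '' || strpos($url, $wwwroot) !== 0) {
        return $url;                                // external: unchanged
    }
    if (strpos($url, 'MoodleSession=') !== false) {
        return $url;                                // already rewritten
    }
    $parts = explode('#', $url, 2);                 // keep any fragment last
    $sep = (strpos($parts[0], '?') === false) ? '?' : '&amp;';
    $parts[0] .= $sep . 'MoodleSession=' . urlencode($sid);
    return implode('#', $parts);
}

// Rewrite every href/src/action attribute in an HTML buffer.
function sid_rewrite_html($html, $wwwroot, $sid) {
    return preg_replace_callback(
        '/\b(href|src|action)=(["\'])([^"\']*)\2/i',
        function ($m) use ($wwwroot, $sid) {
            return $m[1] . '=' . $m[2]
                 . sid_append_to_url($m[3], $wwwroot, $sid) . $m[2];
        },
        $html
    );
}

// Capture the root as a scalar BEFORE registering the handler: a string copy
// survives object destruction, the global $CFG object does not.
$wwwroot = 'https://moodle.example.org';            // constructed placeholder
$sid     = 'constructed-session-id';                // placeholder for session_id()

ob_start(function ($buffer) use ($wwwroot, $sid) {
    return sid_rewrite_html($buffer, $wwwroot, $sid);
});

// Constructed sample page: the first link is internal and gets the sid,
// the second is external and is left untouched.
echo '<a href="https://moodle.example.org/course/view.php?id=2">Course</a>', "\n";
echo '<a href="https://example.com/">External</a>', "\n";
ob_end_flush();
```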
Petr Škoda (skodak) added a comment -

Hello,
the experimental cookieless mode was removed completely in 2.2dev; no more fixes are planned for older versions.

The purpose of this feature was to support older mobile phone browsers that did not have cookie support. This feature was a security risk and was never recommended for production sites. It was also sometimes abused on incorrectly configured sites to work around some session problems.

Please do not use this experimental feature.

Petr

