Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-16640

Sesskey change after relogin results in lost forum posts in other open windows

    XMLWordPrintable

    Details

    • Affected Branches:
      MOODLE_19_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE

      Description

      I posted about this issue on the Moodle forums, and corresponded with Petr Skoda... here's the thread:
      http://moodle.org/mod/forum/discuss.php?d=105891

      And here's the short summary:

      Several of our users have lost forum posts when they got an "Incorrect sesskey" message. The error message is in the formslib.php... it is thrown when Moodle believes the form they are submitting was not generated for them. (I.e., sesskey in the hidden form field does not match sesskey stored in the user's session data.)

      The error is happening because, for some reason, the login/index.php page is being requested by these users when they open a second browser tab or window. In Firefox, all browser windows and tabs share the same session.. and somehow the second browser ends up passing through the SSO sign-in process, and executing the code in login/index.php. You can reproduce this on any Moodle site with or without SSO, by opening a second browser window, requesting the login/php.php page yourself, and entering your username and password.

      The downstream code in /login/index.php sets a random sesskey, and stores it in the session. So the users are having the sesskey changed for their existing session... and when they try to submit a forum post that they left open in the first browser window, it fails with the sesskey mismatch.

      The fix is very simple:

      In login/index.php, add this, around line 45 (after the auth_instructions stuff).

      // check if the user is already logged in
      // if so, skip the login process... otherwise we can mess up
      // the existing sesskey and other session data

      if (isloggedin()) {
      redirect($CFG->wwwroot.'/index.php');
      }

      After implementing this fix on our site, the sesskey errors have stopped. (We were previously seeing about six a day).

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                skodak Petr Skoda
                Reporter:
                garretg Garret Gengler
                Participants:
                Component watchers:
                Jake Dallimore, Jun Pataleta, Jake Dallimore, Jun Pataleta, Andrew Nicols, Mathew May, Michael Hawkins, Shamim Rezaie, Simey Lameze
              • Votes:
                1 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  24/Nov/10