  1. Moodle
  2. MDL-31248

Change in rc4encrypt key is causing cookies encrypted before the change to produce garbage text


Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • 1.9.16, 2.0.7, 2.1.4, 2.2.1
    • 1.9.17, 2.0.8, 2.1.5, 2.2.2
    • Libraries
    • MOODLE_19_STABLE, MOODLE_20_STABLE, MOODLE_21_STABLE, MOODLE_22_STABLE
    • MOODLE_19_STABLE, MOODLE_20_STABLE, MOODLE_21_STABLE, MOODLE_22_STABLE
    • wip-MDL-31248-master-v3
    • Removing the proposed workaround. Sorry, I thought this was a newly introduced setting, but it was not.
    • 1) Start with a fresh install of an old version (e.g. 1.9.14).
      2) Log out and log in a few times.
      3) Upgrade to the current version (pre-patch), log out and observe the garbled characters. Log back in.
      4) Install the patch.

      [TEST] When you log into the site the username field should be blank, or it may possibly have your login details (depends on the browser). Make sure that there is no garbled text.

    Description

      The fix for MDL-28948 (changing the rc4encrypt key for Moodle cookies) is causing the prepopulated username field in the login form to display garbage when a Moodle cookie exists from a previous Moodle version. So this will occur for the first visit to the site on any browser with the cookie saved after the last Moodle upgrade.

      To prevent the previous cookie being misread (as the encryption key will have now changed), I suggest appending the cookie name with "_V2" (hat tip to Matt Clarkson for the suggestion).
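
The failure described above and the cookie-renaming fix, as an added Python sketch that is not Moodle's code: RC4 has no integrity check, so decrypting an old cookie with the new key returns garbage instead of an error, while reading only a `_V2`-suffixed name ignores the old cookie. The keys, cookie name and helper functions are constructed for illustration.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; the same call encrypts and decrypts. No integrity check."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                          # keystream XOR
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

# Constructed sample values (assumptions, not Moodle's real key or cookie name).
OLD_KEY, NEW_KEY = b"constructed-old-key", b"constructed-new-key"
BASE_NAME = "username_cookie"
V2_NAME = BASE_NAME + "_V2"   # suffix suggested in the issue

def set_cookie(jar: dict, name: str, username: str, key: bytes) -> None:
    jar[name] = base64.b64encode(rc4(key, username.encode())).decode()

def read_cookie(jar: dict, name: str, key: bytes) -> str:
    """Return the decrypted value, or "" when the named cookie is absent."""
    if name not in jar:
        return ""
    # latin-1 maps every byte to a character, so wrong-key output shows as garbage
    return rc4(key, base64.b64decode(jar[name])).decode("latin-1")

def demo() -> dict:
    jar = {}                                        # stands in for the browser's cookies
    set_cookie(jar, BASE_NAME, "alice", OLD_KEY)    # written before the upgrade
    result = {
        # Old name, new key: decrypts "successfully" to garbage.
        "unversioned": read_cookie(jar, BASE_NAME, NEW_KEY),
        # New name: the old cookie is never read, so the field stays blank.
        "versioned_first_visit": read_cookie(jar, V2_NAME, NEW_KEY),
    }
    set_cookie(jar, V2_NAME, "alice", NEW_KEY)      # next login after the patch
    result["versioned_after_login"] = read_cookie(jar, V2_NAME, NEW_KEY)
    return result

if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```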

            People

              abgreeve Adrian Greeve
              sry_not4sale Aaron Barnes
              Ankit Agarwal Ankit Agarwal
              Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
              Rajesh Taneja Rajesh Taneja
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Laurent David, Sara Arjona (@sarjona)
              Votes: 6
              Watchers: 17

              Dates

                Created:
                Updated:
                Resolved:
                12/Mar/12