Moodle / MDL-31248

Change in rc4encrypt key is causing cookies encrypted before the change to produce garbage text

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.9.16, 2.0.7, 2.1.4, 2.2.1
    • Fix Version/s: 1.9.17, 2.0.8, 2.1.5, 2.2.2
    • Component/s: Libraries
    • Labels:
    • Testing Instructions:

      1) Start with a fresh install of an old version (eg 1.9.14).
      2) Log out and log in a few times.
      3) Upgrade to the current version (pre-patch), log out and observe the garbled characters. Log back in.
      4) Install the patch.

      [TEST] When you log into the site the username field should be blank, or it may possibly have your login details (depends on the browser). Make sure that there is no garbled text.

    • Workaround:

      Removing the proposed workaround. Sorry, I thought this was a newly introduced setting, but it was not.

    • Affected Branches:
      MOODLE_19_STABLE, MOODLE_20_STABLE, MOODLE_21_STABLE, MOODLE_22_STABLE
    • Fixed Branches:
      MOODLE_19_STABLE, MOODLE_20_STABLE, MOODLE_21_STABLE, MOODLE_22_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      wip-MDL-31248-master-v3
    • Rank:
      37709

      Description

      The fix for MDL-28948 (changing the rc4encrypt key for moodle cookies) is causing the prepopulated username field in the login form to display garbage when a moodle cookie exists from a previous moodle version. So this will occur for the first visit to the site on any browser with the cookie saved after the last moodle upgrade.

      To prevent the previous cookie being misread (as the encryption key will have now changed), I suggest appending the cookie name with "_V2" (hat tip to Matt Clarkson for the suggestion).
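
The failure and the proposed rename, as an added PHP illustration that is not Moodle's code: RC4 has no integrity check, so decrypting an old cookie with the new key returns unrelated bytes instead of failing. The `rc4()` helper, the key strings, the username and the cookie names `REMEMBERED_USER` / `REMEMBERED_USER_V2` are constructed for this example.

```php
<?php
// Plain RC4 stream cipher: the same call encrypts and decrypts.
function rc4(string $key, string $data): string {
    $s = range(0, 255);
    $j = 0;
    $klen = strlen($key);
    // Key scheduling.
    for ($i = 0; $i < 256; $i++) {
        $j = ($j + $s[$i] + ord($key[$i % $klen])) % 256;
        [$s[$i], $s[$j]] = [$s[$j], $s[$i]];
    }
    // Keystream generation, XORed over the data.
    $i = $j = 0;
    $out = '';
    for ($n = 0, $len = strlen($data); $n < $len; $n++) {
        $i = ($i + 1) % 256;
        $j = ($j + $s[$i]) % 256;
        [$s[$i], $s[$j]] = [$s[$j], $s[$i]];
        $out .= chr(ord($data[$n]) ^ $s[($s[$i] + $s[$j]) % 256]);
    }
    return $out;
}

// Read the remembered username only from the named cookie.
// A missing cookie yields an empty string, i.e. a blank login field.
function remembered_username(array $cookies, string $name, string $key): string {
    if (!isset($cookies[$name])) {
        return '';
    }
    return rc4($key, (string) base64_decode($cookies[$name]));
}

$oldkey = 'constructed-old-key';   // key in use before the upgrade (constructed)
$newkey = 'constructed-new-key';   // key in use after the upgrade (constructed)

// Cookie jar as the browser holds it from before the upgrade.
$cookies = ['REMEMBERED_USER' => base64_encode(rc4($oldkey, 'jsmith'))];

// Pre-patch behaviour: same cookie name, new key. Decryption does not fail,
// it just produces bytes unrelated to the stored username.
$garbled = remembered_username($cookies, 'REMEMBERED_USER', $newkey);
echo 'same name, new key: ', bin2hex($garbled), "\n";

// Suggested fix: the new code looks up a "_V2" name, so the old cookie
// is never fed to the new key and the field stays blank.
$clean = remembered_username($cookies, 'REMEMBERED_USER_V2', $newkey);
echo 'V2 name, new key:   ', var_export($clean, true), "\n";
```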

            People

            • Votes: 6
            • Watchers: 18
