Cookies being set to the wrong time?

Get help with installation and running phpBB 3.3.x here. Please do not post bug reports, feature requests, or extension related questions here.
User avatar
MarkDHamill
Registered User
Posts: 4243
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA
Contact:

Cookies being set to the wrong time?

Post by MarkDHamill »

This board appears to be setting cookies awry. Tell me if I'm right. After logging in I see most of the cookies have an expiration date in 1970.
Screen Shot 2020-07-09 at 5.48.05 PM.png
The effect seems to be that you are logged in but your cookie almost immediately expires.

I sniffed the phpBB code and found this in /phpbb/session.php:

Code: Select all

		if (!$bot)
		{
			$cookie_expire = $this->time_now + (($config['max_autologin_time']) ? 86400 * (int) $config['max_autologin_time'] : 31536000);

			$this->set_cookie('u', $this->cookie_data['u'], $cookie_expire);
			$this->set_cookie('k', $this->cookie_data['k'], $cookie_expire);
			$this->set_cookie('sid', $this->session_id, $cookie_expire);

			unset($cookie_expire);
and found $this->time_now is set to time() earlier in the code. If time() returned 0, this would explain it but it appears to present a current timestamp.

This made $config['max_autologin_time'] suspect. It was set to 30. I changed it to 0. (Unless I'm missing it, I can't find the setting in the ACP, so I did it via the database then purged the cache.)

Same result. A timestamp 31536000 seems to evaluate to a time in 1970, so I think that's the issue.

To get in I must manually delete the board cookies. But I often can't get into the ACP without a HTTP 401 error because I can't get in fast enough, probably because the cookie expired.

My puzzler is sore. Am I on the right track? Any idea of how to fix this?
Need phpBB services or a phpBB consultant? I offer most phpBB services. Getting lost managing phpBB? Buy my book, Mastering phpBB Administration. Kindle and paper versions available.
jimsmiths
Registered User
Posts: 1
Joined: Thu Jul 09, 2020 10:12 pm

Re: Cookies being set to the wrong time?

Post by jimsmiths »

In other words, you'll most likely set this with the time() function plus the number of seconds before you want it to expire. Or you might use mktime(). time()+60*60*24*30 will set the cookie to expire in 30 days. If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes).
Last edited by thecoalman on Thu Jul 09, 2020 10:42 pm, edited 1 time in total.
Reason: Removed unnecessary full quote, please use quote box appropriately. Thanks
User avatar
MarkDHamill
Registered User
Posts: 4243
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA
Contact:

Re: Cookies being set to the wrong time?

Post by MarkDHamill »

It may be the cookie is a red herring. If would think if a cookie expires then it should not trigger a 401 error going into the ACP. Perhaps it has something to do with session management. Unfortunately, I can't seem to find a PHP error log for more clues, and there's nothing in phpBB's error log.
Need phpBB services or a phpBB consultant? I offer most phpBB services. Getting lost managing phpBB? Buy my book, Mastering phpBB Administration. Kindle and paper versions available.
User avatar
MarkDHamill
Registered User
Posts: 4243
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA
Contact:

Re: Cookies being set to the wrong time?

Post by MarkDHamill »

So I looked to see what cookies are created on localhost, and it's the same thing. Seems strange that the _u, _k and _sid cookies would all be set for a date in 1970. Any idea why this would be? I'm guessing it's to make these session cookies?
Screen Shot 2020-07-10 at 3.15.45 PM.png
This at least suggests to me that the cause of the HTTP 401 error lies elsewhere.
Need phpBB services or a phpBB consultant? I offer most phpBB services. Getting lost managing phpBB? Buy my book, Mastering phpBB Administration. Kindle and paper versions available.
User avatar
RMcGirr83
Recognised Extension Developer
Posts: 21283
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr

Re: Cookies being set to the wrong time?

Post by RMcGirr83 »

A timestamp 31536000 seems to evaluate to a time in 1970, so I think that's the issue.
That isn't a timestamp, it is the number of seconds in a 365 day year.

My local cookies, per FF debugger, are set to expire next year and max_autologin_time is set to 0 on the local forums.
Appreciate the extensions/mods/support then buy me a beer Image
In times of change, learners inherit the earth, while the learned find themselves beautifully equipped to deal with a world that no longer exists - Eric Hoffer
Former Modifications/Extensions Team Member | My extensions | My extensions are updated regularly on github
All requests for support via PM will be ignored
User avatar
EA117
Registered User
Posts: 1765
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: Cookies being set to the wrong time?

Post by EA117 »

MarkDHamill wrote:
Fri Jul 10, 2020 7:19 pm
Any idea why this would be? I'm guessing it's to make these session cookies?
I'm pretty sure you would have had to modify phpBB in order to make "session-only cookies" though, since they wouldn't work the way phpBB intends if "they only persisted until the web browser was closed." I believe you can make phpBB set the cookies without a domain (such that they are explicitly "only for the current domain"), but not "without a time" (to make them only for the current browser session).


What is the user interface you're even viewing the cookies with there? It might be common, but I don't recognize it. My first guess would be that whatever this UI is "simply doesn't have access to what the cookie expiration time is", and is showing a zero-based time epoch for that reason.

The place I see explicitly what cookie expiration, domain and other details are being set by phpBB is to delete my current cookies using the web browser's interface for doing this, and then open the F12 Network tab and reload page. (And/or login if I want to see the "_u" and "_k" cookies set to their final values, too.)

The "Set-Cookie" headers you see phpBB sending in the response shown in the F12 Network tab is definitively what ended up being sent from the server; even if those cookies were for the wrong domain, invalid time, or any other condition that would make the web browser immediately choose to not even use the cookies that were sent & wouldn't have displayed them as valid cookies for the site you're viewing.


Have you described what the HTTP 401 problem scenario is? I'm not sure exactly what you're seeing overall, before going after specifically the cookies as a potential cause.

"A phpBB ACP login which fails with a permissions error after successfully finishing the ACP login" does happen to be a symptom several "form invalid" customers also saw. Because if phpBB can't match you back to the same session again on your next visit, that can give you a "no permissions" on the ACP login redirect, same as it can give you "form invalid" even on the initial login.

But I think that ACP login case returned HTTP 403 under those circumstances, not HTTP 401. I do see where session.php will issue an HTTP 401 if NEED_SID is set (which is true for /adm/index.php) and either there isn't any SID in the URL, or that SID in the URL doesn't match the SID which would have been learned from the "_sid" cookie.

So that does seem like "its possible that cookie problems could be causing this HTTP 401", but it remains unclear whether the cookie time stamp is actually the culprit there.
Last edited by EA117 on Fri Jul 10, 2020 8:52 pm, edited 1 time in total.
User avatar
MarkDHamill
Registered User
Posts: 4243
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA
Contact:

Re: Cookies being set to the wrong time?

Post by MarkDHamill »

So if no max_autologin_time is set (value is 0), the cookie will expire in a year. But the cookie shows an expiration date in 1970. The Unix timestamp for 1970-01-19 14:37 is 1625820. Then it seems that in /phpbb/session.php, $this->time evaluates to 0 which it shouldn't because it is set to time() earlier in the program. It just seems off, like this is a bug in phpBB. The first post shows the code. A Unix timestamp is required to set the expiration date.
Need phpBB services or a phpBB consultant? I offer most phpBB services. Getting lost managing phpBB? Buy my book, Mastering phpBB Administration. Kindle and paper versions available.
User avatar
MarkDHamill
Registered User
Posts: 4243
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA
Contact:

Re: Cookies being set to the wrong time?

Post by MarkDHamill »

EA117 wrote:
Fri Jul 10, 2020 8:51 pm
"A phpBB ACP login which fails with a permissions error after successfully finishing the ACP login" does happen to be a symptom several "form invalid" customers also saw. Because if phpBB can't match you back to the same session again on your next visit, that can give you a "no permissions" on the ACP login redirect, same as it can give you "form invalid" even on the initial login.
I think you are right that is issue may be related to sessions disappearing. I would think that would case a 401 (unauthorized) error. The only thing I can think of that could cause this error is if the file in the /cache/production folder cannot overwrite the cached instance of session.php as sessions are refreshed. Not sure which file that would be. Most files in that folder have 666 permissions but some have 644 permissions.
Need phpBB services or a phpBB consultant? I offer most phpBB services. Getting lost managing phpBB? Buy my book, Mastering phpBB Administration. Kindle and paper versions available.
User avatar
3Di
Former Team Member
Posts: 15846
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco
Contact:

Re: Cookies being set to the wrong time?

Post by 3Di »

Code: Select all

$cookie_expire = $this->time_now + (($config['max_autologin_time']) ? 86400 * (int) $config['max_autologin_time'] : 31536000);
Let's read this ternary operator and their timestamps

Code: Select all

$cookie_expire = $this->time_now
// time() aka the exact timestamp of NOW
// example 1594507918
// GMT: Saturday, July 11, 2020 10:51:58 PM

+ // plus (add)

(
	if ($config['max_autologin_time']) // if it is true (aka > 0)
	{
		86400 * (int) $config['max_autologin_time']
		// https://www.epochconverter.com/timestamp-list
		// PLUS  (1594507918 + (1 day x number of the days set in ACP))
	}
	else
	{
		31536000
		// https://www.epochconverter.com/timestamp-list
		// PLUS 1 year (1594507918 + 31536000)
		// GMT: Sunday, July 11, 2021 10:51:58 PM
);

MarkDHamill wrote:
Thu Jul 09, 2020 9:57 pm
(Unless I'm missing it, I can't find the setting in the ACP, so I did it via the database then purged the cache.)
ACP/server configuration/security settings

2020-07-12 00_51_31-Security settings.png
2020-07-12 00_51_31-Security settings.png (3.89 KiB) Viewed 318 times


I don't know btw how are you exploring cookies with something like Xammp for MAc I guess?
I'd use the browser's development tools instead.
I can say here is everything ok, perhaps you are facing a wrong server configuration like file-system or so on.


2020-07-12 01_14_49-Timestamp list (recent dates, upcoming dates, months, years).png
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
:studio_microphone: Looking for a specific feature or alternative option?
User avatar
MarkDHamill
Registered User
Posts: 4243
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA
Contact:

Re: Cookies being set to the wrong time?

Post by MarkDHamill »

I've tested cookies on four websites including localhost, and the _u, _k and _sid cookies all show expiration dates in 1970. It shouldn't be this value because $this->time is set to time() but it is.

Later is session.php in the session_kill() function starting on line 926 there is some other set cookie logic, but it looks like it subtracts a year from the cookie time, its way of telling phpBB to kill the session when it next reads the cookies.

So these should be session cookies but don't seem to disappear when you exit the browser.
Need phpBB services or a phpBB consultant? I offer most phpBB services. Getting lost managing phpBB? Buy my book, Mastering phpBB Administration. Kindle and paper versions available.
User avatar
MarkDHamill
Registered User
Posts: 4243
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA
Contact:

Re: Cookies being set to the wrong time?

Post by MarkDHamill »

Note: these 1970 cookies exist here on phpbb.com's forums too.
Need phpBB services or a phpBB consultant? I offer most phpBB services. Getting lost managing phpBB? Buy my book, Mastering phpBB Administration. Kindle and paper versions available.
User avatar
3Di
Former Team Member
Posts: 15846
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco
Contact:

Re: Cookies being set to the wrong time?

Post by 3Di »

MarkDHamill wrote:
Sat Jul 11, 2020 11:31 pm
Note: these 1970 cookies exist here on phpbb.com's forums too.
I don't see 1970s here. Nor in my localhost or live servers.


2020-07-12 01_33_31-Strumenti di sviluppo - phpBB • Community Home - https___www.phpbb.com_community.png
2020-07-12 01_33_31-Strumenti di sviluppo - phpBB • Community Home - https___www.phpbb.com_community.png (9.28 KiB) Viewed 295 times
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
:studio_microphone: Looking for a specific feature or alternative option?
User avatar
MarkDHamill
Registered User
Posts: 4243
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA
Contact:

Re: Cookies being set to the wrong time?

Post by MarkDHamill »

Here's what I see:
Screen Shot 2020-07-11 at 7.46.09 PM.png
I think this is a browser quirk. I am using Vivaldi which may be sanitizing cookies. In Firefox, using the Storage Inspector, the values look right.
Need phpBB services or a phpBB consultant? I offer most phpBB services. Getting lost managing phpBB? Buy my book, Mastering phpBB Administration. Kindle and paper versions available.
User avatar
3Di
Former Team Member
Posts: 15846
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco
Contact:

Re: Cookies being set to the wrong time?

Post by 3Di »

MarkDHamill wrote:
Sat Jul 11, 2020 11:49 pm
I am using Vivaldi which may be sanitizing cookies. In Firefox, using the Storage Inspector, the values look right.
Vivaldi 🤔 Dunno.

The PHP logic is pretty clear, it is... logic.
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
:studio_microphone: Looking for a specific feature or alternative option?
User avatar
MarkDHamill
Registered User
Posts: 4243
Joined: Fri Aug 02, 2002 12:36 am
Location: Florence, MA USA
Contact:

Re: Cookies being set to the wrong time?

Post by MarkDHamill »

Yes, this looks like a Vivaldi bug. In Chrome Developer tools inside Vivaldi it shows the correct cookie values.

So sorry for the red herring. The general issue remains though but it doesn't appear to be cookie related. It's more likely an issue with a session expected to be in the sessions table not being there. That's just a hunch until I can trap the 401 error to get more details.
Need phpBB services or a phpBB consultant? I offer most phpBB services. Getting lost managing phpBB? Buy my book, Mastering phpBB Administration. Kindle and paper versions available.
Post Reply

Return to “[3.3.x] Support Forum”