happens on:
- Mac Firefox
- Mac Safari (3.0.3)
- Windows Firefox
I cannot pinpoint it yet to one cause.
But overall it looks like the "remember" setting is not carried through:
- when I close the browser and open it again, I am not remembered at all
- perhaps this is because the "remember" setting is stored in a session cookie, so it is not stored permanently
--
TWiki:Main.ArthurClemens - 08 Oct 2007
It is not the browser which saves the cookie, it is TWiki. All the browser does exchange with TWiki is the session id, which serves as a key to the file name.
I can not reproduce your observation - for me, remembering works with both Firefox on Linux and Epiphany. I can hardly see why the browser could have an effect on what TWiki will write into its session file. Could you describe in some more detail what you actually observe?
BTW: There's a browser setting in Firefox which allows clearing all cookies when "I close Firefox". But that should not prevent login, just "remembering" can't work because the session id (the pointer to the file) is missing.
--
TWiki:Main.HaraldJoerg - 08 Oct 2007
So what does "remember" do when it is working? Where and when are you remembered? And where is that setting (cookie) stored?
--
TWiki:Main.ArthurClemens - 08 Oct 2007
For every request, regardless of the browser, TWiki sends you a cookie with name TWIKISID and the content of a "session id". This session id is just a pointer to a file name, the part after working/tmp/cgisess_, which is stored by TWiki on the server side. The client has just "his" part of the file name, and adds this cookie back to every request to the server.
Now if you have Remember set to true, two things happen:
- The string ",Remember => 1" is added to the contents of the file, and it is rewritten.
- The cookie you get has now not only a content (the session id), but also a property "expiration date". The browser has the choice to respect that expiration date, in which case it will write it to a file. Or he can ignore it, i.e. keep it in memory only.
If you restart the browser, and it finds the cookie with an expiration date in the future in his files, it will re-send it to TWiki, which in turn will still have the session file. You are recognized.
If the browser has no cookie for the server, you'll have to login afresh.
--
TWiki:Main.HaraldJoerg - 08 Oct 2007
Thanks for the explanation.
I would like some more people to confirm it is working for them.
--
TWiki:Main.ArthurClemens - 08 Oct 2007
Tested both in IE and FF. Works fine as long as you remember to allow cookies and allow them to be remembered. Which is normally default in IE and FF.
I do not see further actions.
--
TWiki:Main.KennethLavrsen - 15 Oct 2007
I and my users are seeing the same behaviour with FF 2 and 3 on Windows XP, TWiki 4.2.0. No problems with IE 6 or 7. With Firebug and its Cookies extension I am seeing the following behaviour:
- start out on a TWiki page, not logged in, TWIKISID with no expires setting, cgisession file on the server located and opened in notepad++
- login without setting the remember me option, TWIKISID gets updated but it's still just the same SID, the cgisession file gets updated to recognise me and REMEMBER is 'undef'
- logout and TWIKISID gets updated but remains the same (as before), cgisession file gets updated to reflect the fact that I've logged out
- here's the 'funny bit' - I log back in with the remember me option set, the TWIKISID cookie that's been with me all this time is deleted and a new TWIKISID created, on the server the original cgisession file still exists and has been updated to recognise me as being logged in and REMEMBER is 1, the new cgisession file to match the new cookie is also there and indicates a non-logged in session
- using the Net tab of Firebug I can see that when the Remember me option is set, the current TWIKISID is not part of the Request Header, but when the Remember me option is not set, the TWIKISID cookie is part of the Request header.
--
TWiki:Main.DavidPatterson - 08 Aug 2008
I ran the above sequence again but with FF set to ask my permission for any cookie related activities - the request every time was "The site wants to modify an existing cookie" until after one of these requests the session cookie gets deleted and the next request is "The site wants to set another cookie" and the new 'empty' session cookie gets set.
I'm running my TWiki server on a virtual machine with access to it through a proxy.
--
TWiki:Main.DavidPatterson - 08 Aug 2008
I have the same problem in TWiki 4.2.4 and FF 3.0.3 on XP. I can see the same TWIKISID cookie problem. Logging in with remember me sets the REMEMBER => 1 in the old cookie, but the response sends a new cookie TWIKISID without the remember flag. So I'm still not logged into TWiki. I both tried it with mod_perl and without mod_perl.
I also turned on the trace in LoginManager and compared what happens.
The IE7 trace log
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Subroutine Benchmark::mytime redefined at /usr/lib/perl5/5.8.8/Benchmark.pm line 459., referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Sessionunknown(c): URL http://test-twiki/bin/login, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Sessionunknown(c): Cookie TWIKIPREF=%7CTwistyContrib_edithelp%3D0%7CTwistyContrib_topicattachmentslist%3D1; TWIKISID=17cf2b1eb2d4a4cddd59466d2b0e37c4, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): Opened session, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): session says user is undef, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): Session is NOT authenticated, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): Flushed, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): Session is authenticated, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): converting from guest to ss, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): Flushed, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): Redirect to /bin/view/PE/WebHome?twiki_redirect_cache=9aa12b67a02e6c833efc0d37dc67a497 with cookie, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): Flushed, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] , referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] | Count | Min | Max | Total | Method |, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] , referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Subroutine Benchmark::mytime redefined at /usr/lib/perl5/5.8.8/Benchmark.pm line 459., referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Sessionunknown(c): URL http://test-twiki/bin/view, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Sessionunknown(c): Cookie TWIKIPREF=%7CTwistyContrib_edithelp%3D0%7CTwistyContrib_topicattachmentslist%3D1; TWIKISID=17cf2b1eb2d4a4cddd59466d2b0e37c4, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): Opened session, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): session says user is ss, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): Session says user is ss - , referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): Session is authenticated, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): converting from undef to ss, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:19 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): Flushed, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:20 2008] [error] [client 194.49.3.68] Session17cf2b1eb2d4a4cddd59466d2b0e37c4(c): Flushed, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:20 2008] [error] [client 194.49.3.68] , referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:19:20 2008] [error] [client 194.49.3.68] | Count | Min | Max | Total | Method |, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
The FF 3.0.3 trace file: The difference to IE7 begins with "Sessionunknown" and "Sessionunknown: No cookie" messages below. After that a new session will be created. In FF Firebug I've seen that the cookie is sent to the server, but TWiki server says that there is no cookie.
[Thu Dec 11 10:31:20 2008] [error] [client 194.49.3.68] Subroutine Benchmark::mytime redefined at /usr/lib/perl5/5.8.8/Benchmark.pm line 459., referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Sessionunknown(c): URL http://test-twiki/bin/login, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Sessionunknown(c): Cookie TWIKISID=2e195621e9e6c803e776caeab1d2aa4d, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Session2e195621e9e6c803e776caeab1d2aa4d(c): Opened session, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Session2e195621e9e6c803e776caeab1d2aa4d(c): session says user is undef, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Session2e195621e9e6c803e776caeab1d2aa4d(c): Session is NOT authenticated, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Session2e195621e9e6c803e776caeab1d2aa4d(c): Flushed, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Session2e195621e9e6c803e776caeab1d2aa4d(c): Session is authenticated, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Session2e195621e9e6c803e776caeab1d2aa4d(c): converting from guest to ss, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Session2e195621e9e6c803e776caeab1d2aa4d(c): Flushed, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Session2e195621e9e6c803e776caeab1d2aa4d(c): Redirect to /bin/view/PE/WebHome?twiki_redirect_cache=34c31b25ebdc342e8e10da0d6ffd85e5 with cookie, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Session2e195621e9e6c803e776caeab1d2aa4d(c): Flushed, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] , referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] | Count | Min | Max | Total | Method |, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] , referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Subroutine Benchmark::mytime redefined at /usr/lib/perl5/5.8.8/Benchmark.pm line 459., referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Sessionunknown: URL http://test-twiki/bin/view, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Sessionunknown: No cookie , referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Session01618681d966d300a0c7e9773acb51f6: Opened session, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Session01618681d966d300a0c7e9773acb51f6: session says user is undef, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Session01618681d966d300a0c7e9773acb51f6: Session is NOT authenticated, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Session01618681d966d300a0c7e9773acb51f6: Flushed, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] Session01618681d966d300a0c7e9773acb51f6: Flushed, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] , referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
[Thu Dec 11 10:31:21 2008] [error] [client 194.49.3.68] | Count | Min | Max | Total | Method |, referer: http://test-twiki/bin/login/PE/WebHome?origurl=/bin/view/PE/WebHome
--
TWiki:Main.StefanScherer - 11 Dec 2008
I've just changed the ticket back to New, because I still have the problem with Firefox 3.0.5.
I've found out that the cookie is sent calling the login CGI script. But after the redirect to the next view CGI script the cookie is lost and not sent again from the browser. I've seen in Firebug that the cookie expire date looks very strange: cookie->expires("3, 08-Mar-17 18:17:05 GMT"), so Firefox would probably throw away this cookie and not send it for the next view URL again. I've tested it on 2008-12-11 and not 2008-03-17 (???)
--
TWiki:Main.StefanScherer - 11 Dec 2008
I think I've found the 'bug'. I had the following value in my LocalSite.cfg: $TWiki::cfg{Sessions}{ExpireCookiesAfter} = 26000000; But this seems to be too big for the expire calculation function TWiki::Time::formatTime(). But is it not just possible to use the expiration date "+10d" in cookies as well? So that calculation could be removed.
--
TWiki:Main.StefanScherer - 11 Dec 2008
I've just changed the state to New again, so that the Core team sees that there still is a bug here. I still have problems with logging in and the remember flag. My settings are {Sessions}{ExpireAfter} = -2600000 and {Sessions}{ExpireCookiesAfter} = 2600000 with the tick_twiki.pl cronjob running. Logging in with FF 3.0.5 and remember me sends a cookie with TWIKISID=374fa1f87fbe462c1f863595256b1565; path=/; expires=0, 08-Feb-09 10:24:32 GMT but FF 3.0.5 still shows the login button again and I'm not logged in.
I will try to fix the code for the cookie expire by changing the calculation into a simpler perl code to produce 2600000 = +30d which is OK for IE and FF. There seems to be a problem with the "0, " in the expire date.
I've fixed it for me by using the $wday instead of $dow in the cookie calculation. This is the change of LoginManager.pm:
717c717
< '$dow, $day-$month-$ye $hours:$minutes:$seconds GMT');
---
> '$wday, $day-$month-$ye $hours:$minutes:$seconds GMT');
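Review bot: The new format string on line 717 still writes the year with the two-digit $ye token, so the expires value stays ambiguous about the century even after the weekday is fixed; a four-digit year would remove that ambiguity. The change also comes without a test: a unit test that formats a Sunday date and asserts the value begins with "Sun," rather than "0," would keep the numeric $dow token from returning at this call site.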
And the cookie now looks like this: TWIKISID=e1776322e31b09534e4cd88bf25dfc13; path=/; expires=Sun, 08-Feb-09 10:17:27 GMT
This is now OK for Firefox 3. But there still could be the calculation problem in December 2009 where the expire date will be calculated as January 2009 instead of January 2010. Perhaps the TWiki/Time.pm should be tested for this wrap around.
--
TWiki:Main.StefanScherer - 09 Jan 2009
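A check for the malformed expires value described in the comment above, as an added example that is not TWiki code and not part of any comment in this thread: it audits a Set-Cookie string for a numeric weekday, a weekday that does not match the date, and an expiry that is not after the time of issue (the wrap-around case). The function names are hypothetical, two-digit years are assumed to mean 20xx, and the sample cookie in the block is the one quoted in the thread.

```python
import re
from datetime import datetime
from email.utils import formatdate

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order

# "<weekday>, DD-Mon-YY HH:MM:SS GMT" as in the thread; spaces and 4-digit years also accepted.
EXPIRES_RE = re.compile(
    r"^(?P<wday>[^,]+),\s*(?P<day>\d{1,2})[- ](?P<mon>[A-Za-z]{3})[- ]"
    r"(?P<year>\d{4}|\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+GMT$")


def expires_attribute(set_cookie):
    """Return the raw expires value from a Set-Cookie string, or None if absent."""
    for part in set_cookie.split(";")[1:]:      # part 0 is the name=value pair
        name, _, value = part.strip().partition("=")
        if name.lower() == "expires":
            return value.strip()
    return None


def audit_expires(set_cookie, issued_at):
    """List problems with the expires attribute; issued_at is a naive UTC datetime."""
    value = expires_attribute(set_cookie)
    if value is None:
        return ["no expires attribute (session cookie)"]
    m = EXPIRES_RE.match(value)
    if m is None:
        return ["unparseable expires value"]
    year = int(m["year"])
    if year < 100:
        year += 2000                            # assumption: two-digit years mean 20xx
    try:
        when = datetime.strptime(
            "%s %s %d %s" % (m["day"], m["mon"], year, m["time"]), "%d %b %Y %H:%M:%S")
    except ValueError:
        return ["invalid calendar date or time"]
    findings = []
    expected = WEEKDAYS[when.weekday()]
    wday = m["wday"].strip()
    if wday.isdigit():
        findings.append("numeric weekday %s, expected %s" % (wday, expected))
    elif wday[:3].title() != expected:
        findings.append("weekday %s does not match date, expected %s" % (wday, expected))
    if when <= issued_at:
        findings.append("expires is not after the time of issue")
    return findings


def http_expires(epoch_seconds):
    """Build an expires value with a named weekday and four-digit year (RFC 1123 date)."""
    return formatdate(epoch_seconds, usegmt=True)


if __name__ == "__main__":
    # Cookie quoted in the thread, checked as if issued on 9 Jan 2009 (UTC).
    bad = "TWIKISID=374fa1f87fbe462c1f863595256b1565; path=/; expires=0, 08-Feb-09 10:24:32 GMT"
    print(audit_expires(bad, datetime(2009, 1, 9, 10, 24, 32)))
    print(http_expires(1234088247))
```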
A trivial thinking - The Cookie helps to identify the session stored on the server. The session decides which user is supposed to be allowed to continue as logged in user, and allows not to force the user to authenticate again from the same client-box.
So we need to pass the appropriate html form variable to make changes/setup proper session to have appropriate "REMEMBER=>" hash value. Yes, $TWiki::cfg{Sessions}{ExpireAfter} and $TWiki::cfg{Sessions}{ExpireCookiesAfter} have a role to play.
I am attaching the image - which shows the current html login form, gmail login form and what my Firefox shows. The Firefox buttons - which are shown in this image - play a role only to cache the form values, and do not play any role for cookies. Remembering cookies for a domain is handled by Firefox==>tools==>Privacy==>cookies ==> (check selection) Accept Cookies from sites option. This just helps to remember the cookies for the sites on disk, so when the browser is closed/started again, the cookies are picked up from the disk and used while interacting with the sites (sent with the Header of the request).
Anyway - my conclusion is - we need to define the proper form, document it and then make the changes in the code of Login.pm to create the session to fix this requirement.
This feature will be extremely helpful if my TWiki instance is configured to use "TemplateLogin", to run the command line jobs for example for backup, mailnotify etc.; they need not create new sessions for every run or for every "use TWiki" stuff in the scripts.
The priority of the ticket - I am reducing this to normal, please feel free to change the priority if you would like to get this issue implemented as soon as possible.
--
TWiki:Main.SopanShewale - 12 Feb 2009
I ran into FF not sending a cookie in subsequent requests when it had been set with a Set-Cookie header containing "expires=0, 07-Jun-09 12:42:29 GMT". This manifested itself with TWiki 4.3 (patched for CVE-2009-1339) used with FF 3.0.10 upon logging in when the "Remember me on this computer" box is ticked, and when the dates align - so the time on the server and the ExpireCookiesAfter value produce an expires value with "0,".
StefanScherer's patch to LoginManager.pm (above) fixed the problem, wday seems more widely accepted than dow, so thank you. I just checked: http://svn.twiki.org/svn/twiki/trunk/core/lib/TWiki/LoginManager.pm and I noticed dow is (still) used.
--
TWiki:Main.PeterJEdwards - 04 Jun 2009
The fact that the cookie is malformed without the above fix to LoginManager.pm is a fairly major bug. Different browsers cope with it in different ways. Firefox 10 refuses to log in altogether. Opera 11, IE7 and Safari 5 treat the cookie as a session cookie (rather than a regular expiring cookie). iOS Safari treats the cookie as a very short-lived session cookie - expires as soon as the Safari app is closed.
--
TWiki:Main.LadislavSnizek - 2012-03-12
Thank you TWiki:Main.StefanScherer for providing a fix. Not sure why dropped the ball on this proposed fix for such a long time. Now in SVN trunk and 51. branch.
--
TWiki:Main.PeterThoeny - 2012-04-12