salesagility / SuiteCRM-Core

SuiteCRM - Open source CRM for the world
https://www.suitecrm.com
GNU Affero General Public License v3.0

Session Headers Repeated #509

Open DisabledMonkey opened 1 month ago

DisabledMonkey commented 1 month ago

Issue

The PHPSESSID and LEGACYSESSID cookies are repeated a crazy number of times in the response headers


This causes problems when hosting SuiteCRM behind a proxy such as nginx that has default maximum sizes allowed for the response headers.

Possible Fix

Make sure PHPSESSID and LEGACYSESSID are only returned once in the headers, as would be expected.

Steps to Reproduce the Issue

1. Make a request
2. Look at Chrome DevTools and see all the headers that are returned.

Context

We run SuiteCRM on Kubernetes, which proxies via NGINX Gateway Fabric. Currently you can't configure it to allow larger response headers, so it errors. So basically you can't run SuiteCRM 8.6.1 on there until this is resolved. It was working in 8.5.1 (it still might have been returning multiple times, but few enough that the proxy didn't complain).

Version

8.6.1

What browser are you currently using?

Chrome

Browser Version

No response

Environment Information

PHP 8.2

Operating System and Version

Debian 12
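A small checker for the symptom reported above, added here as an example and not part of this issue or of SuiteCRM: it parses a raw HTTP response header block, counts how many Set-Cookie headers carry each session cookie, and reports the header-block size that a proxy's response-header limit applies to. The sample responses are constructed, not real captures, and the 4096-byte limit is an assumed placeholder rather than any specific proxy's default.

```python
from collections import Counter

SESSION_COOKIES = ("PHPSESSID", "LEGACYSESSID")

def build_response(set_cookie_values):
    """Assemble a raw HTTP/1.1 response header block from Set-Cookie values (constructed sample)."""
    return (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n"
        + "".join(f"Set-Cookie: {v}\r\n" for v in set_cookie_values)
        + "\r\n"
    )

# Constructed samples: the symptom (each session cookie re-sent three times) and a healthy response.
REPEATED = build_response(
    [f"{name}={name.lower()}{i}; path=/; HttpOnly" for i in range(3) for name in SESSION_COOKIES]
)
CLEAN = build_response(["PHPSESSID=phpsessid0; path=/; HttpOnly"])

def parse_headers(raw):
    """Return (lower-cased name, value) pairs from the header block, skipping the status line."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def session_cookie_counts(raw):
    """Count Set-Cookie headers per session cookie name, e.g. {'PHPSESSID': 3, 'LEGACYSESSID': 3}."""
    counts = Counter()
    for name, value in parse_headers(raw):
        cookie = value.split("=", 1)[0]
        if name == "set-cookie" and cookie in SESSION_COOKIES:
            counts[cookie] += 1
    return dict(counts)

def header_block_bytes(raw):
    """Size of the header block in bytes; this is what a proxy's response-header limit is applied to."""
    return len(raw.split("\r\n\r\n", 1)[0].encode("utf-8"))

def check(raw, limit_bytes=4096):
    """Report session cookies sent more than once and whether the headers exceed the (assumed) limit."""
    repeated = {k: v for k, v in session_cookie_counts(raw).items() if v > 1}
    size = header_block_bytes(raw)
    return {"repeated": repeated, "bytes": size, "over_limit": size > limit_bytes}
```

Feeding it a header block copied from DevTools or curl -i output shows at a glance whether the duplication is coming from the application itself rather than the proxy.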

chris001 commented 1 month ago

Does this also happen on the Suite 8 online demo? User: will, pass: will

DisabledMonkey commented 1 month ago

Online demo appears to be working as expected. Not seeing the problem there.

chris001 commented 1 month ago

It looks like a similar Repeated Headers issue was fixed in 2022 in Nginx Gateway Fabric. Could you possibly troubleshoot whether the repeated session headers are coming at the Nginx Gateway Fabric? The simplest way might be to re-post your original post from here as a new issue on the NGF github and ask for input from users there. Please post back here with replies you receive, if any.

DisabledMonkey commented 1 month ago

No, this is not caused by Nginx Gateway Fabric. I.e., the issue also happens when hitting the web server directly, not behind any proxy.

What I'm seeing is that the application keeps switching between the legacy Sugar session and the Symfony session, hitting LegacyHandler::startSymfonySession and LegacyHandler::startLegacySession multiple times. https://www.github.com/salesagility/SuiteCRM-Core/blob/f483bec4cffb267840725af5c022a7e8f2599934/core/backend/Engine/LegacyHandler/LegacyHandler.php#L295-L327

Each time it switches between them, it writes that session cookie back to the browser.

Switching the code there to only start the Symfony session, and not restart it, results in the session cookie being sent more like anticipated (only if it changes, and not multiple times).

```php
protected function startSymfonySession(): void
{
    // Already started: leave it alone instead of stopping and restarting,
    // since every restart writes the session cookie back to the browser.
    if ($this->session->isStarted()) {
        return;
    }

    $this->session->setName($this->defaultSessionName);

    // Reuse the id the browser already sent for this session name.
    if (isset($_COOKIE[$this->defaultSessionName])) {
        $this->session->setId($_COOKIE[$this->defaultSessionName]);
    }

    $this->session->start();
}

protected function startLegacySession(): void
{
    // No separate legacy session any more: delegate to the Symfony session.
    $this->startSymfonySession();
}
```

But it does result in some odd behaviour when visiting certain portions of the website, though.

chris001 commented 1 month ago

Nice! It looks like you found the cause of this issue.

DisabledMonkey commented 1 month ago

To get stuff working as expected across the board with the code change above, I also had to swap out any places in code that had LEGACYSESSID to be PHPSESSID to make everywhere in code reference just that single session name.

So all this to say, I do feel like something weird is going on with SuiteCRM's session juggling there that results in this problem, but I don't feel like my code changes are necessarily the appropriate way to fix the underlying problem.

I am curious as to how the demo server is configured, as it doesn't seem to present this problem?