Closed: emphazer closed this issue 6 years ago.
Thank you for your bug report. Suhosin7 is not production ready yet. Can you post a more detailed description, please, e.g. the Suhosin logfile and the PHP logfile?
There are no logs. It works just for one access after login; the backend deletes the cookie after another access.
Here are the headers:
> GET /admin/ HTTP/1.1
> Host: example.com
> Pragma: no-cache
> Accept-Encoding: gzip, deflate, sdch, br
> Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
> Upgrade-Insecure-Requests: 1
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> Referer: https://example.com/user/login
> Cookie: _pk_id.4.c918=67df4f691762361e.1464013940.1.1464014990.1464013940.; SSESS46129cccf0e01bb90d69023b3fef3efb=24FKTdv1h7LLM-D-WP_f_BWVuWD-BO0VYlL5Y8XrxEA
> Connection: keep-alive
> Cache-Control: no-cache
< HTTP/1.1 403 Forbidden
< Server: Apache
< Date: Thu, 23 Mar 2017 13:53:01 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 2455
< Keep-Alive: timeout=10
< Cache-Control: must-revalidate, no-cache, private
< X-Drupal-Dynamic-Cache: HIT
< X-UA-Compatible: IE=edge
< Content-language: de
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Expires: Sun, 19 Nov 1978 05:00:00 GMT
< Set-Cookie: SSESS46129cccf0e01bb90d69023b3fef3efb=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=example; HttpOnly; secure
< X-XSS-Protection: 1; mode=block
< X-Permitted-Cross-Domain-Policies: master-only
< Vary: Accept-Encoding
< Content-Encoding: gzip
< X-Content-Type-Options: nosniff
< Strict-Transport-Security: max-age=15768000; preload
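A small diagnostic for the symptom in the exchange above, added here as an example and not part of the thread: it parses a curl -v dump, finds the Drupal session cookie the client sent, and reports whether the response ordered its deletion (Max-Age=0 or a 1970 expiry), which separates "the backend discarded the session" from a cookie that was never sent. The sample transcript is constructed from the headers above with the values shortened.

```python
import re

# Constructed sample modelled on the curl -v exchange in the comment above (values shortened).
SAMPLE_EXCHANGE = """\
> GET /admin/ HTTP/1.1
> Host: example.com
> Cookie: _pk_id.4.c918=67df4f69.1464013940; SSESS46129cccf0e01bb90d69023b3fef3efb=24FKTdv1h7LLM
< HTTP/1.1 403 Forbidden
< Set-Cookie: SSESS46129cccf0e01bb90d69023b3fef3efb=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=example; HttpOnly; secure
< X-Drupal-Dynamic-Cache: HIT
"""

def headers(text, prefix):
    """Yield 'Name: value' header lines that curl -v marked with prefix ('> ' request, '< ' response)."""
    for line in text.splitlines():
        if line.startswith(prefix) and ":" in line:
            yield line[len(prefix):]

def sent_cookies(text):
    """Return {name: value} for every cookie the client sent."""
    cookies = {}
    for line in headers(text, "> "):
        if line.lower().startswith("cookie:"):
            for pair in line.split(":", 1)[1].split(";"):
                name, _, value = pair.strip().partition("=")
                cookies[name] = value
    return cookies

def deleted_cookies(text):
    """Return the names of cookies the server told the client to discard (Max-Age=0 or a 1970 expiry)."""
    gone = set()
    for line in headers(text, "< "):
        if line.lower().startswith("set-cookie:"):
            name, _, attrs = line.split(":", 1)[1].strip().partition("=")
            if "max-age=0" in attrs.lower() or "expires=thu, 01-jan-1970" in attrs.lower():
                gone.add(name)
    return gone

def check_session_drop(text):
    """Report Drupal session cookies (SESS/SSESS + 32 hex chars) that were sent and then invalidated."""
    status_line = next((l for l in text.splitlines() if l.startswith("< HTTP/")), "")
    status = int(status_line.split()[2]) if status_line else None
    session_names = [n for n in sent_cookies(text) if re.fullmatch(r"S?SESS[0-9a-f]{32}", n)]
    dropped = deleted_cookies(text)
    return {"status": status, "session_sent": session_names,
            "session_dropped": [n for n in session_names if n in dropped]}
```

A 403 together with a deletion Set-Cookie for a session cookie the client did send, as in this dump, means the application itself discarded the session, so the investigation belongs on the PHP session side rather than on the request.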
I suspect that one or more of Suhosin's filters (one of the suhosin.cookie.* settings) gets activated, e.g. https://suhosin.org/stories/configuration.html#suhosin-cookie-max-name-length
It might be useful to activate logging and check the logfile, e.g.:
suhosin.log.file=511
suhosin.log.file.name=/tmp/suhosin-debug.log
@bef Here is the current config (I know that some values are oversized):
suhosin.executor.include.whitelist = "phar vfs"
suhosin.upload.max_uploads = 500
suhosin.cookie.max_name_length = 200
suhosin.get.max_name_length = 500
suhosin.get.max_array_index_length = 500
suhosin.get.max_vars = 3000
suhosin.get.max_value_length = 20000
suhosin.post.max_value_length = 5000000
suhosin.post.max_name_length = 5000
suhosin.post.max_array_index_length = 5000
suhosin.post.max_vars = 3000
suhosin.post.max_totalname_length = 3000
suhosin.post.max_array_depth = 500
suhosin.request.max_varname_length = 5000
suhosin.request.max_array_index_length = 5000
suhosin.request.max_vars = 3000
But I will try it again with debug logging activated this week.
I tried it. Still no logs...
@emphazer It could be a permissions problem.
To make logging work in a php-fpm chroot with suhosin5 I use:
; Log Options
suhosin.log.file = 511
; log path is absolute inside chroot
suhosin.log.file.name = /logs/suhosin.log
suhosin.log.use-x-forwarded-for = On
The log directory also needs to be writable by the user php-fpm runs as.
@itoffshore No, we are an internet service hoster. We have hundreds of instances working very well with 5.6. A permission problem is definitely not possible. And in Drupal the session information is normally saved in the SQL database and not on the filesystem.
Solved it! The answer was:
suhosin.session.encrypt = off
Logins are not possible anymore with Suhosin loaded, even with the default configuration.