zeruniverse / Password-Manager

An online keepass-like tool to manage passwords. Client-side AES encryption!

Session timed out issue in 9.15. #173

Closed theralse closed 7 years ago

theralse commented 7 years ago

I've upgraded password-manager from 9.14 to 9.15. When I log in, it immediately logs out and shows the error message "Session timed out".

Clearing the browser cookies or using private mode to log in to Password-Manager could not solve the problem.

How to fix this issue?

zeruniverse commented 7 years ago
  1. There's nothing called 9.14. The previous version is 9.13. I think you meant that.

  2. Note that the table structures of the database have changed. You'll need to destroy the database and re-import initial.sql (of course, you should back up first).

  3. If 2 isn't your problem, please try 9.15 on the demo site first. The demo is: pas.jeffery.cc See if your problem can be reproduced there.

On Tue, Apr 25, 2017 at 9:51 PM theralse notifications@github.com wrote:

> I've upgraded password-manager from 9.14 to 9.15. When I log in, it immediately logs out and shows the error message "Session timed out".
>
> Clearing the browser cookies or using private mode to log in to Password-Manager could not solve the problem.
>
> How to fix this issue?

BenjaminHae commented 7 years ago

And you should clear your cookies.

BenjaminHae commented 7 years ago

...and possibly the browser cache.

theralse commented 7 years ago
  1. My mistake, I upgraded from 9.13 to 9.15.
  2. After using 9.13_removeEncryption.php to upgrade the old database, I compared the table structure, which is the same as the new one imported by initial.sql.
  3. The 9.15 demo site could not reproduce my problem.
  4. I have cleared my browser cookies and cache many times and tried the browser's private mode. Neither could solve the issue.

Finally, I did a fresh install and imported the new SQL into the database. But the issue still exists. http://ralse.myddns.com

Browser: Chrome, latest version. Password manager version: 9.15 and the latest commit 0f0a181.

zeruniverse commented 7 years ago

Please note that from v9.13, Password-Manager only supports HTTPS.

zeruniverse commented 7 years ago

And I strongly recommend that you use the standard backup method. When you export a CSV (or RAW file), you can at least check whether the exported passwords/accounts are correct.

BenjaminHae commented 7 years ago

I just noticed that there is one upgrade script missing from the release information: You also need to execute https://github.com/BenjaminHae/Password-Manager/blob/upgrades/upgrade_9.15_pbkdf.php after 9.13_removeEncryption.php.

zeruniverse commented 7 years ago

Updated

On Wed, Apr 26, 2017 at 12:52 PM Benjamin Häublein notifications@github.com wrote:

> I just noticed that there is one upgrade script missing from the release information: You also need to execute https://github.com/BenjaminHae/Password-Manager/blob/upgrades/upgrade_9.15_pbkdf.php after 9.13_removeEncryption.php.

theralse commented 7 years ago

Now I have done a clean install.

New Password-Manager 9.15, new SQL account and database imported by initial.sql. Using HTTPS to connect to Password-Manager: https://ralse.myddns.com

I can see the new user added in the database table pwdusrrecord after signing up. But after login, the same issue occurred: "Session timed out"

Will "date_default_timezone_set" in config.php cause the "Session timed out" issue?

zeruniverse commented 7 years ago

OK, I know the problem. ServerRenew is set to be httponly while it shouldn't be.

zeruniverse commented 7 years ago

@theralse did you do any special configuration to your PHP? The following screenshot is the set-cookie header of my server's response.

[screenshot: capture]

The image below shows yours.

[screenshot: capture]

I don't know why your web server adds an httponly flag to the ServerRenew cookie. This httponly flag caused this problem.

zeruniverse commented 7 years ago

@theralse It seems to me that your server automatically adds an Httponly flag to every set-cookie header entry. For example, the PHPSESSID has two Httponly flags. One is from the PHP script we wrote and I don't know why there's another one at the end.

Maybe the redundant HttpOnly at the end is from your apache settings. For example, you might have this sentence in your httpd.conf: Header set Set-Cookie HttpOnly;

theralse commented 7 years ago

@zeruniverse I checked my server provider's maintenance log. They upgraded Apache to 2.4.25 recently, and for security reasons they added `Header always edit Set-Cookie ^(.*)$ $1;HttpOnly` in apache.conf.

I commented out this line and restarted the Apache server, and the issue is resolved. I will write to Q-NAP to ask them why they made this change in apache.conf.

Many thanks.

apache.conf:

```apache
<IfModule headers_module>
    Header always append X-Frame-Options SAMEORIGIN
    Header always edit Set-Cookie ^(.*)$ $1;HttpOnly
</IfModule>
```

BenjaminHae commented 7 years ago

In theory setting sensitive cookies to httponly is a good idea. So that malicious scripts can't read these cookies. But that should be decided by the application as some cookies need to be shared between the backend and frontend.

theralse commented 7 years ago

The Apache configuration could use the setting below.

```apache
Header always edit Set-Cookie "(?i)^((?:(?!ServerRenew=|;\s?HttpOnly).)+)$" "$1; HttpOnly"
```

This keeps adding HttpOnly to all cookies except ServerRenew.
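To see why the blanket rule broke the login and why the selective rule from the last comment does not, here is an added simulation (not code from the Password-Manager project) of Apache's `Header edit` substitution run over constructed sample Set-Cookie values; the cookie values and the `theme` cookie are assumptions for illustration.

```python
import re

# Models Apache's "Header always edit Set-Cookie <pattern> <replacement>":
# each Set-Cookie response header value gets one PCRE substitution.
# (Python's re handles the two patterns from this thread identically.)

# The blanket rule from the provider's apache.conf: append HttpOnly to every
# cookie, even ones the front-end JavaScript must read and ones already flagged.
BLANKET_PATTERN = re.compile(r"^(.*)$")
BLANKET_REPL = r"\1;HttpOnly"

# The selective rule proposed at the end of the thread: skip ServerRenew and
# skip any cookie that already carries an HttpOnly attribute.
SELECTIVE_PATTERN = re.compile(r"(?i)^((?:(?!ServerRenew=|;\s?HttpOnly).)+)$")
SELECTIVE_REPL = r"\1; HttpOnly"


def apply_header_edit(pattern, repl, set_cookie_values):
    """Rewrite each Set-Cookie value with the rule; unmatched values stay as they are."""
    return [pattern.sub(repl, value, count=1) for value in set_cookie_values]


def has_httponly(value):
    """True if the cookie carries an HttpOnly attribute (case-insensitive)."""
    return re.search(r";\s*HttpOnly\s*(?:;|$)", value, re.I) is not None


def js_readable_cookies(set_cookie_values):
    """Cookie names document.cookie can still see, i.e. those without HttpOnly.
    Password-Manager needs ServerRenew here, or login ends in 'Session timed out'."""
    return [v.split("=", 1)[0] for v in set_cookie_values if not has_httponly(v)]


# Constructed sample response headers modelled on the thread's screenshots:
# PHP's session cookie is already HttpOnly, ServerRenew must stay script-readable,
# and "theme" is an assumed extra cookie that should gain the flag.
SAMPLE_SET_COOKIES = [
    "PHPSESSID=abc123; path=/; HttpOnly",
    "ServerRenew=1493184000; path=/",
    "theme=dark; path=/",
]

if __name__ == "__main__":
    for name, pat, rep in (("blanket", BLANKET_PATTERN, BLANKET_REPL),
                           ("selective", SELECTIVE_PATTERN, SELECTIVE_REPL)):
        edited = apply_header_edit(pat, rep, SAMPLE_SET_COOKIES)
        print(name, edited, "readable by JS:", js_readable_cookies(edited))
```

The blanket rule reproduces both symptoms from the thread: PHPSESSID ends up with two HttpOnly flags and ServerRenew becomes invisible to the front end, while the selective rule leaves ServerRenew readable and still flags the other cookies.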