lifetime of ssl session cookie

Postby Tobi » 28 Apr 2014, 00:13

Hi all,

I just encountered a problem: While browsing my ttrss reader through an unencrypted connection, the cookie lifetime is being set correctly (value in config.php).
When browsing my ttrss reader instance through an SSL-encrypted connection, the session cookie "ttrss_sid_ssl" expires 'at end of session'. Is there a reason for this behaviour or is this a bug?

Re: lifetime of ssl session cookie

Postby fox » 28 Apr 2014, 01:12

there is no separate mechanism to set cookie lifetime for ssl, the only difference is the name. check your browser/etc settings.

Re: lifetime of ssl session cookie

Postby Tobi » 28 Apr 2014, 02:10

Are you sure? I got the same behaviour with Firefox and Safari.

Re: lifetime of ssl session cookie

Postby fox » 28 Apr 2014, 08:33

nah, just talking out of my ass here

https://github.com/gothfox/Tiny-Tiny-RS ... ns.php#L13

Re: lifetime of ssl session cookie

Postby Zorchenhimer » 28 Apr 2014, 13:12

It's possible a third party is messing with your connection (e.g., firewall at the office). I noticed today that my SSL cert was being spoofed at my work's firewall. It was signed by sslcert.companyname.org instead of the CA I had originally registered with and had a different length. Something similar could be happening here, and nothing in TT-RSS would be able to stop that.

Re: lifetime of ssl session cookie

Postby Tobi » 03 May 2014, 14:33

Ok, so I tried different operating systems and different browsers: IE, Firefox, Chrome, Opera.
Finally I've found a solution: I disabled OTP for my account (because I wanted to know if this issue has something to do with the OTP functionality) and enabled it afterwards. And guess what? Now the expire date of the ssl session cookie is being set correctly.

//edit: Now it's not working anymore, arghh... :evil:

//edit2: It's indeed the OTP feature. With OTP disabled, the expire date is set correctly. If I'm using a non-encrypted connection with OTP turned on, the expire date is also set correctly. Can you fix that up or is that a "feature"? :twisted:
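
A way to check the symptom reported above from response headers, as an added example that is not part of the original posts or of tt-rss: it classifies each Set-Cookie header as session-only or persistent and lists cookies that lose their expiry between two logins. The header values, the 7-day lifetime and the function names are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def cookie_lifetime(set_cookie, now):
    """Return (name, seconds) for one Set-Cookie header value.

    seconds is None for a session cookie (no Max-Age and no usable Expires).
    Max-Age takes precedence over Expires (RFC 6265, section 5.3).
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    if "max-age" in attrs:
        try:
            return name, int(attrs["max-age"])
        except ValueError:
            pass  # malformed Max-Age is ignored, fall back to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return name, None  # unparsable date: browser treats it as session
        return name, int((expires - now).total_seconds())
    return name, None


def lost_persistence(before, after, now):
    """Names of cookies that are persistent in `before` but session-only in `after`."""
    a = dict(cookie_lifetime(h, now) for h in before)
    b = dict(cookie_lifetime(h, now) for h in after)
    return sorted(n for n, life in a.items()
                  if life is not None and n in b and b[n] is None)


# Constructed sample headers (not captured from a real tt-rss instance).
NOW = datetime(2014, 5, 3, 14, 33, tzinfo=timezone.utc)
OTP_OFF = ["ttrss_sid_ssl=abc123; expires=Sat, 10 May 2014 14:33:00 GMT; "
           "Max-Age=604800; path=/; secure; HttpOnly"]
OTP_ON = ["ttrss_sid_ssl=def456; path=/; secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("OTP off", OTP_OFF), ("OTP on", OTP_ON)):
        for h in headers:
            print(label, cookie_lifetime(h, NOW))
    print("lost expiry:", lost_persistence(OTP_OFF, OTP_ON, NOW))
```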

Re: lifetime of ssl session cookie

Postby JustAMacUser » 03 May 2014, 19:36

I'm not saying you're not having the issue, but I can't see anything in the OTP code that remotely affects cookies. It's literally just checking two integers to see if they match:

https://github.com/gothfox/Tiny-Tiny-RS ... l/init.php

Could you try running without OTP for a little bit to see if the issue recurs?

Re: lifetime of ssl session cookie

Postby fox » 03 May 2014, 19:59

Maybe remember me is being reset because of otp. I'll take a look later.

e: yeah I think that's why, i'll fix it later

Re: lifetime of ssl session cookie

Postby JustAMacUser » 03 May 2014, 21:47

I think I also remember looking into why the low bandwidth and profile options weren't working and remember the OTP form not carrying those settings over either... Now that you mention it. I was going to do a pull request for those but forgot about it till now.

Re: lifetime of ssl session cookie

Postby fox » 03 May 2014, 22:37


Re: lifetime of ssl session cookie

Postby Tobi » 05 May 2014, 22:38


