lifetime of ssl session cookie

Posted: 28 Apr 2014, 00:13
by Tobi
Hi all,

I just encountered a problem: While browsing my ttrss reader through an unencrypted connection, the cookie lifetime is being set correctly (value in config.php).
When browsing my ttrss reader instance through an SSL-encrypted connection, the session cookie "ttrss_sid_ssl" expires 'at end of session'. Is there a reason for this behaviour or is this a bug?

Re: lifetime of ssl session cookie

Posted: 28 Apr 2014, 01:12
by fox
there is no separate mechanism to set cookie lifetime for ssl, the only difference is the name. check your browser/etc settings.

Re: lifetime of ssl session cookie

Posted: 28 Apr 2014, 02:10
by Tobi
Are you sure? I got the same behaviour with Firefox and Safari.

Re: lifetime of ssl session cookie

Posted: 28 Apr 2014, 08:33
by fox
nah, just talking out of my ass here

https://github.com/gothfox/Tiny-Tiny-RS ... ns.php#L13

Re: lifetime of ssl session cookie

Posted: 28 Apr 2014, 13:12
by Zorchenhimer
It's possible a third party is messing with your connection (e.g., firewall at the office). I noticed today that my SSL cert was being spoofed at my work's firewall. It was signed by sslcert.companyname.org instead of the CA I had originally registered with and had a different length. Something similar could be happening here, and nothing in TT-RSS would be able to stop that.

Re: lifetime of ssl session cookie

Posted: 03 May 2014, 14:33
by Tobi
Ok, so I tried different operating systems and different browsers: IE, Firefox, Chrome, Opera.
Finally I've found a solution: I disabled OTP for my account (because I wanted to know if this issue has something to do with the OTP functionality) and enabled it afterwards. And guess what? Now the expire date of the ssl session cookie is being set correctly.

//edit: Now it's not working anymore, arghh... :evil:

//edit2: It's indeed the OTP feature. With OTP disabled, the expire date is set correctly. If I'm using a non-encrypted connection with OTP turned on, the expire date is also set correctly. Can you fix that up or is that a "feature"? :twisted:

Re: lifetime of ssl session cookie

Posted: 03 May 2014, 19:36
by JustAMacUser
I'm not saying you're not having the issue, but I can't see anything in the OTP code that remotely affects cookies. It's literally just checking two integers to see if they match:

https://github.com/gothfox/Tiny-Tiny-RS ... l/init.php

Could you try running without OTP for a little bit to see if the issue recurs?

Re: lifetime of ssl session cookie

Posted: 03 May 2014, 19:59
by fox
Maybe remember me is being reset because of otp. I'll take a look later.

e: yeah I think that's why, i'll fix it later

Re: lifetime of ssl session cookie

Posted: 03 May 2014, 21:47
by JustAMacUser
I think I also remember looking into why the low bandwidth and profile options weren't working and remember the OTP form not carrying those settings over either... Now that you mention it. I was going to do a pull request for those but forgot about it till now.

Re: lifetime of ssl session cookie

Posted: 03 May 2014, 22:37
by fox

Re: lifetime of ssl session cookie

Posted: 05 May 2014, 22:38
by Tobi
fox wrote: https://github.com/gothfox/Tiny-Tiny-RSS/commit/a0dfd7ef88dc164042fc8f6dff60458fdc36ce83

This fix works, thanks for the quick response.