Session remnants on logout

apmuthu
Posts: 249
Joined: Sun Dec 06, 2020 6:50 am
Location: Chennai, India, Singapore

Session remnants on logout

Unread post by apmuthu »

In both v4.5 and v4 of nuBuilder, after logout, there are still the following remnants of the $_SESSION variable:

Array
(
    [nubuilder_session_data] => Array
        (
            [GLOBEADMIN] => 
            [GLOBEADMIN_NAME] => globeadmin
            [GLOBEADMIN_PASS] => nu
            [USER_LOGIN] => 
            [USER_PASS] => 
            [USER_EMAIL] => 
            [USER_DISPLAY_NAME] => 
            [USER_ROLES] => 
            [DB_NAME] => nubuilder45
            [DB_USER] => root
            [DB_PASSWORD] => 
            [DB_HOST] => 127.0.0.1
            [DB_CHARSET] => utf8
            [NU_SITE_URL] => 
            [IS_DEMO] => 
            [SESSION_ID] => s16121346474973
            [SESSION_TIMESTAMP] => 1612134649
            [IsDemo] => 
            [translation] => Array
                (
                )

            [isGlobeadmin] => 1
        )

)

This can be seen by
1. logging into a nuBuilder install,
2. logging out and
3. keeping the browser open and
4. altering the index.php as below and then visiting the login page again before actually logging in again.

Temporary code change before point 4 above:
Session_debug_code.png
It is hence essential for the function logout() defined in nudata.php to have the following at the end inside the said function:

unset($_SESSION['nubuilder_session_data']);

In v4, this should be considered with its ramifications for the WordPress plugin as well in lines 11 and 53 (JQ_PATH availability) in index.php.

The actual values of the session variable are as follows - before and after login:
nubuilder_session_data_values_v4.png
Last edited by apmuthu on Mon Feb 01, 2021 9:28 am, edited 2 times in total.
apmuthu

Re: Session remnants on logout

Unread post by apmuthu »

The above may not be sufficient at all since on logout, the session gets populated with that of the pre-logout instance as far as the above variables are concerned when the login screen appears.

A new session is loaded in nuchoosesetup.php only if the variable $_SESSION['nubuilder_session_data'] is not available yet. This means that if a stale session or initialised session is present, a new session will not get created!

Hence, the above session variable should not only be destroyed on logout, it must not get set when a login screen appears.
Therefore, all data taken from the session (path, etc.) that is necessary for the login screen should be taken from the nuconfig.php file only.
Furthermore, when a login screen is displayed, the said session variable should be absent.

Consider this setup:
We have one instance of nuBuilder (v4, v4.5) being operated on a browser - say /nubuilder4.
We then logout of that instance but keep the browser open.
We attempt to log in to another different instance of nuBuilder on the same machine, say /nubuilder45.
In the current dispensation, we get the stale session from the previous instance!

Although different installations can have different title names, if the stale session cache is in operation, all will be wasted.

Early in the initial script, say index.php, if we compute the current nuBuilder path and keep it in a non session variable and compare with a session variable that is computed and stored during initialisation in the class nubuilder_session_data, all we need is to compare the two and create a new session if they are different!
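
The path comparison proposed in this post, combined with the logout clean-up from the first post, as an added example; it is not nuBuilder's code nor the poster's commit. The helper names and the `nu_instance_path` session key are hypothetical, and the check assumes it runs before any output is sent.

```php
<?php
// Added example: helper names and the 'nu_instance_path' key are hypothetical.

// Identify the install by the directory of its entry script, e.g. "/nubuilder45/".
function instance_path(array $server): string
{
    $dir = str_replace('\\', '/', dirname($server['SCRIPT_NAME'] ?? '/'));
    return rtrim($dir, '/') . '/';
}

// Logout: empty the data, expire the cookie, delete the server-side record.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies') && !headers_sent()) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
}

// Call first thing in index.php. Returns true if a stale session was discarded.
function bind_session_to_instance(array $server): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $current = instance_path($server);
    $stale = isset($_SESSION['nubuilder_session_data'])
        && ($_SESSION['nu_instance_path'] ?? null) !== $current;
    if ($stale) {
        destroy_session();
        session_start();
        session_regenerate_id(true); // new ID; old record already deleted
    }
    $_SESSION['nu_instance_path'] = $current;
    return $stale;
}

// Constructed demo for the PHP CLI: a session left by /nubuilder4 reaches /nubuilder45.
bind_session_to_instance(['SCRIPT_NAME' => '/nubuilder4/index.php']);
$_SESSION['nubuilder_session_data'] = ['DB_NAME' => 'nubuilder4']; // constructed
$same  = bind_session_to_instance(['SCRIPT_NAME' => '/nubuilder4/index.php']);
$other = bind_session_to_instance(['SCRIPT_NAME' => '/nubuilder45/index.php']);
var_dump($same, $other, isset($_SESSION['nubuilder_session_data']));
```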
apmuthu

Re: Session remnants on logout

Unread post by apmuthu »

This feature has been added to v4 in my updated repo.

The changed files for v4.5 commit 317 are attached here:
nb_v4.5_multi_nb_feature_for_C317.zip
apmuthu

Re: Session remnants on logout

Unread post by apmuthu »

The commits made for this issue have the following caveats.

1. Different subdomains for each instance is the best practice.
2. This code commit allows one install at a time to be accessed even without logging out from another install in a single window's single tab.
3. If different instances are used in different browser windows / tabs, session hijacking by last login will occur and hence it is advised to refrain from doing so and will require closure of all browser instances (windows and tabs) before going onto another install.

After all, the $_SESSION variable for nuBuilder is the same for all browser tabs/windows and so is the cookie and that for the nudb as well.

Without this commit, Point 2 could not be used and suffered the same issues as Point 3.
kev1n
nuBuilder Team
Posts: 4292
Joined: Sun Oct 14, 2018 6:43 pm

Re: Session remnants on logout

Unread post by kev1n »
