[ZBX-8339] The frontend always sends a zbx_sessionid cookie
Created: 2014 Jun 11  Updated: 2017 May 30  Resolved: 2014 Jun 20

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 2.3.2
Fix Version/s: 2.3.2

Type: Incident report
Priority: Minor
Reporter: Pavels Jelisejevs (Inactive)
Assignee: Unassigned
Resolution: Fixed
Votes: 0
Labels: authentication, cookie, frontend
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If you log in with the "Remember me for 30 days" checkbox checked, each page will send the "zbx_sessionid" cookie to prolong its lifetime. This is correct. But the same thing happens when logging in without the "Remember me for 30 days" checkbox checked: each page sets the cookie without setting its lifetime. This is unnecessary.
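
One way to observe the behaviour described above from captured response headers, as an added example that is not part of the original report or of Zabbix code: it labels each `Set-Cookie` for `zbx_sessionid` as a first issue, a lifetime refresh (carries `Expires`/`Max-Age`), or a redundant re-send of a session cookie. The function names, paths, cookie values and dates are constructed for illustration.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); attr names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_cookie(responses, cookie_name="zbx_sessionid"):
    """responses: list of (path, [Set-Cookie header values]) in request order.

    Returns (path, verdict) for every Set-Cookie of cookie_name:
      issued           - value differs from the previous one (new session)
      lifetime-refresh - same value, carries Expires/Max-Age (prolongs lifetime)
      redundant        - same value, no lifetime: a session cookie re-sent
    """
    findings, last_value = [], None
    for path, headers in responses:
        for header in headers:
            name, value, attrs = parse_set_cookie(header)
            if name != cookie_name:
                continue
            persistent = "expires" in attrs or "max-age" in attrs
            if value != last_value:
                verdict = "issued"
            elif persistent:
                verdict = "lifetime-refresh"
            else:
                verdict = "redundant"
            findings.append((path, verdict))
            last_value = value
    return findings

# Constructed sample captures (paths, values and dates are made up).
REMEMBER_ME = [
    ("/index.php", ["zbx_sessionid=aaa111; expires=Fri, 11-Jul-2014 10:00:00 GMT; path=/"]),
    ("/page-a", ["zbx_sessionid=aaa111; expires=Fri, 11-Jul-2014 10:00:05 GMT; path=/"]),
]
NO_REMEMBER_ME = [
    ("/index.php", ["zbx_sessionid=bbb222; path=/", "other=1; Max-Age=60"]),
    ("/page-a", ["zbx_sessionid=bbb222; path=/"]),
]

if __name__ == "__main__":
    print(audit_cookie(REMEMBER_ME), audit_cookie(NO_REMEMBER_ME))
```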



 Comments   
Comment by Andrejs Čirkovs (Inactive) [ 2014 Jun 17 ]

RESOLVED in r46568.

Comment by Ivo Kurzemnieks [ 2014 Jun 18 ]

(1) Session is not set for Guest user if autologin in profile is off.

andrewtch RESOLVED in r46673.

iivs CLOSED.

Comment by Ivo Kurzemnieks [ 2014 Jun 18 ]

(2)

  • ZBase.php: 732 variable name $sessiond, I assume it was meant to be $sessionid;
  • class.webuser.php: 60 unnecessary empty space;
  • class.webuser.php: 26 since parameter $autoLogin is added, it would be nice to add a function description, so we know what these parameters are.

andrewtch RESOLVED in r46673.

iivs I renamed the session cookie get and set functions to more similar names. Also described the functions and their parameters. Please review r46716.

andrewtch Please keep function names sane - it's not "sessionId", it's a session cookie, yet it may not be connected to actual session. Otherwise good, RESOLVED.

iivs REOPENED.
Having more than one ternary operator in one condition is hard to read and we don't use that, and there is an easier way to write this. Please change the code

$autoLogin = self::isGuest() ? false :
			self::$data && self::$data['autologin'] ? true : false;

to the following:

$autoLogin = self::isGuest() ? false : (bool) self::$data['autologin'];

andrewtch RESOLVED, thanks.

iivs CLOSED.

Comment by Ivo Kurzemnieks [ 2014 Jun 18 ]

(3) When disabling autologin from the current user profile, the session expire time should be updated again.

andrewtch RESOLVED in r46673.

iivs REOPENED. The same thing should be done when editing own user data through users.php

andrewtch RESOLVED. After talking with Pavel we returned to the original behavior (setting the cookie on each request), yet keeping all the refactoring already done.

iivs CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2014 Jun 19 ]

(4) The auto-login and auto-logout checkboxes must not be displayed while editing the guest user profile as they make no sense there.

andrewtch RESOLVED in r46673.

iivs CLOSED.

Comment by Ivo Kurzemnieks [ 2014 Jun 20 ]

TESTED.

Comment by Andrejs Čirkovs (Inactive) [ 2014 Jun 20 ]

CLOSED for pre-2.3.2.

Comment by Andrejs Čirkovs (Inactive) [ 2014 Jun 20 ]

(5) Martins, please document that there are no more auto login/logout controls while editing the guest user profile. Cookie behavior left as-is.

martins-v RESOLVED, added to: https://www.zabbix.com/documentation/2.4/manual/introduction/whatsnew240#miscellaneous_improvements

andrewtch CLOSED.
