[ZBX-9358] Zabbix API session ID generation produces non-unique IDs
Created: 2015 Mar 02 | Updated: 2024 Apr 10 | Resolved: 2017 Mar 27

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A)
Affects Version/s: None
Fix Version/s: 2.2.18rc1, 3.0.9rc1, 3.2.5rc1, 3.4.0alpha1
Type: Incident report
Priority: Major
Reporter: Alina Ivchenko
Assignee: Unassigned
Resolution: Fixed
Votes: 0
Labels: authentication, sessions, sid
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Issue Links:
Team:
Sprint: Sprint 4
Story Points: 0.5
Description
We have observed problems with session IDs being non-unique if a user has several sessions during the same second. If two sessions get the same ID, a disconnect on one of those sessions will also unexpectedly disconnect another session. We have traced the non-unique ID problem to this line in the CUser.php file of the Zabbix API:

$sessionid = md5(time().$password.$name.rand(0, 10000000));

time() is second-based, and rand with the same seed has been known to return the same value repeatedly. This appears to be the root of the problem. Since we create a significant number of sessions, duplicate IDs and the resulting problems are a frequent occurrence.
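As an added illustration (not code from the report or from Zabbix), the following Python models the inputs of the md5 expression quoted above to show how small the per-second ID space is, puts a CSPRNG-based generator beside it, and includes a duplicate-ID check an operator could run over an export of the sessions table; the timestamp, credentials and sample rows are constructed.

```python
import hashlib
import random
import secrets
from collections import Counter

# Re-creation of the pre-fix Zabbix expression from the report,
#   md5(time().$password.$name.rand(0, 10000000)),
# with its inputs made explicit so the per-second ID space can be examined.
def legacy_session_id(ts: int, password: str, name: str, r: int) -> str:
    return hashlib.md5(f"{ts}{password}{name}{r}".encode()).hexdigest()

RAND_SPACE = 10_000_001  # rand(0, 10000000) is inclusive at both ends

def expected_collisions(logins_per_second: int, space: int = RAND_SPACE) -> float:
    """Birthday estimate of duplicate IDs among k logins of one user in one second.
    With time(), password and name fixed, only rand() varies, so only `space`
    distinct IDs are reachable no matter how strong md5 is."""
    k = logins_per_second
    return k * (k - 1) / (2 * space)

def simulate_same_second(logins: int, seed: int = 1) -> int:
    """Count duplicate legacy IDs when `logins` sessions of one user are opened
    in the same second. A seeded Python PRNG stands in for PHP's rand(); the
    timestamp and credentials are constructed values."""
    rnd = random.Random(seed)
    ids = Counter(legacy_session_id(1425254400, "zabbix", "Admin", rnd.randint(0, 10_000_000))
                  for _ in range(logins))
    return sum(c - 1 for c in ids.values() if c > 1)

def hardened_session_id() -> str:
    """128 bits from the OS CSPRNG: independent of the clock, the credentials
    and rand(), so collisions and guessing are both out of reach."""
    return secrets.token_hex(16)

def duplicate_session_ids(rows):
    """Detection check for an affected install: given (sessionid, userid, lastaccess)
    rows exported from the sessions table, return sessionids stored more than once."""
    counts = Counter(row[0] for row in rows)
    return sorted(sid for sid, c in counts.items() if c > 1)

# Constructed sample export: two sessions of userid 1 share an ID.
SAMPLE_SESSIONS = [
    ("a" * 32, 1, 1425254400),
    ("b" * 32, 2, 1425254400),
    ("a" * 32, 1, 1425254400),
]
if __name__ == "__main__":
    print("expected duplicates, 10000 logins/s:", round(expected_collisions(10_000), 2))
    print("simulated duplicates, 10000 logins/s:", simulate_same_second(10_000))
    print("duplicate IDs in sample export:", duplicate_session_ids(SAMPLE_SESSIONS))
```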
Comments
Comment by Valdis Murzins [ 2017 Mar 17 ]
(1) No translation strings changed. sasha CLOSED
Comment by Valdis Murzins [ 2017 Mar 17 ]
Fixed in svn://svn.zabbix.com/branches/dev/ZBX-9358
Comment by Alexander Vladishev [ 2017 Mar 20 ]
(2) Using the mt_rand() function instead of rand() does not give any changes. The number of non-unique sessions is not decreased (~25000-50000 non-unique sessions per 1000000 attempts). Using the microtime() function instead of time() solves this problem. After this fix I can't produce non-unique sessions.
Index: frontends/php/api/classes/CUser.php =================================================================== --- frontends/php/api/classes/CUser.php (revision 66496) +++ frontends/php/api/classes/CUser.php (working copy) @@ -1140,7 +1140,7 @@ } // start session - $sessionid = md5(time().$password.$name.rand(0, 10000000)); + $sessionid = md5(microtime().$password.$name.rand(0, 10000000)); DBexecute('INSERT INTO sessions (sessionid,userid,lastaccess,status) VALUES ('.zbx_dbstr($sessionid).','.$userInfo['userid'].','.time().','.ZBX_SESSION_ACTIVE.')'); add_audit(AUDIT_ACTION_LOGIN, AUDIT_RESOURCE_USER, _s('Correct login "%s".', $name));
vmurzins RESOLVED in r66543 sasha CLOSED
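Review bot: the replacement line still derives the session ID from guessable material only, namely microtime(), the user's password and name, and a non-cryptographic rand(0, 10000000) value of roughly 23 bits, hashed with md5. Swapping time() for microtime() removes the same-second collisions this issue reports, but it does not make the token unpredictable. Suggest generating the ID from a CSPRNG instead, e.g. `$sessionid = bin2hex(openssl_random_pseudo_bytes(16));` (or random_bytes(16) where PHP 7 is available), and letting the database enforce uniqueness of sessions.sessionid on the INSERT that follows rather than relying on the hashed inputs never repeating.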
Comment by Valdis Murzins [ 2017 Mar 22 ]
Fixed in svn://svn.zabbix.com/branches/dev/ZBX-9358_3.4 (for 3.4)
Comment by Valdis Murzins [ 2017 Mar 27 ]
Fixed in 2.2.18rc1 r66749, 3.0.9rc1 r66755, 3.2.5rc1 r66756, 3.4.0alpha1 r66765, r66799