Session conflict with other service at the same IP

[rhandsch]

Versions

From docker container startup "Version info":

• Pi-hole: v6.0.4
• AdminLTE: v6.0.1
• FTL: v6.0.3

Platform

Docker on Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-133-generic x86_64).

Expected behavior

• The session does not expire (when showing the dashboard) or expires in rare cases
• Login should succeed

Actual behavior / bug

• The session expires after about half an hour

• After entering the valid password the login is denied with the message ""

• A cookie "sid" is created with the value "deleted"

Steps to reproduce

Steps to reproduce the behavior:

1. Login to /admin
2. Let the dashboard page open in the background for about 30 mins
3. Session expires and login page is shown
4. Enter valid password
5. Login page is still shown
6. Open dev tools and delete the cookie "sid" with value "deleted"
7. Enter password
8. Login is successful and dashboard is shown

Debug Token

Screenshots

Additional context

This behaviour started with one of the last docker container updates (about 3 weeks ago).
Tested with Brave and Firefox.

[DL6ER]

The session does not expire (when showing the dashboard) or expires in rare cases
[...]
The session expires after about half an hour

Please note that the dashboard only updates when it is visible. If you have the tab open but are not actively using it, there is little point in updating it all the time, waiting resources on this. But yes, this means that when you don't use the page in more than half an hour, it may have expired. This is desired behavior.

A cookie "sid" is created with the value "deleted"

Do you have any other plugins in your browsers possibly influencing cookie behavior?

I'm asking because it can only get the value "deleted" when FTL invalidate the session via this header:

FTL/src/api/auth.h

Line 46 in 37f9a96

#define FTL_DELETE_COOKIE "Set-Cookie: sid=deleted; SameSite=Strict; Path=/; Max-Age=-1\r\n"

settings the Expires=-1 which seems to be missing in your screenshot.

[DL6ER]

Please try whether the issue is fixed after running

sudo pihole checkout ftl tweak/session_expiry

#2336

[rhandsch]

pihole runs in a docker container and sudo docker exec pihole pihole checkout ftl tweak/session_expiry says "Function not supported in Docker images".
It seems I need to build a custom image. Will try later...

[yubiuser]

See here how to do this

https://github.com/pi-hole/docker-pi-hole?tab=readme-ov-file#building-the-image-locally

---

It boils down to

./build.sh -f tweak/session_expiry

[yubiuser]

I tried to reproduce the issue with chrome/firefox

Login to /admin
Let the dashboard page open in the background for about 30 mins
Session expires and login page is shown
Enter valid password
Login page is still shown
Open dev tools and delete the cookie "sid" with value "deleted"

When I got auto-logged out, the cookie was still there with all it's values, but I could successfully re-login.

Maybe I have to wait longer until the sid is set to deleted?

[PromoFaux]

See also this thread.

It could be possible in this case that the session is being expired because another web application (which is accessed via the same IP/hostname - even if a different port) also had a cookie named sid.

The one way to be sure to avoid collisions here is to use http(s)://pi.hole/admin

[rhandsch]

I tried to reproduce the issue with chrome/firefox

Login to /admin
Let the dashboard page open in the background for about 30 mins
Session expires and login page is shown
Enter valid password
Login page is still shown
Open dev tools and delete the cookie "sid" with value "deleted"

When I got auto-logged out, the cookie was still there with all it's values, but I could successfully re-login.

Maybe I have to wait longer until the sid is set to deleted?

Hi! I observed this behaviour as well. Sometimes I could successfully login.
But in the error case first the cookie gets deleted completely, and then after the next login the "delete" cookie was created and stays. I'm not sure what makes the difference. I'll try to figure it out.
But first I'm trying the proposed fix:

To answer an initial question

Do you have any other plugins in your browsers possibly influencing cookie behavior?

No, there is only the KeePassXC-Browser plugin.

Thx so far!

[rhandsch]

It could be possible in this case that the session is being expired because another web application (which is accessed via the same IP/hostname - even if a different port) also had a cookie named sid.

That was the problem! E.g. "webmin" uses "sid" as well.

The one way to be sure to avoid collisions here is to use http(s)://pi.hole/admin

In my case I need to follow these hints: pi-hole/docker-pi-hole#1769 (comment)

[DL6ER]

I set this to "no bug" as the issue is interference with other services hosted on the same domain. This is - in general - an issue and would have been one before v6.0 as well if the second application would have been using PHP as backend. The conflict would then have been in the PHPSESSID cookie. With v6.0, this conflict lies now in the (somewhat standardized) sid cookie.

TL;DR: The solution is to use your Pi-hole at http://pi.hole/admin, not via its IP address.

This will resolve all the problems and comes at no extra costs. DNS is there so you don't have to remember IP addresses and pi.hole will definitely be shorter than any 192.168.x.y addresses ;-)