Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Session conflict with other service at the same IP #2322

Closed
rhandsch opened this issue Mar 3, 2025 · 9 comments
Closed

Session conflict with other service at the same IP #2322

rhandsch opened this issue Mar 3, 2025 · 9 comments
Labels

Comments

@rhandsch
Copy link

rhandsch commented Mar 3, 2025

Versions

From docker container startup "Version info":

  • Pi-hole: v6.0.4
  • AdminLTE: v6.0.1
  • FTL: v6.0.3

Platform

Docker on Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-133-generic x86_64).

Expected behavior

  • The session does not expire (when showing the dashboard) or expires in rare cases
  • Login should succeed

Actual behavior / bug

  • The session expires after about half an hour

  • After entering the valid password the login is denied with the message ""

  • A cookie "sid" is created with the value "deleted"

Steps to reproduce

Steps to reproduce the behavior:

  1. Login to /admin
  2. Let the dashboard page open in the background for about 30 mins
  3. Session expires and login page is shown
  4. Enter valid password
  5. Login page is still shown
  6. Open dev tools and delete the cookie "sid" with value "deleted"
  7. Enter password
  8. Login is successful and dashboard is shown

Debug Token

Screenshots

Image Image

Additional context

This behaviour started with one of the last docker container updates (about 3 weeks ago).
Tested with Brave and Firefox.

@DL6ER DL6ER transferred this issue from pi-hole/pi-hole Mar 3, 2025
@DL6ER
Copy link
Member

DL6ER commented Mar 3, 2025

The session does not expire (when showing the dashboard) or expires in rare cases
[...]
The session expires after about half an hour

Please note that the dashboard only updates when it is visible. If you have the tab open but are not actively using it, there is little point in updating it all the time, waiting resources on this. But yes, this means that when you don't use the page in more than half an hour, it may have expired. This is desired behavior.

A cookie "sid" is created with the value "deleted"

Do you have any other plugins in your browsers possibly influencing cookie behavior?

I'm asking because it can only get the value "deleted" when FTL invalidate the session via this header:

#define FTL_DELETE_COOKIE "Set-Cookie: sid=deleted; SameSite=Strict; Path=/; Max-Age=-1\r\n"

settings the Expires=-1 which seems to be missing in your screenshot.

@DL6ER
Copy link
Member

DL6ER commented Mar 5, 2025

Please try whether the issue is fixed after running

sudo pihole checkout ftl tweak/session_expiry

#2336

@rhandsch
Copy link
Author

rhandsch commented Mar 6, 2025

pihole runs in a docker container and sudo docker exec pihole pihole checkout ftl tweak/session_expiry says "Function not supported in Docker images".
It seems I need to build a custom image. Will try later...

@yubiuser
Copy link
Member

yubiuser commented Mar 6, 2025

See here how to do this

https://github.com/pi-hole/docker-pi-hole?tab=readme-ov-file#building-the-image-locally


It boils down to

./build.sh -f tweak/session_expiry

@yubiuser
Copy link
Member

yubiuser commented Mar 6, 2025

I tried to reproduce the issue with chrome/firefox

Login to /admin
Let the dashboard page open in the background for about 30 mins
Session expires and login page is shown
Enter valid password
Login page is still shown
Open dev tools and delete the cookie "sid" with value "deleted"

When I got auto-logged out, the cookie was still there with all it's values, but I could successfully re-login.

Maybe I have to wait longer until the sid is set to deleted?

@PromoFaux
Copy link
Member

See also this thread.

It could be possible in this case that the session is being expired because another web application (which is accessed via the same IP/hostname - even if a different port) also had a cookie named sid.

The one way to be sure to avoid collisions here is to use http(s)://pi.hole/admin

@rhandsch
Copy link
Author

rhandsch commented Mar 6, 2025

I tried to reproduce the issue with chrome/firefox

Login to /admin
Let the dashboard page open in the background for about 30 mins
Session expires and login page is shown
Enter valid password
Login page is still shown
Open dev tools and delete the cookie "sid" with value "deleted"

When I got auto-logged out, the cookie was still there with all it's values, but I could successfully re-login.

Maybe I have to wait longer until the sid is set to deleted?

Hi! I observed this behaviour as well. Sometimes I could successfully login.
But in the error case first the cookie gets deleted completely, and then after the next login the "delete" cookie was created and stays. I'm not sure what makes the difference. I'll try to figure it out.
But first I'm trying the proposed fix:

Image

To answer an initial question

Do you have any other plugins in your browsers possibly influencing cookie behavior?

No, there is only the KeePassXC-Browser plugin.

Thx so far!

@rhandsch
Copy link
Author

rhandsch commented Mar 13, 2025

It could be possible in this case that the session is being expired because another web application (which is accessed via the same IP/hostname - even if a different port) also had a cookie named sid.

That was the problem! E.g. "webmin" uses "sid" as well.

The one way to be sure to avoid collisions here is to use http(s)://pi.hole/admin

In my case I need to follow these hints: pi-hole/docker-pi-hole#1769 (comment)

@DL6ER DL6ER added No bug and removed Unclear labels Mar 16, 2025
@DL6ER
Copy link
Member

DL6ER commented Mar 16, 2025

I set this to "no bug" as the issue is interference with other services hosted on the same domain. This is - in general - an issue and would have been one before v6.0 as well if the second application would have been using PHP as backend. The conflict would then have been in the PHPSESSID cookie. With v6.0, this conflict lies now in the (somewhat standardized) sid cookie.

TL;DR: The solution is to use your Pi-hole at http://pi.hole/admin, not via its IP address.

This will resolve all the problems and comes at no extra costs. DNS is there so you don't have to remember IP addresses and pi.hole will definitely be shorter than any 192.168.x.y addresses ;-)

@DL6ER DL6ER changed the title Session expires, cannot login Session conflict with other service at the same IP Mar 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

4 participants