Problems, need help? Have a tip or advice? Post it here.
29 posts Page 1 of 3
My client has encountered a serious and frustrating bug in CouchCMS.
She was writing an article for the website and working hard throughout the day.
She tends to forget to press "Save" button every 5 minutes and has a habit to leave her computer for more than 20 minutes, which means that her session in CouchCMS has probably expired.
Then she was very frustrated when whe came back to her PC, finished the article (there was no any kind of notification that she wasn't already logged in) pressed Save button and was greeted with CouchCMS's login screen.
After logging in she saw that most of her today's work is gone.

Now I'm looking how to fix this bug and I think the solution is to have a cookie expire not in a Session, but a year, and a side effect will be that she won't have to login every time she wants to edit or post something.

And no, we don't care much about security, because the work is being done on a test server and we have a separate login system for regular visitors.
OK, I've fixed the bug myself.

It was in auth.php in function set_cookie:
Before:
Code: Select all
setcookie($this->cookie_name, $cookie, 0, $this->cookie_path, null, null, true);

After:
Code: Select all
setcookie($this->cookie_name, $cookie, $cookie_expiry, $this->cookie_path, null, null, true);


I wanted to create a pull request on GitHub, but then I saw that it's already fixed there.

We are using CouchCMS 1.4, NOT 1.4.5RC2 because I thought that what I download on the main page is always more stable and free of stupid and frustrating bugs like this.
OK, I've installed the 1.4.5RC2 and believe it or not, THE BUG IS STILL THERE.

SO I've made a commit on GitHub and expect it to be pulled.
https://github.com/CouchCMS/CouchCMS/pull/6/files

Please tell me that there are no more serious issues. If there are, I'll help in any way I can.
Hi @eklipse2009. Sorry to hear about your bad experience. No one likes to have their work eaten by a computer. I'm just a user of Couch, so I'm in no position to speak about the issue you encountered or your fix for it.

But I do want to warn you that's not the only way to lose your work in Couch. If you close the browser window or hit the back button or refresh the page, there's no check to see if you have unsaved data. It's just gone. That issue will be addressed in the new admin panel that is scheduled for the next release. But for the time being, users should be very careful about saving their work.

Of course, it's probably not a good practice to do a lot of original work in a browser-based application anyway, particularly without regular saving. Something like a power outage or network error could also destroy your work. Where I live, my network is sometimes unreliable. I've had my work disappear when I hit the save button and the network times out. Instead of saving the page, it gets irretrievably replaced by "Page Not Found." I've learned the hard way, and I prefer to compose most of my work in a text editor first.

Losing work has probably been my biggest point of pain with Couch, and anything that can be done to prevent it gets my approval. Thanks for contributing.
Funny ...

I have this the other way around sometimes ...somehow I stay logged-in even after a day or two (randomly)
I load frameworks and write bugs on top of them, after that I rearrange the code so that it looks like a cool product.
@KK can comment on this matter with more authority, but in my estimation there is no bug here, the relevant code is working as intended. Whether it could be improved in some way is up for debate...

It is important to distinguish between two aspects - the life of the cookie in your browser (the expire value), and the length of time the cookie can remain valid for authentication purposes.

Currently Couch sets the cookie to expire at the end of the session (when the browser closes). The cookie therefore could theoretically live on indefinitely, that is of course if your browser doesn't close. Couch will however not allow that cookie to successfully authenticate beyond a period of one day (there is a timestamp present in the cookie).

The remember capability is present in the set_cookie function because it is used for extended users on the front end, see addons/extended/extended-users.php#L636.

Data loss is highly regrettable and we certainly want to minimize the chance of it occurring. As Tim pointed out, the new admin panel makes some progress in this area. More could be done though; perhaps we could warn the user (with a modal message) if their login is effectively about to expire behind-the-scenes...
Sorry, cheesypoof, but I think you're wrong, unless my eyes deceive me.
I've read the logic from the code itself in couch/auth/auth.php
Version 1.4:
setcookie's function THIRD parameter was set to ZERO instead of $cookie_expiry, which in turn was set to 12 hours. Instead of being passed as a parameter to a function, it is only used in HASH, which is clearly not enough.
The thing MIGHT work with very old PHP version though.
When a variable is set a value and is not used where intended, it IS a bug, not a feature.

version 1.4.5
There is not documented way to use $rememberme variable.
But the logic suggests that even with NO rememberme button checked, the cookie must last for 24 hours.
Then the logic suggests that IF rememberme is not checked, the cookie expiration parameter is yet again set to ZERO instead of 24 hours.
@tim
contemporary web-applications not only support automatic saving, but they've relaxed the common users, so they think of any text editor to be as reliable as MS Word, which they are used to.
I've implemented the warning in Javascript, so the page or browser is not closes unintentionally, but ending the session before the user could save anything is an atrocios bug. The worst thing about it is that the user did not do anything unexpected by her fault, she HAD all the text ready and DID press the "Save" button.
Just agree that this behavior of the system is unexpected. When you press "Save" the system is supposed to SAVE or AT LEAST notify the user that the action is impossible.
@eklipse2009, I'm sorry about the loss.
However, as @cheesypoof correctly pointed out, this cannot be termed as a bug per se.

The cookie set by Couch is ephemeral i.e. close the browser and the cookie is gone. You need to login again when you fire up the browser once more.

In v1.4, the time for which the cookie remains valid is 12 hours.
Which means that if a user opens her browser and logs in into Couch admin-panel and keeps the same browser open continuously for 12 hours, she'll be asked to login again after that period.

Now, I concede, 12 hours in rather short a period and there is a chance, as evidently happened with your client, that the user be in the middle of an active editing session when the 12 hours end. This could result in losing unsaved data.

To mitigate this eventuality, we increased the validity time fro 12 hours to 24 hours in 1.4.5RCx.

So now, the user needs to have a browser continuously open for 24 hours before hitting that time. This, IMHO, whittles down the chances of someone experiencing the problem being discussed considerably.

1.4.5RC is as stable as 1.4 and you can safely choose to upgrade to it. It has been in public for a long time and all reported bugs are fixed as soon as they are reported.

The 'remember' option, as @cheesypoof pointed out, is used by 'extended-user' and will be used by future versions of Couch for the default login screen.

Finally, on a lighter note, anyone who has been around computers for any length of time learns to save data periodically. Murphy's law sees to it :) I found myself once losing *saved* data from a text editor when the computer suddenly went down and now make a point to save important data and *close* the editor to make sure the data is flushed to the hard-disk :)
KK wrote: The cookie set by Couch is ephemeral i.e. close the browser and the cookie is gone.

If I'm wrong I'd prefer to know where I'm wrong and why my commit is wrong and will not work.

Sorry if I might sound irritated, because I'm 100% sure that I've fixed the bug, because now I can safely close the browser and retain my login in CouchCMS.

If the login data is lost when the browser is closed, then the cookie is set to expire in a SESSION.
Most users USE their website intensively, instead of just leaving the admin panel open, thus not even noticing the bug.
29 posts Page 1 of 3