Login destroys session bug workaround

As reported here, I wonder if there is a workaround to keep other session values when logging in to the front-end, as I encounter the problem:

https://github.com/getkirby/kirby/issues/408

Is there anyone on it to change how the login works?


Please see this explanation over at OWASP. Not starting a new session on login is a security risk.

So I guess e.g. in the shopping cart case we have to work around it, for example by saving the current cart to a cookie and, when logging in, filling the cookie into the session again?

Or is there another way to keep the information?

I guess @samnabi is also interested.

I guess Kirby could copy over the session data to the new session, but I don’t know what @bastianallgeier’s motivation was to destroy the session completely on login. I have invited him to this topic.

Logging out first is basically a clean-up process to get rid of any data that might create conflicts. I think we could only clean up all panel session vars though and copy over the rest. That might probably work.


So in an upcoming version of Kirby, the login will not delete all sessions?

As for now, I fixed the problem by saving certain session values into a cookie and returning the values into the session after logging in again. As in my case there is no critical data involved, I guess that’s fine for me, for now.

Could you share the code you used to save the session values to the cookie and back? It would surely be useful for others :) At least I could use it in one project where the sessions are not optimal at the moment :)

Sure:

Setting the cookie on the login page:

    // collect every product that has a quantity stored in the session
    $shoppingcart = array();
    foreach($pages->find('shop')->children()->visible() as $product){
      if(s::get($product->uid())){
        $shoppingcart[] = array(
          'produkt' => $product->uid(),
          'qty'     => s::get($product->uid()),
        );
      }
    }
    // write the cookie (60 minutes) once, after the loop, so the cart
    // survives the session reset on login
    if(!empty($shoppingcart)){
      cookie::set('cart', json_encode($shoppingcart), 60);
    }

Returning the cookie into the session, and deleting the cookie again:

    // restore the cart into the fresh session, then drop the cookie
    if(cookie::get('cart')){
      $cookiecart = json_decode(cookie::get('cart'));
      if(is_array($cookiecart)){
        foreach($cookiecart as $cartsession){
          s::set($cartsession->produkt, $cartsession->qty);
        }
      }
      // remove once, after the loop, not on every iteration
      cookie::remove('cart');
    }

As a short explanation:

I am using a session to save a shopping cart, where the page->uid is some kind of identifier, and the session value e.g. 1, 2, 3 etc.

So in short, I go through all products to see if there’s a session value with that identifier, save the values into $shoppingcart, encode it as JSON, and after logging in decode the JSON and put each value into the session using the same identifiers, obviously. Lastly, I delete the cookie again as it’s not needed anymore.
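An added example (not code from this thread or from Kirby) of the two points the cookie hand-off above leaves open: the cookie lives in the browser and is client-controlled, so its contents are validated before they become session state, and the post-login session starts empty with only whitelisted keys copied over, which is the "copy over the rest" idea mentioned earlier. KNOWN_PRODUCTS, MAX_QTY, the key names and the sample cookie are assumptions constructed for this example.

```php
<?php
// Added example, not from the thread or Kirby. Two checks the cookie hand-off above leaves
// open: cookie data is client-controlled, so it is validated before becoming session state,
// and the post-login session starts empty with only whitelisted keys copied over.
// KNOWN_PRODUCTS, MAX_QTY and the key names are assumptions constructed for this example.

const KNOWN_PRODUCTS = array('shirt', 'mug', 'poster');
const MAX_QTY = 99;

// Turn the JSON from the 'cart' cookie into uid => qty, keeping only entries whose
// product uid exists and whose quantity is an integer between 1 and MAX_QTY.
function cartFromCookie($json) {
    $items = json_decode($json, true);
    $cart  = array();
    if (!is_array($items)) {
        return $cart;
    }
    foreach ($items as $item) {
        if (!is_array($item) || !isset($item['produkt'], $item['qty'])) {
            continue;
        }
        $qty = filter_var($item['qty'], FILTER_VALIDATE_INT,
            array('options' => array('min_range' => 1, 'max_range' => MAX_QTY)));
        if (in_array($item['produkt'], KNOWN_PRODUCTS, true) && $qty !== false) {
            $cart[$item['produkt']] = $qty;
        }
    }
    return $cart;
}

// Build the session that exists after login: a fresh array (the old session is dropped,
// which is what defeats session fixation) plus only the keys listed in $keep.
function sessionAfterLogin(array $old, array $keep) {
    $fresh = array();
    foreach ($keep as $key) {
        if (array_key_exists($key, $old)) {
            $fresh[$key] = $old[$key];
        }
    }
    return $fresh;
}

// Constructed cookie value: one valid item, one unknown product, one negative quantity.
$cookie = json_encode(array(
    array('produkt' => 'mug',    'qty' => 2),
    array('produkt' => 'laptop', 'qty' => 1),
    array('produkt' => 'shirt',  'qty' => '-5'),
));
$old = array('cart' => cartFromCookie($cookie), 'panel_user' => 'admin');
var_dump(sessionAfterLogin($old, array('cart')));
```

Only the `mug` entry survives validation, and `panel_user` is not carried into the new session because it is not in the whitelist.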

Could you please test the improved-login feature branch? Should work, but we haven’t tested this enough yet to be merged.