
Moodle error page handler should not need a session lock / remove redundant error contact form

    • MOODLE_405_STABLE
    • MDL-83949-error-session-create
      1. Set up a site using the database session handler, purely to make it easier to test (not Redis etc.)
      2. Set up a Moodle 404 error handler page
        https://docs.moodle.org/dev/Error_pages#404_File_not_found_-_Web_server_errors
      3. Login as anyone
      4. Visit a non-existent page such as
        https://master.localhost/a404page
      5. Confirm you still see your header and user menu for your user
      6. Confirm you see 'Contact site support' and can click on it and get taken to the contact form
      7. Kill all sessions from the CLI
        php admin/cli/kill_all_sessions.php
      8. In the database confirm all sessions are gone:
        select count(sid) from mdl_sessions;
      9. In a terminal simulate some random bot traffic and curl non-existent pages
        curl -kI 'https://master.localhost/not-a-real-page'
      10. Confirm that there are no new sessions, count = 0
        select count(sid) from mdl_sessions;
      11. In a terminal simulate some random bot traffic and curl a real page
        curl -kI 'https://master.localhost/'
      12. Confirm that there are now new sessions, count = 1
        select count(sid) from mdl_sessions;
      Code verified against automated checks.

      Checked MDL-83949 using repository: https://github.com/brendanheywood/moodle
      main (0 errors / 0 warnings) [branch: MDL-83949-error-session-create]

      Built on: Mon 09 Dec 2024 09:55:56 AM UTC

      There is lots of random bot traffic which hits 404s, and when 404s are forwarded to /error/index.php for handling, this creates a Moodle session which is never used again.

      If a real user legitimately ends up on the error page then it is nice that the error page knows who they are and prints the correct page header etc, but in most cases if it's a bot and they are not logged in then this should not create a new session when they will never come back and it just clogs up the session store.

      The only legitimate reason you need a session on this page is if you are a real human and you also want to fill out the form on the error page to contact site support, because forms need a sesskey. But in most cases that form doesn't even show with default config.

      In 3.10 in MDL-56041 I cleaned up the way error pages could be used to send a message to the site support, but then in MDL-73608 in 4.0 a much nicer way was added in parallel and I think should have completely replaced the error page contact form. They are both only available under certain conditions, but those conditions mostly overlap, and so in most cases you get neither form, or only the new better one, or when fully set up you would get both forms, which is redundant and confusing.

      Forms           | /error/index.php                     | /user/contactsitesupport.php
      User            | Can be anon, defaults to user        | Can be anon, defaults to user
      Capability      | site:senderrormessage                |
      Support user    | Only shown if support is a real user | Shown either way
      Settings        | No admin settings                    | $CFG->supportavailability
      General context | Only error pages                     | General purpose contact form

      Given that there are two competing contact forms, and the new one is obviously superior, I propose just removing the old one, and then we can safely mark the error pages as not needing a session lock, or a session at all if you are anon.
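A client-side complement to the database count in testing steps 9 to 12, added here as an example and not part of the issue or of Moodle's code: it reads `curl -skI` output and reports, per response, whether a session cookie was issued. It assumes a new session is visible as a `Set-Cookie` header whose name starts with `MoodleSession`; the function names and sample responses are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit HEAD responses for session creation on error pages.
# Assumption: a new Moodle session shows up as "Set-Cookie: MoodleSession...=".
# Usage: curl -skI 'https://master.localhost/not-a-real-page' | session_report

# Reads one or more response header blocks on stdin (several URLs or curl -L
# give several blocks) and prints "<status> yes|no" for each block, where
# "yes" means that response handed out a session cookie.
session_report() {
    tr -d '\r' | awk '
        /^HTTP\// {
            if (status != "") print status, (cookie ? "yes" : "no")
            status = $2; cookie = 0; next
        }
        tolower($0) ~ /^set-cookie: *moodlesession[^=]*=/ {
            # PHP clears a cookie by sending "name=deleted"; that is a
            # teardown, not a new session, so it is not counted.
            if (tolower($0) !~ /=deleted;/) cookie = 1
        }
        END { if (status != "") print status, (cookie ? "yes" : "no") }
    '
}

# Exit status 0 only if no 4xx/5xx response in the input set a session cookie.
no_session_on_error() {
    ! session_report | grep -Eq '^[45][0-9][0-9] yes$'
}

# Constructed sample responses (not captured from a real site).
# Expected outcome of steps 9-12: the 404 sets no cookie, the real page does.
SAMPLE_EXPECTED='HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8

HTTP/1.1 200 OK
Set-Cookie: MoodleSession=constructed0001; path=/; secure; HttpOnly
'
# The behaviour the issue describes: an anonymous 404 that starts a session.
SAMPLE_REGRESSION='HTTP/2 404
set-cookie: MoodleSession=constructed0002; path=/; secure; HttpOnly
'
# A cookie being cleared on an error response must not be flagged.
SAMPLE_TEARDOWN='HTTP/1.1 404 Not Found
Set-Cookie: MoodleSession=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
'
```
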

            brendanheywood Brendan Heywood
            Benjamin Walker Benjamin Walker