Magento 1.x SUPEE-10570 Bug – Session Timing Out

After deploying a recent Magento security patch – SUPEE-10570 – I was receiving reports from fellow staff and customers that valid product pages were returning a 404 response.  Oddly enough, if you logged into your customer account the page would be rendered just fine.

Bugs have been identified in Magento 1.x SUPEE-10570 security patch – v1 and v2

In a bit of a panic, I did pulled the major reset lever – a full reindex and cache flush of the full page cache and objects.  And all was good!

A random Magento oddity that will not reoccur – right?  Wrong.  It happened again.  And again.  And then vendors pointed it out to us as well…

Additionally our internal staff seemed to be getting logged out of the Magneto admin at undesired times – like when submitting an order for a customer in the Magneto Admin…

Magento Installation

This issue was happening on a Magento Enterprise 1.14.2.0 fully patched site, including SUPEE-10570 v2 (though v1 is affected by this as well).

I have not looked into the Magneto 2 code to see if the same issue exists there.

SUPEE-10570 Bugs

The root bug with this patch is that it is setting a timestamp in the visitors session which is used to validate if a malicious person is trying to hijack session cookie.  The timestamp will expire based on the session lifetime settings set in the Magento for the frontend and admin.

If that timestamp is in the past, Magento will invalidate the session.  But it is not handled gracefully…  And worse yet, not all timestamps are updated as expected.

In the users session stored on the server there are several namespaces – each of which have the session validation timestamp stored to them.  But not all pages use all of the namespaces.  So it’s possible to get a stale timestamp stored in your session.

Worse yet, if you are using the Full Page Cache (from Enterprise), the block of code that should update one of the namespaces – reports (for tracking page view stats) – isn’t called if the page is stored in the fullpage cache.  For this reason it’s very easy for a visitor to have a stale timestamp in their session, which will result in an exception thrown in your server logs (exception.log) and a 404 page being returned to the visitor.  Worse yet, that 404 response is now stored in the full page cache for future visitors to find!

This same scenario plays into the Magento admin as well.  I haven’t dug as deep into how that is all affected but am aware that it is and that the below fix resolves the issues.

Exception Thrown in exception.log

When Magento detects a stale timestamp from the Reports module, it throws the following exception:

Long Standing Additional Bug Identified By This Issue

It seems to me that the report function of Magento that reports product view counts is not working as desired when the Full Page Cache is enabled.  As mentioned above, that block of code is not called when a page is stored in the Full Page Cache, thus the counter is never updated…

Steps to Recreate the 404 Product Page Bug

  1. Enable the Full Page Cache in the Magento Admin
  2. Set the session Cookie Lifetime to a low value for testing like 60 (1 minute)
  3. Clear the full page cache
  4. Visit a product page (it should render as expected)
  5. Visit a category page
  6. Wait until the session Cookie Lifetime has lapsed – wait 60+ seconds based on the above suggested settings
  7. Visit any product page (except that visited in step 4) – a 404 response is shown to the customer.
    1. This 404 response is stored in the full page cache – as will be verified by step 8 below.
    2. View the exception.log file to notice an exception thrown – exception ‘Mage_Core_Model_Session_Exception’ in /var/www/vhosts/mysite.com/html/app/code/core/Mage/Core/Model/Session/Abstract/Varien.php
  8. Open a different browser/session and visit the same product page as step 7
    1. a 404 response is shown to this now new visitor because the page is stored in the full page cache. 

Magento Support

I have brought this issue to the attention of Magento Support.  It’s my understanding that they are working on a resolution and I will certainly update this post when I know more.  But honestly their responses are rather vague and I have already implemented a working solution, so I have put that ticket on the sideburner a bit.  They never did acknowledge if they can recreate the issue or not oddly enough…  but have said they are working on my ticket…

Source of the Bug

The source of the bug is this bit of code added by patch SUPEE-10570:

This is where Magento checks the timestamp.  When Magento returns false there can be undesired, depending on what namespace called the validate() function.

Mitigating the Session Timeout Bug

Mitigation is simple – just comment out / remove the problematic lines of code.

I personally don’t suggest modifying core files – as does any good Magneto developer.  For that reason, you should copy the entire file to the local path:

NOTE: Because this a an abstract file you do need to copy the entire file – not just the method you are overriding.

In that local file you can then comment out these lines and all will be resolved.  That said, this is a mitigation – NOT a Magento approved/supplied fix.

Magento intended to add this step of validation for security reasons.  I don’t personally feel this really helps much of anything in terms of security, but I’ve never claimed to be a security expert either – I’m a developer.  Also, if/when Magento does publish a solution to this issue we will likely need to remove this mitigation, so keep in mind that implementing this may require additional maintenance in the future.