Critical PHP Issue: An active PHP session was detected. #4048

Open
jmhmedia opened this issue Sep 4, 2020 · 35 comments

@jmhmedia

jmhmedia commented Sep 4, 2020

I'm getting the following error in my Site Health settings. After deactivating ALL plugins and reactivating one by one, I found that Unyson is the culprit.

A PHP session was created by a session_start() function call. This interferes with REST API and loopback requests. The session should be closed by session_write_close() before making any HTTP requests.

@jeremyJJB

I have the exact same issue with WP 5.5.1 and Unyson 2.7.24

@wholthof

wholthof commented Sep 9, 2020

And I have the exact same issue with WP 5.5.1 and Unyson 2.7.24; after I removed Unyson there was no problem.
Please give me the solution.

@franckadil

Can Reproduce on latest 2.7.24: A PHP session was created by a session_start() function call. This interferes with REST API and loopback requests. The session should be closed by session_write_close() before making any HTTP requests.

@franckadil

@jmhmedia , @jeremyJJB , @wholthof Hi guys, I made some pull requests, please review and suggest corrections if you can:

#4052
#4051

The best,

@wholthof

wholthof commented Sep 13, 2020 via email

@wholthof

Hi,
I have modified the 2 files but now I cannot start up the website.
After I changed back to the old situation I can start up my website.
Please give a good tested update from Unyson.

@jeremyJJB

@franckadil I took a look at the code, and it looks like everything is closed. Full disclosure: I'm not an expert in PHP or WP plugin dev. Going off what @wholthof mentioned in his previous comment, it seems that one too many sessions have been closed since the site would not load, but I'm not sure. Thank you for taking the initiative on this. I've been having a lot of headaches with Unyson lately.

@wholthof

My workaround is to add the code below in themes/xxxx/functions.php:

```php
if (!function_exists('_disable_fw_use_sessions')) {
    add_filter('fw_use_sessions', '_disable_fw_use_sessions');

    // Tell Unyson not to use PHP sessions at all.
    function _disable_fw_use_sessions() {
        return false;
    }
}
```

AGAIN THE URGENT REQUEST THAT UNYSON RELEASES AN UPDATE ASAP !!!!!!!

@wholthof

Please can you tell me when Unyson will release an update!!!

@marymaru

Same here:

An active PHP session was detected. A PHP session was created by a session_start() function call. This interferes with REST API and loopback requests. The session should be closed by session_write_close() before making any HTTP requests.

I've talked to my web host and they've confirmed it's the Unyson plugin that's initiating the session. When they deactivated the plugin (and crashed my site) the PHP error disappeared. I tried deleting Unyson and then reinstalling on a dev site and it caused massive corruption to my site.

@wholthof workaround 👍🏻 thanks!
Adding to the urgent requests for a Unyson update.

@Ataurr
Contributor

Ataurr commented Sep 27, 2020

@valeriuzdrobau @andreiglingeanu @ViorelEremia @GheorgheP @llemurya @sergiu-radu Can you please release an update with this fix?

@franckadil sent a pull request with the fix.

@luseju

luseju commented Sep 29, 2020

Hi! I'm having the same error, and now I can't access into my WP site.

@corzel

corzel commented Oct 22, 2020

I fixed it by adding:
session_write_close();
in lines 231 and 262 in this file: wp-content/plugins/unyson/framework/includes/hooks.php

229: session_start();
230: }
231: session_write_close();
232: }

@wholthof

WHY DOES UNYSON NOT ISSUE AN UPDATE THAT SOLVES THIS PROBLEM ???
Surely this is not always the case that everyone is looking for a solution.
Unyson come up with that Update

@CMRD77

CMRD77 commented Oct 27, 2020

Is there any solution or update yet?

"A PHP session was created by a session_start() function call. This interferes with REST API and loopback requests. The session should be closed by session_write_close() before making any HTTP requests."

@apatsidis123

Same here, it is December and Unyson still didn't fix that issue? Come on guys, it's a security issue, are you serious? So many themes are dependent on that, please fix your issues!

@yaaax

yaaax commented Dec 31, 2020

Same here.
From what I understand, Unyson plugin uses the session to store "Flash messages".
See file /framework/helpers/class-fw-flash-messages.php:

Store messages in session (to not be lost between redirects) and remove them after they were shown to the user

Some useful links :

@ViorelEremia you seem to be the developer who would know the best how to rework this Flash Messages mechanism without sessions (see "Unyson not playing nice with Varnish-caching")
You actually introduced the workaround to disable sessions: "add hook to disable sessions".

I think it's time for your bosses to give you some time to think about a rework :)
Have a great New Year's Eve.

Cheers
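
Added example, not part of the thread and not Unyson's code: one way a flash-message store can keep using `$_SESSION` while holding the session open only for the instant it reads or writes, so that no session is active when HTTP requests are made. The class name and session key are hypothetical.

```php
<?php
// Added example, not Unyson code. Class and session key names are hypothetical.
final class Short_Lived_Flash
{
    private const KEY = 'example_flash_messages';

    /** Queue a message: open the session, write, close it again at once. */
    public static function add(string $type, string $text): bool
    {
        if (!self::open()) {
            return false;
        }
        $_SESSION[self::KEY][] = ['type' => $type, 'text' => $text];
        return session_write_close(); // saves the data and releases the session lock
    }

    /** Return queued messages and delete them, leaving no session open. */
    public static function take(): array
    {
        if (!self::open()) {
            return [];
        }
        $messages = $_SESSION[self::KEY] ?? [];
        unset($_SESSION[self::KEY]);
        session_write_close();
        return $messages;
    }

    /** Read-only look: 'read_and_close' loads $_SESSION and closes immediately. */
    public static function peek(): array
    {
        if (session_status() !== PHP_SESSION_ACTIVE && !headers_sent()) {
            session_start(['read_and_close' => true]);
        }
        return $_SESSION[self::KEY] ?? [];
    }

    private static function open(): bool
    {
        // Reuse an open session; give up once output has started (session_start() would fail).
        return session_status() === PHP_SESSION_ACTIVE
            || (!headers_sent() && session_start());
    }
}
// Constructed sample run (nothing is printed before the last session_start()).
Short_Lived_Flash::add('info', 'Settings saved');
$closed_after_add = session_status() === PHP_SESSION_NONE;
$messages = Short_Lived_Flash::take();
var_dump($closed_after_add, session_status() === PHP_SESSION_NONE, $messages);
```

Changes made to `$_SESSION` after `peek()` are not saved, because `read_and_close` has already closed the session; writes have to go through `add()` or `take()`.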

@EddiebNZ

EddiebNZ commented Feb 21, 2021

It's February 2021 and still no fix.

@jascha030

We are still experiencing this issue.
Any activity still going on here? And if not, is there a possibility to implement a fix and make a pull request ourselves?

@wholthof

wholthof commented Mar 5, 2021 via email

@corzel

corzel commented Mar 5, 2021 via email

@EddiebNZ

EddiebNZ commented Mar 6, 2021

> This is the new (official) fix: Click here <da578e7>. On Fri, Mar 5, 2021 at 11:05, wholthof ([email protected]) wrote:

Thank you, though I believe that has an error in it at line 260 where there is an unrequired } in the code between the Session_Start and the session_start(['read_and_close' => true,]);

```php
session_start();
} /** This shouldn't be here
/**
* PHP sessions created with session_start() function may cause issues with REST API and loopback requests due to cURL error 28.
* @internal
*/
session_start(['read_and_close' => true,]);
}
}
```

@wholthof

wholthof commented Mar 6, 2021 via email

@wholthof

wholthof commented Mar 6, 2021

The official fix is not working for me. Can't start the website.
I go back to my solution that solves the problem

in lines 227 and 259 in this file: wp-content/plugins/unyson/framework/includes/hooks.php
229: session_start();
230: }
231: session_write_close();
232: }

@EddiebNZ

EddiebNZ commented Mar 7, 2021

See my comment above, the official fix has an extra } that shouldn't be in there, if you remove that the fix works, but it doesn't stop the PHP sessions error being listed in the Site Health screen.

> The official fix is not working for me. Can't start the website.
> I go back to my solution that solves the problem
>
> in lines 227 and 259 in this file: wp-content/plugins/unyson/framework/includes/hooks.php
> 229: session_start();
> 230: }
> 231: session_write_close();
> 232: }

@apatsidis123

If it is an official fix, why do they not deploy an official update so we can update it like all other WordPress plugins, so we are sure that it works for everyone?

@wholthof

wholthof commented Mar 8, 2021

I agree with that. This is surely not an official solution but tinkering, with the best of intentions of course.

@wholthof

wholthof commented Mar 8, 2021 via email

@apatsidis123

For me it is indeed no longer showing the notification, but I got 50 errors in the console of Chrome's developer tools, so I returned to the official official!!!

@wholthof

wholthof commented Mar 10, 2021 via email

@EddiebNZ

I've now moved off my Unyson based theme (Woffice) and all the issues I was having with my site have gone away. Whether it was Unyson or the Theme I don't know but I don't think I'll be going back.

@wholthof

Unyson STILL has to deliver a properly working patch, but my workaround also solves the problem. So I think it could also be down to your theme that you keep having problems. Surely it is not normal that we hear nothing from Unyson!!!!

@jascha030

> Unyson STILL has to deliver a properly working patch, but my workaround also solves the problem. So I think it could also be down to your theme that you keep having problems. Surely it is not normal that we hear nothing from Unyson!!!!

I'm responding in English out of courtesy towards others,
From hearsay I've understood that active development of Unyson has probably stopped. It was part of ThemeFuse, which they have stated is now deprecated. I'm not too invested, this question was not one that came from myself, and I did no research whatsoever on the situation.

I can see their frustration caused by breaking WordPress updates as a good reason to stop active development. In my opinion they can't really be held accountable for the deprecation.
What I do think they should be held accountable for, however, is the lack of a clear statement in the READMEs of their ThemeFuse repos.

I think they're smudging their own name by leaving people hung out to dry like this...

From what I've seen, my suggestion would be to contact them through their support for their current project: https://support.brizy.io.

That being said, I wouldn't expect too much out of their response and would start thinking about abandoning it altogether. Trying to maintain a deprecated framework is asking for issues in the long term (especially when PHP 8 is moving towards being the new standard).
Also, WordPress + old plugins/themes is an open invitation to hackers.

It sucks but it's also the nature of software...

Hope this has been somewhat helpful information to anyone in this thread, if not for fixing it, maybe just for managing expectations. Good luck!

@omniacode

omniacode commented Apr 23, 2021

> My workaround is to add the code below in themes/xxxx/functions.php:
>
> ```php
> if (!function_exists('_disable_fw_use_sessions')) {
>     add_filter('fw_use_sessions', '_disable_fw_use_sessions');
>
>     // Tell Unyson not to use PHP sessions at all.
>     function _disable_fw_use_sessions() {
>         return false;
>     }
> }
> ```
>
> AGAIN THE URGENT REQUEST THAT UNYSON RELEASES AN UPDATE ASAP !!!!!!!

Just inherited a site that is using Unyson and can confirm that it is the cause for this error, and the above workaround from @wholthof does in fact "fix" it. Bringing this to the client's attention in hopes that we can get them out of the theme they are using and this awful plugin. Gotta love when developers just decide to up and quit a project and leave everyone out to dry. Just horrible.

@jakubkasparek

> This is the new (official) fix: Click here <da578e7>. On Fri, Mar 5, 2021 at 11:05, wholthof ([email protected]) wrote:

Thanks, these changes help.
