TracyDebugger session challenge conflict

[psy]

Hi @adrian

Love TD and can't do without it. Unfortunately I found a conflict with a module I'm developing.

The module calls on a library that uses  a particular class type for a challenge. My module is frontend only, autload="template!=admin" and the FE works with TD using the native PHP $_SESSION. I had http errors using PW's $session.

However, when I go to the admin, PW crashes spectacularly with:

Disabling TD (putting a dot before the module name) is the only solution to access the admin area, but creates other problems. TD is still installed but inaccessible.

Have tried namespacing the $session var, ie

$session->setFor("myspace", "challenge", "my data")

but it makes no difference. Turning off $config->debug resulted is a slightly less alarming Error 500.

Any ideas on how to fix? Or maybe this is a question for @ryan as it's the admin core that spitting the error?

 

 

[adrian]

Hi @psy - I don't think this is a Tracy issue. It seems like there is an unserialize call somewhere - can you see one in Tracy's callstack? Maybe you can post the entire HTML of it?

Is your module trying to integrate: https://github.com/lbuchs/WebAuthn ?

There are lots of results on Google about this error: https://www.google.com/search?q="the+script+tried+to+call+a+method+on+an+incomplete+object.+Please+ensure+that+the+class+definition"&oq="the+script+tried+to+call+a+method+on+an+incomplete+object.+Please+ensure+that+the+class+definition"&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQLhhA0gEJMTM1NjlqMGoxqAIAsAIA&sourceid=chrome&ie=UTF-8 but kinda hard to figure out the cause in this case without seeing the rest of Tracy's stack trace.

[psy]

Hi @adrian and thank you for the prompt reply. I agree, it's not Tracy. Tracy is simply reporting the problem.

Yes, I'm trying to integrate the https://github.com/lbuchs/WebAuthn. It obviously needs a lot of custom code to 'ProcessWire' it. The 'challenge' is proving to be the challenge - pun intended!

I'd also googled the incomplete object problem and could find nothing specific to ByteBuffer.

Touch wood, I've not encountered the admin issue with the session ByteBuffer today. Other issues for sure. There's a lot of conversation between the server and browser that has to be 100% to get the certificate created.

The weirdest thing is that the first time the session byte buffer is accessed, it's reported correctly. Subsequent bd()'s show that it's corrupted. The front end page submits to an api (page) that has a switch statement based on the page urlSegment 1 (route).

The demo site at https://webauthn.lubu.ch/_test/client.html doesn't have these issues and it's all based on sessions, get variables, html & js being processed by PHP.

🤷‍♀️ and not a question for you unless you have any ideas on what's going on.

 

[adrian]

Sorry, I don't have any ideas why the challenge is getting corrupted like that but there is something in the back of my brain saying it's seen something similar before - if I remember, I'll let you know.

On a side note, have you seen this WebAuthn module: https://processwire.com/modules/tfa-web-authn/

 

[psy]

  On 3/13/2025 at 4:06 PM, adrian said:

On a side note, have you seen this WebAuthn module: https://processwire.com/modules/tfa-web-authn/

Expand  

Oh man, why didn't that show up in all my searches 🤦‍♀️ Will definitely investigate.

I'm well down the path with lubuch now - may still have to scratch it - and have solved the issue with sessions simply by bypassing them during the registration process. It may come back to bite me later.

Please do let me know if you recall the issue with corrupted sessions.

Thanks again 🙂