TracyDebugger session challenge conflict

[psy]

Hi @adrian

Love TD and can't do without it. Unfortunately I found a conflict with a module I'm developing.

The module calls on a library that uses  a particular class type for a challenge. My module is frontend only, autload="template!=admin" and the FE works with TD using the native PHP $_SESSION. I had http errors using PW's $session.

However, when I go to the admin, PW crashes spectacularly with:

Disabling TD (putting a dot before the module name) is the only solution to access the admin area, but creates other problems. TD is still installed but inaccessible.

Have tried namespacing the $session var, ie

$session->setFor("myspace", "challenge", "my data")

but it makes no difference. Turning off $config->debug resulted is a slightly less alarming Error 500.

Any ideas on how to fix? Or maybe this is a question for @ryan as it's the admin core that spitting the error?

 

 

[adrian]

Hi @psy - I don't think this is a Tracy issue. It seems like there is an unserialize call somewhere - can you see one in Tracy's callstack? Maybe you can post the entire HTML of it?

Is your module trying to integrate: https://github.com/lbuchs/WebAuthn ?

There are lots of results on Google about this error: https://www.google.com/search?q="the+script+tried+to+call+a+method+on+an+incomplete+object.+Please+ensure+that+the+class+definition"&oq="the+script+tried+to+call+a+method+on+an+incomplete+object.+Please+ensure+that+the+class+definition"&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQLhhA0gEJMTM1NjlqMGoxqAIAsAIA&sourceid=chrome&ie=UTF-8 but kinda hard to figure out the cause in this case without seeing the rest of Tracy's stack trace.

[psy]

Hi @adrian and thank you for the prompt reply. I agree, it's not Tracy. Tracy is simply reporting the problem.

Yes, I'm trying to integrate the https://github.com/lbuchs/WebAuthn. It obviously needs a lot of custom code to 'ProcessWire' it. The 'challenge' is proving to be the challenge - pun intended!

I'd also googled the incomplete object problem and could find nothing specific to ByteBuffer.

Touch wood, I've not encountered the admin issue with the session ByteBuffer today. Other issues for sure. There's a lot of conversation between the server and browser that has to be 100% to get the certificate created.

The weirdest thing is that the first time the session byte buffer is accessed, it's reported correctly. Subsequent bd()'s show that it's corrupted. The front end page submits to an api (page) that has a switch statement based on the page urlSegment 1 (route).

(image deleted)

The demo site at https://webauthn.lubu.ch/_test/client.html doesn't have these issues and it's all based on sessions, get variables, html & js being processed by PHP.

🤷‍♀️ and not a question for you unless you have any ideas on what's going on.

[adrian]

Sorry, I don't have any ideas why the challenge is getting corrupted like that but there is something in the back of my brain saying it's seen something similar before - if I remember, I'll let you know.

On a side note, have you seen this WebAuthn module: https://processwire.com/modules/tfa-web-authn/

 

[psy]

  On 3/13/2025 at 4:06 PM, adrian said:

On a side note, have you seen this WebAuthn module: https://processwire.com/modules/tfa-web-authn/

Expand  

Oh man, why didn't that show up in all my searches 🤦‍♀️ Will definitely investigate.

I'm well down the path with lubuch now - may still have to scratch it - and have solved the issue with sessions simply by bypassing them during the registration process. It may come back to bite me later.

Please do let me know if you recall the issue with corrupted sessions.

Thanks again 🙂 

[psy]

Adam Blunt's https://processwire.com/modules/tfa-web-authn/ is amazing! My hat goes off to him for getting it to work. Sadly, his use of the lubuch library and the fact that he changed some of the core library code to work with PW, caused me to scratch it due to conflicts.

Anyhoo, have moved on and getting closer to a front-end user passkey login without the lubuch code and no more corrupted sessions.

One thing I'd like to know is how to use Tracy on the front end (guest or superuser) with https requests? Whenever I have TD enabled on the frontend as a guest, the request fails as it includes the Tracy FE javascript. Is this a TD configuration thing?

 

 

 

[adrian]

Hi @psy - maybe I am not understanding exactly the issue. I have Tracy enabled on the frontend for superusers in development mode (with debug bar etc) and in production mode (allowing logging and reporting of errors via email/slack) for guest users. I don't think there should be any Tracy JS on the FE for guest users in production mode.

Are you trying enable development mode for guest users? If so, then what you probably want it to just enable "Guest Dumps" - the button on the Selector panel. The other tool that might come in handy is the RequestLogger, but then again, I am not certain what you're actually doing - can you provide some code and context?

[psy]

Hi @adrian thanks again for your guidance and patience. It was a configuration issue. Tracy has so many options it can be difficult to know what works.

I mistakenly only had Tracy enabled for the Frontend so your instructions didn't make sense at first. Achieved what I need by:

1. Enabling Tracy for the backend on a browser window in which I was logged in as 'admin'
2. From that browser window, enabling 'Guest dumps'
3. Loading the PW page as a guest in an incognito window and submitting the https request
4. Reverting to the Tracy browser window, refreshing it and viewing the Guest dumps

May seem obvious to those who know. 🤦‍♀️

 

 

[adrian]

Honestly probably not that obvious so no worries at all.