https and sessions causes multiple session files in /tmp

mlampard
Forum Newbie
Posts: 2
Joined: Sun Apr 18, 2004 5:50 pm


Post by mlampard »

I have very strange behaviour with sessions and https on a Redhat enterprise server (kernel 2.4.21-9.0.1.ELsmp), running apache 2.0.48 and PHP 4.3.6RC1 and openssl 0.9.7c....

I pared this down and created 3 scripts as follows:
TEST1.PHP
<?php
session_name('testsess');
session_start();
$_SESSION['test_var1'] = "hello, this is test var 1";
print_r ($_SESSION);
print "<br><a href=\"test2.php\">Go to next script...</a>";
?>
--------------------------------

TEST2.PHP
<?php
session_name('testsess');
session_start();
$_SESSION['test_var2'] = "hello, this is test var 2";
print_r ($_SESSION);
print "<br><a href=\"test3.php\">Go to final script...</a>";
?>
--------------------------------

TEST3.PHP
<?php
session_name('testsess');
session_start();
print_r ($_SESSION);
?>
--------------------------------

The output of the final script is sometimes: "Array ( )"
and sometimes: Array ( [test_var1] => hello, this is test var 1 [test_var2] => hello, this is test var 2 )
and sometimes: Array ( [test_var2] => hello, this is test var 2 )

It usually (but not every time) creates 2 session files in /tmp, one containing the info from test_var1 and one containing the info from test_var2.

There is no consistency or rhyme/reason as to when it will display what! I have tried adding session_destroy() in the first script and it does nothing! It works consistently on a non-ssl port (port 80), but only if I remove the session_name('testsess') line! Removing that line on the secure side makes no difference! The scripts work flawlessly on a secure port on a 4.3.6 PHP install on a RedHat 9 build. I have tried 4.3.5RC1 on the Redhat enterprise server and have the same problem. So, it seems like it's specific to that machine/build!

The session vars in php.ini are as follows:
session.auto_start Off
session.bug_compat_42 On
session.bug_compat_warn On
session.cache_expire 180
session.cache_limiter nocache
session.cookie_domain no value
session.cookie_lifetime 0
session.cookie_path /
session.cookie_secure Off
session.entropy_file no value
session.entropy_length 0
session.gc_divisor 100
session.gc_maxlifetime 1440
session.gc_probability 1
session.name PHPSESSID
session.referer_check no value
session.save_handler files
session.save_path /tmp
session.serialize_handler php
session.use_cookies On
session.use_only_cookies Off
session.use_trans_sid Off

Anyone got any clues?
Thanks,
Marty
Lord Sauron
Forum Commoner
Posts: 85
Joined: Tue Apr 20, 2004 5:53 am
Location: Tilburg, NL

Post by Lord Sauron »

Yep, this is because Internet Explorer keeps the array contents of one of the first scripts in its memory. If you closed your browser between testing e.g. script 2 and 3, the output of script 3 would always be Array().

May I ask why you are using session names? And even when you do, why you are using the same session name for every script?
mlampard
Forum Newbie
Posts: 2
Joined: Sun Apr 18, 2004 5:50 pm

No, this is not the case..

Post by mlampard »

Actually it turned out the time was set incorrectly on the server and it causes havoc with PHP session management!

Using session names is good programming practice, IMHO, as it defines which session the cookie should belong to and allows multiple sessions to run off the same server/virtualhost without interference or chance of accidental variable overwrite. If I had used different session names in the example scripts above, then they would NOT work at all (unless I had left the session name at default).

Thanks for the response.
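A diagnostic for the symptom discussed in this thread, as an added example that is not code from any poster: it records, per request, whether the browser returned the session cookie and how the session file's timestamp compares with the server clock. The function name session_diag, the log format, a flat save path (like the posted /tmp setting) and PHP 7 or later are assumptions.

```php
<?php
// Added diagnostic, not code from the thread. Call session_diag() at the top of
// test1.php, test2.php and test3.php in place of session_name()/session_start().
function session_diag(string $name = 'testsess'): array
{
    session_name($name);
    $sentId = $_COOKIE[$name] ?? null;       // ID the browser sent back, if any
    session_start();
    $id = session_id();

    // Assumes a flat save path such as /tmp (no "N;/path" directory levels).
    $dir  = session_save_path() ?: sys_get_temp_dir();
    $file = rtrim($dir, '/') . '/sess_' . $id;
    clearstatcache();
    $mtime = is_file($file) ? filemtime($file) : null;
    $now   = time();
    $age   = $mtime === null ? null : $now - $mtime;

    $flags = [];
    if ($sentId === null) {
        $flags[] = 'no session cookie received: a new session file was created';
    } elseif ($sentId !== $id) {
        $flags[] = 'cookie ID not accepted: PHP issued a different ID';
    }
    if ($age !== null && $age < 0) {
        $flags[] = 'session file mtime is in the future: clock skew on the server';
    }
    if ($age !== null && $age > (int) ini_get('session.gc_maxlifetime')) {
        $flags[] = 'file older than session.gc_maxlifetime: eligible for garbage collection';
    }
    $cookie = session_get_cookie_params();
    if ($cookie['lifetime'] > 0) {
        // A non-zero lifetime is sent as an absolute Expires date built from the server clock.
        $flags[] = 'cookie expires ' . gmdate('c', $now + $cookie['lifetime']) . ' by server clock';
    }

    $report = [
        'script'     => basename($_SERVER['SCRIPT_NAME'] ?? 'cli'),
        'https'      => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'sid_digest' => substr(hash('sha256', $id), 0, 12),  // never log the raw session ID
        'server_utc' => gmdate('c', $now),
        'file_age_s' => $age,
        'flags'      => $flags,
    ];
    error_log('session_diag ' . json_encode($report));
    return $report;
}
```

Comparing the `sid_digest` and `flags` values logged across the three requests shows whether a second file in the save path came from a missing cookie or from a timestamp problem.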