Problems with SESSIONS, help needed, about to kill!


chrys
Forum Contributor
Posts: 118
Joined: Tue Oct 04, 2005 9:41 am
Location: West Roxbury, MA (Boston)

Problems with SESSIONS, help needed, about to kill!

Post by chrys »

This is bizarre.

I created an application for my company that is actively used every day.

There is a problem that occurs that we have labeled "getting locked out".

The scenario is: Their session times out, so they are brought to the log in screen again.

Now, when they log in again, they log in fine. But, once they either reload the page they are on, or click to another section of the app, they are brought back to the login page.

It's as if there is a problem accessing or setting the new session cookie after it times out. I'm not sure how to approach this.

For now, I am going to ini_set the session timeout to 10 hours so that they shouldn't have problems during the day.

If anyone has any ideas about this, please post!

Thank you so much.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

are you forcing a session id recreation? Does your garbage collector run too often, not often enough?
chrys
Forum Contributor
Posts: 118
Joined: Tue Oct 04, 2005 9:41 am
Location: West Roxbury, MA (Boston)

Post by chrys »

feyd wrote: are you forcing a session id recreation? Does your garbage collector run too often, not often enough?
Checking my PHP ini now...

[Session]
; Handler used to store/retrieve data.
session.save_handler = files

session.save_path = /tmp

; Whether to use cookies.
session.use_cookies = 1

; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 0.
; session.use_only_cookies = 1

; Name of the session (used as cookie name).
session.name = PHPSESSID

; Initialize session on request startup.
session.auto_start = 0

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0

; The path for which the cookie is valid.
session.cookie_path = /

; The domain for which the cookie is valid.
session.cookie_domain =

; Handler used to serialize data.  php is the standard serializer of PHP.
session.serialize_handler = php

; Define the probability that the 'garbage collection' process is started
; on every session initialization.
; The probability is calculated by using gc_probability/gc_divisor,
; e.g. 1/100 means there is a 1% chance that the GC process starts
; on each request.

session.gc_probability = 1
session.gc_divisor     = 100

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440

session.bug_compat_42 = 1
session.bug_compat_warn = 1

; Check HTTP Referer to invalidate externally stored URLs containing ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
session.referer_check =

; How many bytes to read from the file.
session.entropy_length = 0

; Specified here to create the session id.
session.entropy_file =

;session.entropy_length = 16

;session.entropy_file = /dev/urandom

; Set to {nocache,private,public,} to determine HTTP caching aspects
; or leave this empty to avoid sending anti-caching headers.
session.cache_limiter = nocache

; Document expires after n minutes.
session.cache_expire = 180

; trans sid support is disabled by default.
; Use of trans sid may risk your users security.
; Use this option with caution.
; - User may send URL contains active session ID
;   to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
;   in publically accessible computer.
; - User may access your site with the same session ID
;   always using URL stored in browser's history or bookmarks.
session.use_trans_sid = 0
chrys
Forum Contributor
Posts: 118
Joined: Tue Oct 04, 2005 9:41 am
Location: West Roxbury, MA (Boston)

Post by chrys »

Basically, I'm not sure if the problem is with the server side files related to sessions, or the cookies stored on their computer.. any idea?
chrys
Forum Contributor
Posts: 118
Joined: Tue Oct 04, 2005 9:41 am
Location: West Roxbury, MA (Boston)

Post by chrys »

I still really need help with this... Anyone?
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

The problem suggests to me that there may be a problem with reading/writing the session data files. Have a look in the server's /tmp directory; you'll be able to confirm if the session files are being created, and you can also confirm that the files are not being corrupted during creation. Another possibility is that the /tmp directory is full.

I'm sure it could be a host of things, but I'd start there.
chrys
Forum Contributor
Posts: 118
Joined: Tue Oct 04, 2005 9:41 am
Location: West Roxbury, MA (Boston)

Post by chrys »

redmonkey wrote: The problem suggests to me that there may be a problem with reading/writing the session data files. Have a look in the server's /tmp directory; you'll be able to confirm if the session files are being created, and you can also confirm that the files are not being corrupted during creation. Another possibility is that the /tmp directory is full.

I'm sure it could be a host of things, but I'd start there.
Thank you.

I am looking in the /tmp/ directory, and all the sessions are there. The problem (allow me to reiterate) is that a user will come back to their desk or something after lunch and be logged out (even though I set the lifetime to 10 hours), and then when they try to log back in, they can't get further than one page without being logged out again.

I debugged by going to one of their afflicted computers and outputting session variables to the screen. Here's what happened: when they logged in, they were sent to their home page, and the session vars were all correct. username and user_id are used to show that a user is logged in, and they were both there. When they click on a link to move to another part of the application, they are logged out... which means between the time that the page is loaded and the time they click a link, there is some corruption of the session. I am really clueless.
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

Can you open the session file specific to the session ID of your user and ensure that it's not corrupt? The next step I'd say would be to look at the headers being sent by the user's browser to ensure that the session ID is being sent. A simple clearing/deleting of the cookie file might also help.

All things point to the session (for some reason) not being created.

Depending on how your application works (i.e. the login process), in many cases the resulting page after a successful login does not require the session file to actually be written, which would explain why the user can log in but go no further.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Are you checking against a session id? Once the session dies the session id gets set to 1. If you are checking against a session id and that session id is crap, then you will be faced with this problem. I ran into this with a session script I had developed once. I had to check if the session id was set to the cookied value of the session id. If they didn't match, I'd reset the session id, update it in the database then continue with the application.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

chrys wrote:
redmonkey wrote: The problem suggests to me that there may be a problem with reading/writing the session data files. Have a look in the server's /tmp directory; you'll be able to confirm if the session files are being created, and you can also confirm that the files are not being corrupted during creation. Another possibility is that the /tmp directory is full.

I'm sure it could be a host of things, but I'd start there.
Thank you.

I am looking in the /tmp/ directory, and all the sessions are there. The problem (allow me to reiterate) is that a user will come back to their desk or something after lunch and be logged out (even though I set the lifetime to 10 hours), and then when they try to log back in, they can't get further than one page without being logged out again.

I debugged by going to one of their afflicted computers and outputting session variables to the screen. Here's what happened: when they logged in, they were sent to their home page, and the session vars were all correct. username and user_id are used to show that a user is logged in, and they were both there. When they click on a link to move to another part of the application, they are logged out... which means between the time that the page is loaded and the time they click a link, there is some corruption of the session. I am really clueless.
If you solve this let me know because we're having similar issues with an 8 hour timeout on sessions... it seems a little sporadic however, but certainly a problem that we can't see the source of :?

EDIT | We're using a database to store sessions so our situation is a little different I guess.
chrys
Forum Contributor
Posts: 118
Joined: Tue Oct 04, 2005 9:41 am
Location: West Roxbury, MA (Boston)

Post by chrys »

redmonkey wrote: Can you open the session file specific to the session ID of your user and ensure that it's not corrupt?
I haven't tried this yet, but I will next time that they get "locked out".
The next step I'd say would be to look at the headers being sent by the user's browser to ensure that the session ID is being sent.
How do I check what headers a browser is sending?
A simple clearing/deleting of the cookie file might also help.
This is the current solution to the bug, which to my boss is unacceptable, so I am doomed to fix it :)
All things point to the session (for some reason) not being created.
True. My question now is: Why does the session seem to expire when it's supposed to last 10 hours? When I check their cookies, the cookie still exists. I will of course be checking the session file the next chance I get.
Depending on how your application works (i.e. the login process), in many cases the resulting page after a successful login does not require the session file to actually be written, which would explain why the user can log in but go no further.
Thank you, this is useful information. Here is the login process:

When they log in, I take their credentials and compare them in the database. If everything matches up, two variables are assigned like this:

$_SESSION['username'] = $row->username;
$_SESSION['user_id'] = $row->id;
I do a session_start() at the beginning of every page, of course.

And this is how I check if someone is logged in:

function isLoggedIn()
{
    // returns 1 when both login markers hold non-empty values in the session
    if ($_SESSION['username'] && $_SESSION['user_id'])
        return 1;

    return 0;
}
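The login flow and check above, reworked as an added example (not chrys's code or anything from the forum) to cover the failure modes raised in this thread: the old session id is discarded on login, the data is flushed to disk before the redirect (redmonkey's point about the post-login page not writing the file), the check uses isset(), and a diagnostic function reports whether the cookie the browser sent matches the id PHP is using and whether that id's file still exists. It assumes the files save handler with /tmp as save path and a $row object from the credential lookup, as in the original post.

```php
<?php
// Added example, not from the thread. Assumes session.save_handler = files
// and $row from the credential lookup (as in chrys's login code).
session_start(); // must run before any output on every page, login included

function loginUser($row)
{
    // Issue a fresh id and delete the old file: the browser's stale cookie
    // otherwise keeps pointing at a session that may already be gone.
    session_regenerate_id(true);
    $_SESSION['username']     = $row->username;
    $_SESSION['user_id']      = (int) $row->id;
    $_SESSION['is_logged_in'] = true;
    // Flush to disk now rather than at script shutdown, so the data is on
    // disk before the redirect to the home page.
    session_write_close();
}

function isLoggedIn()
{
    // isset() avoids an E_NOTICE when the keys are absent after a timeout.
    return isset($_SESSION['is_logged_in'], $_SESSION['user_id'])
        && $_SESSION['is_logged_in'] === true
        && $_SESSION['user_id'] > 0;
}

// Diagnostic to run on a "locked out" workstation: does the cookie the
// browser sent match the id PHP is using, and does its file still exist?
function sessionDiagnostics()
{
    $name = session_name();
    $sent = isset($_COOKIE[$name]) ? $_COOKIE[$name] : '(no cookie sent)';
    $dir  = session_save_path();
    $file = rtrim($dir === '' ? '/tmp' : $dir, '/') . '/sess_' . session_id();
    $here = file_exists($file);
    return array(
        'cookie_id'      => $sent,
        'php_id'         => session_id(),
        'ids_match'      => $sent === session_id(),
        'file_exists'    => $here,
        'file_age_sec'   => $here ? time() - filemtime($file) : null,
        // Note: ini_set('session.gc_maxlifetime', ...) in this app does not
        // stop another PHP app sharing /tmp at the default 1440 seconds from
        // deleting these files when its own GC runs; a private save_path does.
        'gc_maxlifetime' => ini_get('session.gc_maxlifetime'),
    );
}
```

Call sessionDiagnostics() from a throwaway page on an affected machine right after the "locked out" login: ids_match false with a cookie present means PHP issued a new id because it did not accept the sent one, and file_exists false means the file was removed, most often by garbage collection.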
chrys
Forum Contributor
Posts: 118
Joined: Tue Oct 04, 2005 9:41 am
Location: West Roxbury, MA (Boston)

Post by chrys »

Everah wrote: Are you checking against a session id? Once the session dies the session id gets set to 1. If you are checking against a session id and that session id is crap, then you will be faced with this problem. I ran into this with a session script I had developed once. I had to check if the session id was set to the cookied value of the session id. If they didn't match, I'd reset the session id, update it in the database then continue with the application.
Hmm I'm not quite sure what you mean. I don't check the actual PHPSESSID, only variables that I've personally set in the session. I notice that a lot of sites include the session id in the GET variables, but I never do this, could this be related to my problems?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

If you are not checking session id values then you might want to consider checking some other session value for a) being set and b) set to a certain value. When I use PHP sessions (I am leaning more heavily toward DB based sessions right now) I usually set a session value like $_SESSION['is_logged_in'] = TRUE upon successful login. Then on each page load I check for that session var value:

<?php
if (isset($_SESSION['is_logged_in']) && $_SESSION['is_logged_in'] == TRUE)
{
    // Session exists, is logged and matches
}
else
{
    // Session data not found or not set, log them out
}
?>
I know it seems a bit archaic, but I have had some pretty successful results with this process.
chrys
Forum Contributor
Posts: 118
Joined: Tue Oct 04, 2005 9:41 am
Location: West Roxbury, MA (Boston)

Post by chrys »

Everah wrote: If you are not checking session id values then you might want to consider checking some other session value for a) being set and b) set to a certain value. When I use PHP sessions (I am leaning more heavily toward DB based sessions right now) I usually set a session value like $_SESSION['is_logged_in'] = TRUE upon successful login. Then on each page load I check for that session var value:

<?php
if (isset($_SESSION['is_logged_in']) && $_SESSION['is_logged_in'] == TRUE)
{
    // Session exists, is logged and matches
}
else
{
    // Session data not found or not set, log them out
}
?>
I know it seems a bit archaic, but I have had some pretty successful results with this process.
Well if you scroll up you'll see my isLoggedIn function, the only difference is I don't use isset(), but I just check for the value not being 0 or null. Would you deem that acceptable?
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

I use an isset method mainly as it will run and won't issue any notice level warnings if the var doesn't exist; however, that's a completely different box of frogs than what we are dealing with.

There are some third party applications around for inspecting packets and headers being set. Which operating system are your users (or you able to debug on) running?

The most well known is ethereal but that is probably overkill for your needs.

Presumably there's a Firefox extension that allows you to see headers being sent as well as received?