SOS: Internet Explorer issue with duplicate PHP Session ids

on3lonestar
Forum Newbie
Posts: 3
Joined: Mon May 19, 2008 3:09 pm

SOS: Internet Explorer issue with duplicate PHP Session ids

Post by on3lonestar »

Hello, I have searched heavily for the answer to this issue, but haven't found anything useful.

I have a site with a logout.php script like this:

<?php
session_start();
session_unset();   // enough for FF
session_destroy(); // IE needs both unset and destroy


and the login.php script is more complicated:

<?php
/***** Multi-step PHP session fixation fix *****/

session_start();

// We unset+destroy all session vars and start over (log out, basically)

session_unset();   // enough for FF
session_destroy(); // IE needs both unset and destroy
session_start();

// Generate a new PHPSESSID to shrink the session hijack possibility
// (capture/prediction from fixation).

session_regenerate_id();


The problem is that, very consistently (once every 4-5 attempts), when I click on logout and try to log in again, IE ends up having 2 PHPSESSIDs in the cookie. HTTP request header:

POST /login.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.test.com/loginonly
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: http://www.test.com
Content-Length: 68
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: __utma=261786520.302897073.1197649982.1211188880.1211192879.157; __utmz=261786520.1197649982.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=ohgecedjtb3og9ijkcvrvtmd20; __utmc=261786520; __utmb=261786520; PHPSESSID=8mftgsbi7pp91vo4gsmctsrma3

The 1st (from left) PHPSESSID is the old session id, which should have been cleared on logout, while the 2nd on the right is the new session id regenerated on login. Unfortunately, PHP doesn't look at the 2nd one at all, and considers the 1st one "logged out" or "doesn't exist". The user essentially stays logged out. The only way to log in at that point is to close and reopen the browser.

Please let me know how I can resolve this issue. I have tried too many things, and it just isn't helping.

I found just one post on the Internet with a similar/same issue: http://drupal.org/node/87372#comment-453823 but there was no reply to it.

Thanks in advance,
Vinay.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: SOS: Internet Explorer issue with duplicate PHP Session ids

Post by Christopher »

For IE you should probably try session_cache_limiter('must-revalidate');. Check the manual for more information on session_cache_limiter() and read the notes.
on3lonestar
Forum Newbie
Posts: 3
Joined: Mon May 19, 2008 3:09 pm

Re: SOS: Internet Explorer issue with duplicate PHP Session ids

Post by on3lonestar »

I looked it up, and I found that with the current PHP settings, the server is already sending a "must-revalidate" control to the browser:

GET /logout HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://test.com/live
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: test.com
Connection: Keep-Alive
Cookie: __utma=261786520.302897073.1197649982.1211269686.1211270253.164; __utmz=261786520.1197649982.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=261786520; __utmc=261786520; PHPSESSID=lhfdthhrmin9bqkd8v24et9j15


HTTP/1.1 302 Found
Date: Tue, 20 May 2008 08:34:06 GMT
Server: Apache/2.0.61 (Unix) PHP/4.4.7 mod_ssl/2.0.61 OpenSSL/0.9.7e mod_fastcgi/2.4.2 DAV/2 SVN/1.4.2
Content-Location: logout.php
Vary: negotiate,Accept-Encoding
TCN: choice
X-Powered-By: PHP/5.2.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

Content-Encoding: gzip
location: live
Content-Length: 26
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html


GET /live HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://test.com/live
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: test.com
Connection: Keep-Alive
Cookie: __utma=261786520.302897073.1197649982.1211269686.1211270253.164; __utmz=261786520.1197649982.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=261786520; __utmc=261786520; PHPSESSID=lhfdthhrmin9bqkd8v24et9j15

Also, is it necessary to do a setcookie("PHPSESSID", "", time()-3600, "/"); during logout to specifically clear that session id?

Someone please help. I have spent several days trying to figure out how to fix this issue.
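A logout/login pair that also expires the session cookie, as an added example (not the poster's code or any reply in this thread), following the pattern in the PHP manual's session_destroy() documentation: session_destroy() removes the server-side data but never touches the browser cookie, and a cookie can only be expired by a Set-Cookie carrying the same name, path and domain it was created with, since one that differs in either attribute creates a second PHPSESSID beside the old one instead of replacing it. Written to stay compatible with the PHP 5.2 shown in the poster's headers; the function names are my own.

```php
<?php
// Added example: logout that clears both the server-side session and the
// PHPSESSID cookie, and a login step that rotates the id (anti-fixation).
// Assumes PHP's default cookie-based session handling.

function logout_session()
{
    session_start();
    $_SESSION = array();           // drop every session variable

    // Expire the cookie with the SAME path/domain/secure/httponly values it
    // was issued with; otherwise the browser keeps the old cookie and simply
    // stores a second one, which is the duplicate-PHPSESSID symptom above.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy();             // remove the server-side session data
}

function login_session($username)
{
    session_start();

    // Issue a fresh id and delete the old session file (true), so an id an
    // attacker may have planted before authentication never becomes a
    // logged-in session. The new id is sent with the same cookie params,
    // so it replaces the current cookie rather than sitting next to it.
    session_regenerate_id(true);

    $_SESSION['user']      = $username;
    $_SESSION['auth_time'] = time();
}
```

After logout, redirect the browser; the Set-Cookie from logout_session() and the one from the next login_session() then target the same cookie, so the request carries a single PHPSESSID.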
on3lonestar
Forum Newbie
Posts: 3
Joined: Mon May 19, 2008 3:09 pm

Re: SOS: Internet Explorer issue with duplicate PHP Session ids

Post by on3lonestar »

Anyone?
temidayo
Forum Contributor
Posts: 109
Joined: Fri May 23, 2008 6:17 am
Location: Nigeria

Re: SOS: Internet Explorer issue with duplicate PHP Session ids

Post by temidayo »

@on3lonestar

I just PMed you.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: SOS: Internet Explorer issue with duplicate PHP Session ids

Post by onion2k »

temidayo wrote: @on3lonestar

I just PMed you.

If you have something to add, how about sharing it with the entire community?