Are empty $_SESSIONs possible?

Posted: Sat Dec 10, 2005 5:00 am
by pascalpensa
dear all,

i'm currently conducting an online survey and had a problem with empty $_SESSION variables.

the survey in question would be this: Forecasting Survey

all data that is not generated through user interaction, eg. selecting options, is stored in session variables and passed back to the script before saving to a text/csv file.

the second day into the study, one clever guy "stress-tested" the script and played roughly 50 consecutive rounds with round times of less than 4 seconds (between page display and submission) in some cases.

after this "incident", the script started to generate empty values as other people started to play at the same time (3 times). namely the data that is stored in session variables. everything else, eg. the $_POST variables worked fine. since then, as people interacted "normally" with the script, nothing similar happened.

my questions are the following:

- what could've caused the empty values? is it because the script "overheated"? are there limitations to session variables when under stress, i.e. multiple sessions at the same time and fast changes in session variables?

and

- are there limitations to using flat files for this? would we be better off using MySQL?

thanks for sharing your thoughts.

-pascal

Re: Are empty $_SESSIONs possible?

Posted: Sat Dec 10, 2005 5:23 am
by onion2k
pascalpensa wrote:
- are there limitations to using flat files for this? would we be better off using MySQL?

Are you flock()ing the files before writing to them? If you're not then I suspect this problem arises from multiple scripts attempting to write to the file at once. If you are then it's something more complicated.

Either way, a database would definitely be a better option.

Re: Are empty $_SESSIONs possible?

Posted: Sat Dec 10, 2005 5:38 am
by pascalpensa
onion2k wrote:
Either way, a database would definitely be a better option.

ok, so i'll skip the flock()-thing (cause it does not look that bomb proof either) entirely and convert to a SQL solution. thanks.

Posted: Sat Dec 10, 2005 11:41 am
by AKA Panama Jack
Well, it would depend upon how you are doing things in your code. It is kind of hard to get a handle on what is happening without something more to go on.

We use session variables on just about all of our sites and don't have any problems and some of them are under very, very heavy usage.

Plus it would be nice to know how much drive space is still left where PHP is storing the session data for each user. If that drive is almost full it could be failing to store the session data and that would return empty session variables. Another problem could be if the user or group permission on the directory where session data is stored is different from the user or group for Apache.

There are a number of reasons something like this could happen and some of them are poorly configured or maintained server installations that have nothing much to do with PHP itself.
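
The checks raised in the posts above (locking the flat file with flock() before writing, and verifying free disk space and permissions on the session directory), as an added example that is not code from any poster in this thread. The function names, the CSV row layout and the 50 MB free-space threshold are assumptions.

```php
<?php
// Added example; function names, CSV layout and the 50 MB threshold are assumptions.
// Append one row to the survey CSV under an exclusive lock so that
// simultaneous requests cannot interleave or clobber each other's writes.
function append_survey_row(string $csvPath, array $row): bool
{
    $fh = fopen($csvPath, 'ab');            // append mode, created if missing
    if ($fh === false) {
        return false;
    }
    try {
        if (!flock($fh, LOCK_EX)) {         // waits for other writers to finish
            return false;
        }
        $ok = fputcsv($fh, $row, ',', '"', '\\') !== false && fflush($fh);
        flock($fh, LOCK_UN);
        return $ok;
    } finally {
        fclose($fh);                        // runs on every return path
    }
}

// List problems with file-based session storage: missing or unwritable directory, low disk space.
function check_session_storage(int $minFreeBytes = 52428800): array
{
    if (ini_get('session.save_handler') !== 'files') {
        return ['session.save_handler is not "files"; checks skipped'];
    }
    // session.save_path may carry an "N;" or "N;MODE;" prefix; keep only the path.
    $dir = (string) substr(strrchr(';' . session_save_path(), ';'), 1);
    if ($dir === '') { $dir = sys_get_temp_dir(); }   // empty setting: system temp dir
    $problems = [];
    if (!is_dir($dir)) {
        return ["session directory $dir does not exist"];
    }
    if (!is_writable($dir)) {
        $problems[] = "session directory $dir is not writable by the user running PHP";
    }
    $free = disk_free_space($dir);
    if ($free !== false && $free < $minFreeBytes) {
        $problems[] = sprintf('only %d bytes free on the session volume', $free);
    }
    return $problems;
}

// Constructed sample row written to a temporary file.
$csv = tempnam(sys_get_temp_dir(), 'survey');
var_dump(append_survey_row($csv, ['constructed-session-id', 3, time()]));
print_r(check_session_storage());
unlink($csv);
```

Run the storage check through the web server rather than the CLI, since the permission result only means something for the user that Apache runs PHP as.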

Posted: Mon Dec 12, 2005 10:31 am
by Maugrim_The_Reaper
Although I like Database stored sessions (I think they offer superior security) they are generally not justified by the file based alternative returning empty SESSION arrays. So the right solution, but for the wrong reasons?

You should take a look at the above posts - I've never encountered a situation where the file based sessions (or an alternative) failed simply from stress tests. It's either a server misconfiguration or a session handler error. Moving to a database may even carry a similar problem (if you're using a custom written session handler with some undiagnosed bug).

Posted: Mon Dec 12, 2005 12:07 pm
by GRemm
Sounds like session corruption.
Make sure that you are not re-using the same session for the form no matter who is editing information and from where. If two users change the same value in the same session at similar times then the last change and only the last change would take effect.

You can store sessions in the db but you still need to solve the concurrent session issues. Are you requiring a login for the users? Are you starting a new session based on some sort of unique return value upon logging in? Do you generate a unique session id for each session? Are your files correctly permissioned? Are you using some sort of API for managing sessions or using PHP's built in functions?

We can only help so much without better information.

Gremm