I've got a fairly major problem whereby session ids are being just randomly reassigned for reasons I can't comprehend. A user will be on the site, has a session ID... I can track them and have been.
As soon as they move over to https, potential for tragedy begins and the server seems to be deciding willy-nilly to hand out new IDs. I've seen a single user in a single browsing session with 3 different session IDs. It doesn't seem to necessarily do it EVERY page but it often does. Now, all the session data is being maintained; if that user goes BACK to regular http, they can regain their old session id and see all their data is still there. I'm totally lost on this now.
I should mention that this affects only a small number of people. And from the statistics I've gathered there is NO connection between them in terms of time of day, browser, platform, IP, or anything else that might make sense.
Sessions / https problem
- feyd
I'd bet the session cookie is switching from secure to unsecure and back. If this is happening, new cookies will get assigned with new IDs. You may want to ensure the cookies are getting set exactly the same throughout. You may need to pass the session ID via URLs when switching between http and https... dunno after that.
Here's the thing about that: session.use_trans_sid is and always has been ON. And I've tried explicitly sending the session ID myself. This works, but the second the user comes across a page on the https side that doesn't have that assigned session id, it invents a new one. It's pretty hard for me to cover all possible ways to navigate these pages, and I don't understand why it would be doing that in the first place!
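
One way to check feyd's suggestion that the cookie is "set exactly the same throughout", as an added example that is not code from the thread: it compares the scoping attributes of the session cookie in `Set-Cookie` headers captured from an http response and an https response. The cookie name `PHPSESSID` (PHP's default session name), the hostname and the header values are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Attributes that decide which later requests the browser attaches the cookie to.
SCOPE_ATTRS = ("domain", "path", "secure")

# Constructed sample: one Set-Cookie value captured per scheme.
CAPTURED = {
    "http": "PHPSESSID=aaa111; path=/",
    "https": "PHPSESSID=bbb222; path=/checkout; domain=secure.example.com; secure",
}


def session_cookie_scope(set_cookie_header, name="PHPSESSID"):
    """Return the scoping attributes of the named cookie, or None if it is not set."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        return None
    morsel = jar[name]
    return {
        # An empty domain means a host-only cookie; a leading dot is ignored by browsers.
        "domain": morsel["domain"].lower().lstrip("."),
        # An empty path means the browser derives it from the request URL.
        "path": morsel["path"],
        # The Secure flag parses to True when present, '' when absent.
        "secure": bool(morsel["secure"]),
    }


def scope_mismatches(captured, name="PHPSESSID"):
    """List every way the session cookie is scoped differently across the captured responses."""
    scopes = {label: session_cookie_scope(h, name) for label, h in captured.items()}
    problems = [f"{label}: no {name} cookie set"
                for label, scope in sorted(scopes.items()) if scope is None]
    present = {label: s for label, s in scopes.items() if s is not None}
    for attr in SCOPE_ATTRS:
        values = {label: s[attr] for label, s in present.items()}
        if len(set(values.values())) > 1:
            detail = ", ".join(f"{l}={v!r}" for l, v in sorted(values.items()))
            problems.append(f"{attr} differs: {detail}")
    return problems


if __name__ == "__main__":
    for line in scope_mismatches(CAPTURED) or ["session cookie scoped identically"]:
        print(line)
```

Any reported difference means the two sides are handing the browser cookies it will store or return under different rules, which is the condition feyd describes.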