Sessions restarting randomly, aaaaahhhh

[molesquirrel]

So, this problem has baffled me completely. I'll do the best to explain myself, and hopefully someone will have the answer.

I've got a php/mysql site on jpc which I've had for several months. It uses session variables to store certain user information. Just recently (surrounded by a period during which I didn't make any changes to the code base), one of my users began having a problem. He would log into the site, and then the next time he clicked on a link within the site, he would get logged out. More specifically: after clicking that link, somehow his session_id was no longer associated to him (I'm guessing), because he will immediately be assigned a new session_id.

Even more strangely, the old session data is still sitting around in serialized form on the web server, but he is no longer associated with it.

This only happens to a small subset of users, but it happens to them with consistency. I, for example, do not have a problem with it at all.

Some more things to note:

I have register_globals turned off, as well as use_trans_sid (Although I've tried toggling both of them in attempts to fix this).

Even more perplexing: I have a local setup of apache /php 4.3.2 on my winxp box, with the *Exact same* code base, and this problem doesn't exist. This, more than anything else, makes me think it has nothing to do with the code, but I figured this was still an appropriate place to post the question.

I've done my best to match up all the config settings in php.ini/phpinfo() so to mimic the environments, but all to no avail.

I will be happy to give you as much information as you need, because I'm really at wit's end with this problem.

Thanks in advance!

[Connie]

Do that small group of users use AOL as their ISP?

[gerilya]

Can that small group of customers reproduce this problem at will or it just happens sometimes?

[molesquirrel]

1. No, they're not AOL users.

2. Yea, they can reproduce is consistently. I only wish I was one of the one's it was happening to, so I'd have some control over what I was looking at.

Edit: I figure, just for the hell of it, I should mention this too:

The domain upon which this is acting fruity is 'parked' ontop of my main domain upon which my jpc account is tied. I don't understand what parking is (if it's anything more than a simple redirection), but could that possibly be convincing some part of this puzzle that it's a new session each time? (And if so, how might I fix it?)

[jason]

I wouldn't expect parking to cause any problems, but have you tried having the users that are having trouble access the site via the main domain name and/or ip address? Parking isn't a redirect of any type. As far as I can tell, Apache handles parked domains and the main domain of an account exactly the same way.

Check to ensure that the main domain isn't being attached to the session cookies. (The easiest way to do this is to turn on prompting when cookies are received in your browsers preferences.) Then, when the server tries to send you a cookie you'll be prompted to accept it and you'll be able to see what it looks like. It could be that PHP is setting your main domain's name in the cookies although the user is using the parked name. What doesn't make sense is that it doesn't happen for all users.

Are tehre any platform or browser type/version differences between you and the users who are reporting problems?

--Jason

[molesquirrel]

I tried the cookie checking business, and it appears as the parked domain, and not the subdomain upon which it is located.

Sadly, I'm not sure of the platform/browser makeup of the guys using it. I bet you all have run into it before, but people have an odd tendency of not reporting problems, or reporting them, then not seeming interested in helping to fix them. This makes it hard since I can't reproduce the bug myself. I've tried the site on ie, mozilla, and opera, without problems, so I'm not sure if that's the case.

I appreciate all the suggestions thus far; I'm going to keep looking into it, and keep posting more hints I discover here.

[molesquirrel]

This just gets weirder and weirder.

I no longer think it has anything to do with parked domains, because I'm starting to notice cookie errors on both the parked domain and the 'base' domain.

Here's what the current issue seems to be:

Cookies (some which I set using php, and some which store the PHPSESSID) are disappearing prior to their expected expiration date. Here is an example of the code I'm using to set the cookie (for the base domain)

PHP Code:

setcookie('C_USER', $user, time() + 154395000,"/",'.molesquirrel.net'); 


After this is done, I can see the cookie properly inserted into a file (through the cookie viewing abilities of Opera and Mozilla). The expiration dates are one year into the future.

At some point in the future (it seems to be about 20 minutes for me), Mozilla has the cookie disappear. There are plenty of other cookies from other websites that are still remaining, and they don't appear to be configured any differently from this one.

As far as I can tell, this error isn't happening with my version of Opera. Not sure about IE.

(Note: I don't have any code in the site that removes cookies, so they're not getting removed by my actions.

At this point, I'm thinking that for whatever reason, the cookies are dropping. In the session cases mentioned above, the cookies are dropping immediately, so the session keeps getting restarted (and would explain why the session file on the web server still remains when the browser gets a new sessionid ).

Again, thanks for any insight you can give me.

[gerilya]

I just visited your site with an option to prompt me before setting any cookies. PHPSESSID cookie is set up to expire 2 hours ago. No wonder it will be deleted very soon

[molesquirrel]

Hmm. hmmmmmmmmmmm.




I suppose I should look into that. for molesquirrel.net, I haven't changed any of the default session.xxxx_xxxxx php settings, so it's perplexing that it would expire at a past time like that :P. I wonder if it has anything to do with time zones? (Where are ya?)

[gerilya]

It's not where I am, it's what my clock is set to

Timezones was my first thought, but you claim your sessions should live for about a year, my clock is not messed up like that.

[molesquirrel]

Well, actually, another cookie I'm setting lives for a year. The sessions live for...whatever the php default is. I will try giving that a higher default, though, so if you could, try returning and see what it tells you. When I went to it, all my cookie said was 'until end of session', so that wasn't very useful

[Galen]

Does this group of users happen to visit other php/mysql sites that may have a similiar setup to yours? And, are you using the default names for the cookies?

I had this problem when I ran 3 phpBB boards on 1 site. I eventually discovered that because the cookies all had the same name, they were overwriting/conflicting each other (and, of course, the specific data such as SID in the cookie would be different for each board). So, it wound up causing no one to be able to stay logged in at all.

Try changing the actual name of the cookie and see if that helps. The users may need to use a Window Washer type program to delete all of their cookies first before logging back in to your site, though.

[molesquirrel]

So, I think i solved a large part (if not all) of my problem. The only reason I'm not sure if it's all solved is because I haven't had a chance to converse with those who had the session problems.

Looks like it was a cookie issue. The PHPSESSID cookies seemed to be getting set at odd points, as gerilya noted. the session.cookie_lifetime was set to default, so I went ahead and set it to 28400 (+ time()).

I also noticed that my phpbb data cookies were working fine, so I took a look at those. Against what seemed to be the popular suggestion at sites like php.net in the docs section, it left the domain field of setcookie blank, which would then fill in to molesquirrel.net. I had been putting domains like .molesquirrel.net, which supposedly catch the subdomains as well. Since that change, any cookies I set through php code haven't disappeared before they're expected time!

As to the php sessions, well, I guess I'll see what my users tell me when I manage to grab ahold of them.