php - Strange, annoying and very random session timeout


I have a rather large PHP app (several thousand unique URLs, user logins with various roles, etc.). PHP has the session timeout set to 1 hour (3600 seconds) in php.ini. The way logins work is this: when a user successfully logs into the app, a few things about the user are stored in $_SESSION, including username, real name, role id, etc. On every page access (common code), $_SESSION is checked for these variables and, if they are present, the user goes where they asked for. If the variables are not there, then the user is redirected to the "unlogged-in" page.

This has been working fine for the past few years and is still working fine - mostly. Very randomly the session seems to time out without any warning or anything else. For a logged-in user this is seen like so: log in, do something, navigate to the next page - and instead get logged out and sent back to the "unlogged-in" page. Naturally, this is extremely annoying. However, the random nature of this behaviour makes it extremely difficult to investigate.

I never experience it on my machine in any browser. There's another machine in the office, where this happens in every browser all the time (at least I can reproduce the problem). On yet another machine, it happens in one browser and doesn't happen in another browser. And yet on another machine it happens sometimes and not other times. Today we got a call from one of the clients who experience this problem - but when requested to try in a different browser, it worked fine.

This is not due to the version of the browser, as it works on some machines and not on others with the same version. Moreover, having two identically set up machines, it sometimes happens on one but never on the other. So overall it seems that there's something very, very strange happening with the sessions, but I'm totally stumped as to where to look. I've been trying to investigate this for the better part of the last several months but haven't gotten anywhere. Where else should I look?

At this point any help is more than greatly appreciated.

ADDED: Here is the session part of my php.ini:

[Session]
session.save_handler = files
session.use_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_divisor     = 100
session.gc_maxlifetime = 3600
session.bug_compat_42 = 1
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 4

Answer

Solution:

I have experienced the same issues with sessions timing out randomly on some boxes, consistently on others, and not at all on the majority. After a lot of trial and error, I tracked my issue back to some machines with IE having compact privacy policy issues. We simply added a header like so: header('P3P: CP=Visit www.oururl.tld for our Privacy Policy.'), which stopped a lot of the problems from old IE. This is only supposed to apply to third-party cookies, but who knows with IE.

Second, I found that some machines were having a fit when setting the session cookie on .domain.tld and then accessing it from domain.tld rather than www.domain.tld. Making sure all requests got directed to the www subdomain solved most of the other browsers.

Finally, I had to take over setting the session timeout from PHP because the timezone of our server was causing issues when that got set automatically. I simply set the expiration to 0 so that the browser never times out the cookie until the "session" ends by the user closing the browser or such. Then I added a simple expires variable into the session and manually checked it, so that all checks and decisions on the expiration were made in our server's timezone, not the client's.

These three things solved all but the most un-reproducible instances, which I strongly suspect are caused by things like the Google and Yahoo Toolbars doing strange things with either the browser cache or the browser's temporary internet files themselves.

You may also want to check and make sure that you aren't encountering any race conditions with session id regeneration and AJAX/other asynchronous calls, if you use them. Often in older browsers the cookie simply doesn't get updated fast enough when you regenerate the id, and even in newer browsers the timing can get off just enough to submit an old id with a new request and cause the session to drop. My best solution for this was to not regenerate the session id on AJAX, but only on actual page loads, so that things stayed synchronized. There are several other approaches, like keeping the old session data around instead of having it automatically deleted (also insecure to a degree only your application's needs can determine).
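The server-side expiry check and the "regenerate only on real page loads" rule from the answer above, written out as an added example (not the answerer's code). It assumes PHP 7.3+ for the array form of session_set_cookie_params(), a hypothetical /unlogged-in.php redirect target, and that AJAX calls send the X-Requested-With: XMLHttpRequest header as jQuery-style clients do.

```php
<?php
// Added example, not from the original answer. Common bootstrap code that
// every page includes before it reads $_SESSION.

const SESSION_TTL = 3600;  // seconds of inactivity before a forced logout

function start_app_session(): void
{
    // lifetime 0: the browser keeps the cookie until it is closed, so the
    // client's clock and timezone never decide whether the cookie is stale.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Expiry is compared against the server's own time(), so the decision
    // is made in the server's timezone only.
    $now = time();
    if (isset($_SESSION['expires']) && $_SESSION['expires'] < $now) {
        $_SESSION = [];          // stale: drop data, the user is logged out
        session_destroy();
        session_start();
    }
    $_SESSION['expires'] = $now + SESSION_TTL;   // sliding expiry

    // Regenerate the id only on real page loads (assumed AJAX marker:
    // X-Requested-With), so an in-flight XHR cannot arrive with an id that
    // was retired a moment earlier and drop the session.
    $isAjax = ($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';
    if (!$isAjax && ($_SESSION['last_regen'] ?? 0) < $now - 300) {
        session_regenerate_id(true);   // true: discard the old session file
        $_SESSION['last_regen'] = $now;
    }
}

function is_logged_in(): bool
{
    // Same check the question describes: login data present in $_SESSION.
    return isset($_SESSION['username'], $_SESSION['role_id']);
}

start_app_session();
if (!is_logged_in()) {
    header('Location: /unlogged-in.php');   // hypothetical path
    exit;
}
```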
