CakePHP 2.4 losing session variable in 10% of cases

I am using Apache, PHP 5.4 and CakePHP 2.4. Recently I have been getting random issues with my session.
My queries are based on variables stored in the session, and once every 10-15 pages I get a critical error saying that the MySQL query failed because it cannot find the field in the database. This field name is stored in the session, which is why I suspect it is an issue with my session settings. Moreover, when I get an error and refresh the page 2 or 3 times, it finally loads and the session somehow "restores".
It is an e-commerce application and the shopping cart is saved in the session. Even if an item is in the shopping cart, I get that error and refresh the page, the shopping cart is still saved fine, so the session is not completely lost. It seems like it almost disappears for a few seconds.
My cake is set up like:
Configure::write('Session', array(
'defaults' => 'php'
));
In my php.ini I already changed
session.save_handler = memcache
to
session.save_handler = files
But it didn't help. I also get that issue when I put a link directly in my URL and there is no redirect to it, so it is not an issue with redirects losing a session that was already discussed on this forum before.
Any ideas where else I should look?

I had a similar problem many years ago whereby I was randomly losing session variables. It turned out that my ISP, for reasons related to load balancing, had a PHP instance running on multiple servers. At the beginning of the session the Session Variables would be saved on only one of the servers. If a request came from the browser that was directed to a different server the Session variables would not be found.
I got around the problem by placing the session_save_path('/tmp') command at the beginning of every script and then immediately running the session_start() command. I create the 'tmp' folder in my private public_html space. This solved the problem.
This was in my pre-Cake days so I haven't thought about how to solve this problem in a Cake environment but hopefully it gives you somewhere to look.

So it turned out the reason was a recently installed APM. Thank you for all the support.

Related

CakePHP 2 sessions ending abruptly/prematurely

I have a few CakePHP 2.5.1 websites running on a production LAMP environment with PHP 5.3.29 and MySQL 5.6 (I know, it's old stuff). They use Auth to protect the access to them to only registered users. These websites have had no issues for years.
Recently we started getting complaints from users that they are being kicked out of those sites when seemingly they shouldn't be; it even happened to me once. I'm talking about getting the typical message that we display when someone tries to access a protected page once their session expires and they get taken to the login page. Only that those sessions are expiring quicker than they should. We use database sessions for these sites; here's the config:
Configure::write('Session', array(
'defaults' => 'database',
'handler' => array('model' => 'cake_sessions'),
'timeout' => 60
));
Configure::write('Security.level', 'low');
The weirdest thing is that after getting kicked out, if you log in again and try to access a page that you had not accessed in your previous session, you get kicked out again to the login page. But if you access a page that you had accessed before getting kicked out in the previous session, then you can access it no problem. I presume this might be related to caching but I had never seen something like this happen in these sites before, so I thought I'd mention it just in case.
The code of those sites has not changed in years. The only thing that's changed is that the server where those websites are located had some PHP configuration changed where they enabled PHP-FPM, and it does seem like these issues started around the same time, but I don't know how to make a connection between that and the sessions. Also I don't think we can have that disabled.
I've been doing some troubleshooting, printing session variables while using these sites, looking at the database table that handles sessions, verifying session IDs, timeouts, cookies, etc., and everything seems OK as far as I can tell. Sessions get automatically refreshed when I navigate to other pages, they show the correct duration, CakePHP cookies show correct session IDs, etc. I have not managed to replicate the issue or found anything wrong in the code, database, cookies, or PHP session. But maybe I'm not looking in the right places.
So in reality I have 2 questions:
Does anyone know what might be going on here with the sessions? What can cause a premature end of a session?
Can anyone suggest a way for me to troubleshoot this? Replicate the issue somehow?

$_SESSION superglobal is being emptied unexpectedly

I am using sessions in an attempt to implement persistent logins for my users in a web application. The back-end is php 7.2 and apache, provided through Namecheap shared hosting.
I am setting a session cookie on the client with a "cookie_lifetime" and "gc_maxlifetime" of 604,800 seconds (one week). The server calls session_start() with these parameters and checks a $_SESSION key called "user_id" to see if the session_start() call has started an existing session (if the key is defined, the user is "logged in"). It does this every time the page is loaded. Everything works fine until about 40 minutes of inactivity have gone by, then the next page refresh and attempt to call session_start() and access any $_SESSION keys returns undefined for everything, despite the session cookie still showing an "Expires" value several days in the future in DevTools.
My understanding was that "cookie_lifetime", "gc_maxlifetime", and the associated "Expires" header for setting the client-side cookie would preserve session information for at least as long as the time specified, but this interaction is demonstrating that regardless of what I put in those fields, the $_SESSION superglobal will not return anything meaningful beyond ~40 minutes of inactivity.
Am I not understanding this correctly, or is there perhaps something wrong from a server configuration standpoint that is beyond the scope of the client-server application code?
I didn't fully get to the bottom of why this was occurring. I did reach out to the Namecheap support staff, however, and they told me their sessions were not malfunctioning in the same way after ~40 minutes; they continued to see session values that had been set several hours previously when they tried to recreate the issue using the same code and configuration as I was using.
I dug into the server configuration and reviewed the output of a phpinfo() dump and determined that the Registered save handlers were set to files user. I can't find out what the user component of that reflects, and maybe that's where the issue lies, but I was able to resolve the issue by explicitly specifying the session.save_path parameter rather than relying on the default (which was no value in the phpinfo output).
The support staff had said that the default location was /home/[user]/tmp/ and their sessions were showing up there, but mine were not. After adding the explicit save_path to php.ini, my sessions began to appear there and the ~40 minute expiration stopped occurring.
I'll hold off on accepting this as the answer in case anyone else can provide more insight/understanding, but I wanted to at least chime in saying that I had found a solution to my problem. I'm not sure what was happening before, but I could not find my session files anywhere sensible in the directories of my shared host user account and I'm wondering if they were there at all. It's also very strange to me that it worked for the support staff but not for me or a friend that I had test it on his own computer.
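
Both the load-balanced hosting answer in the first thread and the explicit save_path fix above come down to controlling where session files are written. The following is an added example, not code from either poster: a bootstrap snippet that pins sessions to a private directory and logs what PHP actually used. The directory path is an assumption, and a Unix-like host is assumed.

```php
<?php
// Added example, not from the original posts. Assumes a Unix-like host.
// $sessionDir is an assumed path: keep it outside the web root, and on
// storage that every server answering for this site can reach.
$sessionDir = dirname(__DIR__) . '/private/sessions';
$lifetime   = 604800; // one week, the value used in the question

if (!is_dir($sessionDir) && !mkdir($sessionDir, 0700, true)) {
    throw new RuntimeException("Cannot create session directory: $sessionDir");
}
if (!is_writable($sessionDir)) {
    throw new RuntimeException("Session directory is not writable: $sessionDir");
}
// Session files hold login state, so reject group/other access bits.
$mode = fileperms($sessionDir) & 0777;
if ($mode & 0077) {
    throw new RuntimeException(sprintf('Session directory mode %o is too open', $mode));
}

// These must be set before session_start(). When several applications share
// one save_path, garbage collection run by the one with the shortest
// session.gc_maxlifetime also deletes the others' session files.
ini_set('session.save_path', $sessionDir);
ini_set('session.gc_maxlifetime', (string) $lifetime);
ini_set('session.cookie_lifetime', (string) $lifetime);
ini_set('session.cookie_httponly', '1');

session_start();
$_SESSION['probe'] = time();
$id = session_id();
session_write_close(); // flush to disk so the file can be checked below

// Log the effective settings; hash the id so the log never holds a usable token.
$file = rtrim(session_save_path(), '/') . '/sess_' . $id;
clearstatcache();
error_log(sprintf(
    'session=%s save_path=%s file_on_disk=%s gc_maxlifetime=%s',
    substr(hash('sha256', $id), 0, 12),
    session_save_path(),
    is_file($file) ? 'yes' : 'no',
    ini_get('session.gc_maxlifetime')
));
```

A file_on_disk value of "no" in the log means the handler is writing somewhere other than the path reported, which is the situation described in the answer above.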

Session resetting PHP

I'm using session variables in my php application, and I put session_start() at the first line (after the php, of course) of all my pages. But I'm losing data from two pages before.
Example: If I store $_SESSION['var1'], in the next page I will retrieve its value correctly, but if I go one more page ahead, I lose the data.
I use session_start() in all pages and I only reset the session at the index page where my user logs in.
Has anyone been through this and knows what I can do? I'm testing using WAMP, and on localhost the problem doesn't happen. It only happens on my company's GoDaddy server (with cPanel hosting).
Solved.
My index.php was destroying the session data; even if the page doesn't pass through it, the session was always erased.
This is just a comment
It's a problem with the server and not the script. Usually, to manage the server load, the sessions that are created at your site can expire in a short amount of time. There are ways like editing the php.ini file of the www directory, but every hosting server could have different methods.

Session handling in PHP and Zend

I got a really strange problem in my PHP webapp.
If I log in, everything works fine for the duration of my session.
If I come in the next day, my webapp returns me to the Login page (as I expect).
The problem is that once I log in, parts of my site work and parts don't. The parts that don't return strange error messages and then I'm logged out and need to log back in. The strange thing is that some days some parts don't work and other days other parts don't work. If I delete all cookie values I can see, that doesn't solve the problem. The problem is only solved by deleting the entire cookie itself and then logging in again.
I've turned off garbage collection (because on Ubuntu there is supposedly a cron job which does it automatically even though I can't see it) but the issue was occurring before that.
So in terms of simplicity my intention is two-fold:
- To add code to my Login page to delete the cookie entirely (assuming I can do that from PHP)
- To move session storage from my webserver to my MySQL DB (because I'm in my dev environment but preparing to build my test environment which will be a cluster of webservers, not just one)
My questions are:
- Is there any way to ensure session values die reliably and gracefully rather than lingering and wreaking havoc?
- Is it possible to delete an entire cookie from PHP code, rather than just cookie values?
Many thanks.
After being a constant problem for a while, this issue has gone away. I've actually determined the cause and so I thought I'd post a quick update. Basically I had three sites I was accessing on my domain, my own webapp, a CMS Admin page and another admin tool. I've determined that the session cookies between my webapp and CMS admin were interfering with each other. If I use different browsers to access the different sites, the problem doesn't reoccur. It was driving me up the wall. Thanks to those who posted suggestions/responses. I appreciate it. I'll mark this as closed.
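
One way to address the cookie collision described above and the question about deleting a whole cookie, as an added example that is not part of the original post: each application gets its own session cookie name and path, and logout removes the cookie as well as the server-side data. The constant values and the app_* function names are hypothetical.

```php
<?php
// Added example, not from the original post. The session name, cookie path
// and app_* function names are assumptions chosen for illustration.
const APP_SESSION_NAME = 'WEBAPPSESSID'; // unique per application on the domain
const APP_COOKIE_PATH  = '/webapp/';     // URL prefix this application lives under

function app_session_start()
{
    // Every PHP app defaults to the PHPSESSID cookie on path "/", so two apps
    // on one host overwrite each other's session id unless they are separated.
    session_name(APP_SESSION_NAME);
    session_set_cookie_params(0, APP_COOKIE_PATH, '', !empty($_SERVER['HTTPS']), true);
    session_start();
}

function app_login($userId)
{
    app_session_start();
    session_regenerate_id(true); // fresh id at login, old session file removed
    $_SESSION = array('user_id' => $userId, 'started' => time());
}

function app_logout()
{
    app_session_start();
    $_SESSION = array(); // drop the values held for this request

    // An expiry in the past makes the browser delete the cookie itself.
    // Name, path and domain must match the ones the cookie was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);

    session_destroy(); // remove the stored session data on the server
}
```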

CakePHP cookies not persisting after browser close

I am in the process of moving away from Apache in favor of nginx due to the lower resource consumption. I have set up an Ubuntu Server box with the LEMP stack installed. After moving all my applications over (3 CakePHP 2.0.5 apps, 1 Wordpress install), everything seems to be working perfectly except for one thing - Cake's cookies suddenly disappear when the browser is closed.
I have created a very simple test PHP page to test if cookies are working at all and they are in fact working, just not in Cake. Wordpress is also not having any troubles remembering me when I close my browser.
Using the Chrome developer tools, I have inspected to see if the cookie is being set at all, and it is as you can see below:
The expiry date is even set a month into the future as well, so I don't understand why they don't live past browser close. As soon as I fire my browser up and navigate to my app, the cookie is now gone:
One thing I did notice is that with my app running on Apache, the CAKEPHP cookie you see above has the same value before and after close. However, on the nginx server, that cookie has a different value every time I close and re-open my browser.
I thought this might have to do with sessions, so I checked my session settings in core.php and it's set to let PHP do the session handling:
Configure::write('Session', array(
'defaults' => 'php'
));
I've checked my /tmp directory and session files are being created. I tried changing the session handler to cake so that Cake would store sessions in its app/tmp/sessions directory, and while the sessions would successfully get created in this directory my cookies are still lost on browser close.
Has anybody experienced this behavior between nginx and Cake before, or have any ideas as to why this might be happening?
The problem is related to encrypted cookies and the Suhosin patch. Apparently Suhosin ignores any mt_srand() and srand() calls you make and initializes the randomizer itself [see here]. Because Cake relies on these functions, it was interfering with my encrypted cookies. To fix it, I added these two lines to my php.ini file and rebooted the server (note that simply restarting nginx didn't work):
suhosin.srand.ignore = Off
suhosin.mt_srand.ignore = Off
