acedrummond
Posts: 90
|
| Posted: 02/04/2015, 7:20 PM |
|
I have a question relative to 'sessions.'
I was operating under the impression that a session was a 'browser' session and that each window had its own session ID such that session variables would only be available in the window in which it was opened thus if I had two windows open with the same screen program each would have its own independent values in the same named session variables.
They say you learn something every day and today - I think I found an issue that has hit me in the back of the head for quite some time.
I am using Windows 8.0 PHP and CCS 5.1.1
Session variables in one scree are available in a second window and even a second browser instance thus the session variables are being changed depending upon what the user is doing in each window.
I've written a few test programs and proven that this is the case! The same session ID is in each window on the same PC.
So to make sure that the issues presented by this session issue are not shared across windows I need to find a better way of passing values between screens and am thinking that passing parameters in the URL is a way to insure that the variables I am trying to pass do not go across browser windows or am I missing something?
The good news is that not too many users normally open the same application in multiple windows at the same time so the problems I've encountered are rare and rather contained.
I need to fix this problem and am looking for some input. Thanks//
_________________
Ace Drummond |
 |
 |
eratech
Posts: 513
|
| Posted: 02/04/2015, 8:26 PM |
|
Ace - I think you are correct - if you are logged in on 2 windows then the server might not know the difference and treat the sessions as a single instance.
Passing values in the URL - I rarely do it any other way, but my applications are usually intranet and not internet so some slight exposure of data is not an issue. Depends on what data you are transferring.
If I wanted to verify the URL parameters haven't been tampered with (eg: User with access to Client ABC123 changing clientid to XYZ123) then I usually have a random session value that I use as a salt and then hash the values and the salt, and then compare it on the receiving page.
Eric
_________________
CCS 3/4/5 ASP Classic, VB.NET, PHP
Melbourne, Victoria, Australia |
|
|
|
MichaelMcDonald
Posts: 640
|
| Posted: 02/05/2015, 11:24 PM |
|
Have you guys ever seen intermittent session dropping at random times and volumes?
It's not the garbage collector and not session expires, sessions are being put into cookies.
I have ripped my code to bits and put it back together.
I have moved the CCGetSession function to the top of common.php
I cannot for the life of me see how anything intermittent couldn't be anything but hardware.
_________________
Central Coast, NSW, Australia.
|
|
|
|
eratech
Posts: 513
|
| Posted: 02/07/2015, 11:41 PM |
|
Michael - I've seen a variety of 'logouts' that I can only attribute to sessions expiring, but could never find an 'aha!' setting that solved it. It could be the number of users (it was in a 100-person intranet application all through the same connection) but some people would be fine all day, and others would timeout in 30-40 minutes.
Eventually we just used the 'Remember Me' and the browser to autofill the password and most people were fine.
So, no, I haven't found a solution either....
Eric
_________________
CCS 3/4/5 ASP Classic, VB.NET, PHP
Melbourne, Victoria, Australia |
|
|
|
MichaelMcDonald
Posts: 640
|
| Posted: 02/08/2015, 3:50 AM |
|
I have now set session.save-handler = memcached, specifed the I.P and port and asked the network guys to see if they can follow a "get session" request through their firewalls and routers, etc.
The other thing I have come across using tcp optimizer is a recommend MTU of 1492 instead of Windows default 1500.
But try convincing know-it-all tech's just to try it in case a packet is fragmenting here and there....
"no we have the best routers and infrastucture that money can blah blah blah"..
Well I've done the research and an intermittent fault can only ever occur in something with a physical presence.
Software mis-configuration can show up appearing as a random, but it is always just a setting somewhere that hit's it's multiplier or divisor and so is not intermittent phenomena.
Physical devices suffer load and heat stress and electrical breakdown from time-to-time.
PHP set and get session is a black-and-white operation, 1's and 0's so to speak.
_________________
Central Coast, NSW, Australia.
|
|
|
|
MichaelMcDonald
Posts: 640
|
| Posted: 02/10/2015, 2:33 AM |
|
memcached wasn't working and then I found out that session variables are appearing in 2 different tmp folders.
It's a cloud linux system using "caged filesystem."
WTF that is I dunno.
But with cagefs you cannot simply drop php.ini into a sub-directory, it won't work although at this stage it looks like it is creating and managing * some sessions", while the global php.ini file is managing *some other sessions* and as there is this shonky overwrite relationship global might be running garbage collection on those sessions created by the global php.ini file every 24 minutes as per probability setting and the php.ini file dropped in the sub-directory could be doing whatever it wants too, and whenever.
This is what I am instructing my hosting provider whom I pay to research and fix this stuff tomorrow and I will post results ...
http://docs.cloudlinux.com/substitute_global_php_ini_for_.html
_________________
Central Coast, NSW, Australia.
|
|
|
|
|
