sessions mixing

E. Will wrote:

Hello world,

Myself and a few friends have been experiencing the same problem. When
using sessions in PHP for ``logins'' we experience the sessions
``mixing.'' To say, one user logs in as ``foo,'' another user logs in as
``bar.'' User ``foo'' refreshes to find himself now logged in as
``bar'' or not logged in at all. This has happened on several different
scripts running on several different hosts using several PHP versions
(including the latest). I've been able to overcome it once in the past,
though I can't remember how and if the same method would have worked I
probably would have found it by now.

Thanks for any help.

-- E. Will // rakaur @ malkier

Strange behavior indeed! Are you generating your own session ID's? Make
sure your session ID's are truly unique; that is, you are not generating
ID's already in use by the system. Are you storing your session ID's in
a database? If so, check to see that you are retrieving the correct
session information. Are the two users connecting to the same
application via the same browser on the same machine? If so, that could
be the culprit right there.

--
Amir Khawaja.

----------------------------------
Rules are written for those who lack the ability to truly reason, But
for those who can, the rules become nothing more than guidelines, And
live their lives governed not by rules but by reason.
- James McGuigan

Amir Khawaja wrote:

E. Will wrote:

Hello world,

Myself and a few friends have been experiencing the same problem. When
using sessions in PHP for ``logins'' we experience the sessions
``mixing.'' To say, one user logs in as ``foo,'' another user logs in as
``bar.'' User ``foo'' refreshes to find himself now logged in as
``bar'' or not logged in at all. This has happened on several different
scripts running on several different hosts using several PHP versions
(including the latest). I've been able to overcome it once in the past,
though I can't remember how and if the same method would have worked I
probably would have found it by now.

Thanks for any help.

-- E. Will // rakaur @ malkier

Strange behavior indeed! Are you generating your own session ID's? Make
sure your session ID's are truly unique; that is, you are not generating
ID's already in use by the system. Are you storing your session ID's in
a database? If so, check to see that you are retrieving the correct
session information. Are the two users connecting to the same
application via the same browser on the same machine? If so, that could
be the culprit right there.

I simply use session_start() and the rest is done via $_SESSION (or in
some cases $HTTP_SESSION_V ARS). The session IDs should be generated
uniquely by PHP. The sessions are being stored in the default directory.
The two users was just an example. One site actually had about 40
users from varying geographic locations using varying
browsers/platforms/etc and they were all swapping sessions.

- E. Will

"E. Will" <ra****@malkier .net> wrote in message news:<10******* ******@corp.sup ernews.com>...

Hello world,

Myself and a few friends have been experiencing the same problem. When
using sessions in PHP for ``logins'' we experience the sessions
``mixing.'' To say, one user logs in as ``foo,'' another user logs in as
``bar.'' User ``foo'' refreshes to find himself now logged in as
``bar'' or not logged in at all. This has happened on several different
scripts running on several different hosts using several PHP versions
(including the latest). I've been able to overcome it once in the past,
though I can't remember how and if the same method would have worked I
probably would have found it by now.

It never happened to me, even in 10,000 hits per hour like sites.
Questions like this should give some idea about INI settings (at least
for the session )... I guess, the session.entropy _length is shorter
than the default.

--
"I don't believe in the God who doesn't give me food, but shows me
heaven!" -- Swami Vivekanandha
Email: rrjanbiah-at-Y!com

R. Rajesh Jeba Anbiah wrote:

"E. Will" <ra****@malkier .net> wrote in message news:<10******* ******@corp.sup ernews.com>...

Hello world,

Myself and a few friends have been experiencing the same problem. When
using sessions in PHP for ``logins'' we experience the sessions
``mixing.'' To say, one user logs in as ``foo,'' another user logs in as
``bar.'' User ``foo'' refreshes to find himself now logged in as
``bar'' or not logged in at all. This has happened on several different
scripts running on several different hosts using several PHP versions
(including the latest). I've been able to overcome it once in the past,
though I can't remember how and if the same method would have worked I
probably would have found it by now.

It never happened to me, even in 10,000 hits per hour like sites.
Questions like this should give some idea about INI settings (at least
for the session )... I guess, the session.entropy _length is shorter
than the default.

It's all default.

"E. Will" <ra****@malkier .net> wrote in message news:<10******* ******@corp.sup ernews.com>...

R. Rajesh Jeba Anbiah wrote:

"E. Will" <ra****@malkier .net> wrote in message news:<10******* ******@corp.sup ernews.com>...

Hello world,

Myself and a few friends have been experiencing the same problem. When
using sessions in PHP for ``logins'' we experience the sessions
``mixing.'' To say, one user logs in as ``foo,'' another user logs in as
``bar.'' User ``foo'' refreshes to find himself now logged in as
``bar'' or not logged in at all. This has happened on several different
scripts running on several different hosts using several PHP versions
(including the latest). I've been able to overcome it once in the past,
though I can't remember how and if the same method would have worked I
probably would have found it by now.

It never happened to me, even in 10,000 hits per hour like sites.
Questions like this should give some idea about INI settings (at least
for the session )... I guess, the session.entropy _length is shorter
than the default.

It's all default.

Then, it sounds like a hoax. You haven't said anything about the
version of your PHP... You also said, you've faced similar problem
before(with various versions!!) ?? Yet, I haven't heard such problem.
Yet, I have faced clustering of session alone, which can be solved
with custom session handler.

--
"I don't believe in the God who doesn't give me food, but shows me
heaven!" -- Swami Vivekanandha
Email: rrjanbiah-at-Y!com

R. Rajesh Jeba Anbiah wrote:

"E. Will" <ra****@malkier .net> wrote in message news:<10******* ******@corp.sup ernews.com>...

R. Rajesh Jeba Anbiah wrote:

"E. Will" <ra****@malkier .net> wrote in message news:<10******* ******@corp.sup ernews.com>...
Hello world,

Myself and a few friends have been experiencing the same problem. When
using sessions in PHP for ``logins'' we experience the sessions
``mixing. '' To say, one user logs in as ``foo,'' another user logs in as
``bar.'' User ``foo'' refreshes to find himself now logged in as
``bar'' or not logged in at all. This has happened on several different
scripts running on several different hosts using several PHP versions
(includin g the latest). I've been able to overcome it once in the past,
though I can't remember how and if the same method would have worked I
probably would have found it by now.
It never happened to me, even in 10,000 hits per hour like sites.
Questions like this should give some idea about INI settings (at least
for the session )... I guess, the session.entropy _length is shorter
than the default.

It's all default.

Then, it sounds like a hoax. You haven't said anything about the
version of your PHP... You also said, you've faced similar problem
before(with various versions!!) ?? Yet, I haven't heard such problem.
Yet, I have faced clustering of session alone, which can be solved
with custom session handler.

Yes that's right, I'm faking it. Good call.

I mentioned the PHP versions in the first post. It's happened to me and
to two other friends on varying occasions. Sometimes it happens,
sometimes it doesn't. It appears to be a flat-out bug to me. There's no
pattern whatsoever. If the only conclusion you can come to is ``he's
lying'' then you're probably mentally ill. I have better things to do
than to sift through seventy messages a day on a news group to see who
responded to a made-up bug.

If you need proof I'll put it on a public page. In the mean time, if you
have nothing to say other than calling me a liar don't bother responding.

"E. Will" <ra****@malkier .net> wrote in message news:<10******* ******@corp.sup ernews.com>...

>Hello world,
>
>Myself and a few friends have been experiencing the same problem. When
>using sessions in PHP for ``logins'' we experience the sessions
>``mixing. '' To say, one user logs in as ``foo,'' another user logs in as
> ``bar.'' User ``foo'' refreshes to find himself now logged in as
>``bar'' or not logged in at all. This has happened on several different
>scripts running on several different hosts using several PHP versions
>(includin g the latest). I've been able to overcome it once in the past,
>though I can't remember how and if the same method would have worked I
>probably would have found it by now.
It never happened to me, even in 10,000 hits per hour like sites.
Questions like this should give some idea about INI settings (at least
for the session )... I guess, the session.entropy _length is shorter
than the default.

It's all default.

Then, it sounds like a hoax. You haven't said anything about the
version of your PHP... You also said, you've faced similar problem
before(with various versions!!) ?? Yet, I haven't heard such problem.
Yet, I have faced clustering of session alone, which can be solved
with custom session handler.

Yes that's right, I'm faking it. Good call.

I mentioned the PHP versions in the first post.
Hmmm... I couldn't see. Could you?
It's happened to me and
to two other friends on varying occasions. Sometimes it happens,
sometimes it doesn't. It appears to be a flat-out bug to me. There's no
pattern whatsoever. If the only conclusion you can come to is ``he's
lying'' then you're probably mentally ill.
Ok.
I have better things to do
than to sift through seventy messages a day on a news group to see who
responded to a made-up bug.

If you need proof I'll put it on a public page.
May be you can. But, you said that you've previously faced similar
problem and solved it. So, I think, you can better check your previous
codes to see how you've done. Anyway, you please report the bug (with
more info like, PHP version, OS, INI settings, etc) to PHP dev team.
In the mean time, if you
have nothing to say other than calling me a liar don't bother responding.

Ok.

--
"I don't believe in the God who doesn't give me food, but shows me
heaven!" -- Swami Vivekanandha
Email: rrjanbiah-at-Y!com

"E. Will" <ra****@malkier .net> wrote in message news:<10******* ******@corp.sup ernews.com>...
<snip>

I mentioned the PHP versions in the first post. It's happened to me and
to two other friends on varying occasions. Sometimes it happens,
sometimes it doesn't. It appears to be a flat-out bug to me. There's no
pattern whatsoever. If the only conclusion you can come to is ``he's
lying'' then you're probably mentally ill. I have better things to do
than to sift through seventy messages a day on a news group to see who
responded to a made-up bug.

If you need proof I'll put it on a public page. In the mean time, if you
have nothing to say other than calling me a liar don't bother responding.

I'd thought that you'll be providing more info about your code.
Unfortunately, in this c.l.p, most of the visitors present the vague
questions but expect the best answer. In your case, you didn't mention
about your login system, version, etc.

1. I still believe, there is no bug in PHP session. The problem might
be in your installation or your settings. Or someone else is hacking
the system. You should note that, you can pass someone's session_id to
see other's session variables (security issues). In this case, you
need to find better/secure login system.

2. Increase the session.entropy _length to 32. It may _sometimes_ help
you.

3. Find a better login system (no idea, how you do!!). The logic is:
save the session_id of the user in user table while he logins to the
site. And check the current session_id (of the page) with the one
present in the DB on "every pages". For more info on this stuff, see
Martin's login script/tutorial (<http://martin.f2o.org/php/login>)

HTH.
--
"I don't believe in the God who doesn't give me food, but shows me
heaven!" -- Swami Vivekanandha
Email: rrjanbiah-at-Y!com

I am not an expert on sessions, but have you tried storing the IP
address along with each session-id and then checking the IP against
the session-id. I know that proxy servers, etc can cause this to fail
because some user's IP address changes during a session, but it may
illuminate the issue a little more.

Viking
On Wed, 28 Jan 2004 17:09:18 -0600, "E. Will" <ra****@malkier .net>
wrote:

I simply use session_start() and the rest is done via $_SESSION (or in
some cases $HTTP_SESSION_V ARS). The session IDs should be generated
uniquely by PHP. The sessions are being stored in the default directory.
The two users was just an example. One site actually had about 40
users from varying geographic locations using varying
browsers/platforms/etc and they were all swapping sessions.

- E. Will