sessions being destroyed prematurely

Lee wrote:

Hi,
I have a very specific problem that perhaps some of the smart people
here can figure out. I have a site based on PHP with some Java
applets on it. The session variables are being destroyed
prematurely. We are running Apache2 with PHP 5.

On the site, there is a PHP session variable that holds login
information. If you go to any page on the site, the session variables
remain intact... except the pages with Java applets. Every one of our
applets send POST and GET requests to the server and retrieve the
resulting php output.
Our group has determined that $_SESSION gets set to an empty array
exactly when getInputstream() is called by the applet's UrlConnection
class, regardless if the requests happen. The PHP session cookie is
not deleted though.
Interestingly, when sending a request via prototype's Ajax.Request,
the session variable still remain intact. Only the Java applets are
causing problems.

Is this problem familiar to anyone at all? I would really appreciate
any help.

One more (possible) piece of the puzzle: our IT installed the
following PHP modules around the time the problem started happening.
php5-pgsql
php5-suhosin
php5-uuid
php5-ps
php5-sqlite3
php5-pgsql
php5-mhash
php5-cli

Java applets can't access (at least not easily) PHP session information.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Java applets can't access (at least not easily) PHP session information.

The applet is not accessing the information actually--thank you for
prompting me to clarify.

The target PHP files carry session information themselves and return
specific data which are determined by their session information and
the applet's post/get variables. Thus, the applet never holds the
session variables.

Hi,

You may need to add a <paramwith the session ID. For example:

<param name="sessionId" value="<?php echo htmlentities(session_id()) ?

>">

When you connect back to the site add "PHPSESSID=" +
getParameter("sessionId") to the URL or POST data.

Regards,

John Peters

On May 27, 3:32 pm, Lee <lsk...@gmail.comwrote:

Hi,
I have a very specific problem that perhaps some of the smart people
here can figure out. I have a site based on PHP with some Java
applets on it. The session variables are being destroyed
prematurely. We are running Apache2 with PHP 5.

On the site, there is a PHP session variable that holds login
information. If you go to any page on the site, the session variables
remain intact... except the pages with Java applets. Every one of our
applets send POST and GET requests to the server and retrieve the
resulting php output.
Our group has determined that $_SESSION gets set to an empty array
exactly when getInputstream() is called by the applet's UrlConnection
class, regardless if the requests happen. The PHP session cookie is
not deleted though.
Interestingly, when sending a request via prototype's Ajax.Request,
the session variable still remain intact. Only the Java applets are
causing problems.

Is this problem familiar to anyone at all? I would really appreciate
any help.

One more (possible) piece of the puzzle: our IT installed the
following PHP modules around the time the problem started happening.
php5-pgsql
php5-suhosin
php5-uuid
php5-ps
php5-sqlite3
php5-pgsql
php5-mhash
php5-cli

Lee wrote:

>Java applets can't access (at least not easily) PHP session information.

The applet is not accessing the information actually--thank you for
prompting me to clarify.

The target PHP files carry session information themselves and return
specific data which are determined by their session information and
the applet's post/get variables. Thus, the applet never holds the
session variables.

It seems that what Jerry meant, was that java applets do not transmit
proper headers, that informs the php server what session files to use.
Since PHP does not receive the session id, it creates new session, that
is why you got an empty array - it's a new one.

Try checking headers, you will see the difference there.

As it's suggested in the other reply, you will need to force passing
some extra data. You can use both POST and GET requests to pass session
id to PHP

best regards
Piotr N

Lee wrote:

>Java applets can't access (at least not easily) PHP session information.

The applet is not accessing the information actually--thank you for
prompting me to clarify.

The target PHP files carry session information themselves and return
specific data which are determined by their session information and
the applet's post/get variables. Thus, the applet never holds the
session variables.

OK, in that case you can do it. But again, you need a little help.

The PHP session id is typically stored in a cookie. Your java applet
will need to pass this information back to the PHP page. You can get
the cookie in your applet and pass it on in the header, or you can pass
it as a hidden field as a post value or in the url as a get value.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Thank you all.

Just to clarify, simply adding in PHPSESSID into the request variables
will set the session? Or do I need to so something like
<?
session_start();
if(isset($_REQUEST['PHPSESSID']))
session_name($_REQUEST['PHPSESSID']);
?>
?

I will try this or whatever you suggest, thanks!

Lee wrote:

Thank you all.

Just to clarify, simply adding in PHPSESSID into the request variables
will set the session? Or do I need to so something like
<?
session_start();
if(isset($_REQUEST['PHPSESSID']))
session_name($_REQUEST['PHPSESSID']);
?>
?

I will try this or whatever you suggest, thanks!

It depends on your hosting company setup. If it allows the session id
to be in the URL (i.e. session.use_only_cookies NOT set to 1 in your
php.ini file), putting it in the URL should be all you need. You can
check this by disabling cookies in your browser and accessing the PHP
pages in your site (not using the java pages).

Otherwise you will need to call session_name with the session id (use
$_GET or $_POST, as appropriate - not $_REQUEST). But you need to call
session_name() BEFORE calling session_start().

But I think the better way would be to go ahead and just send the
session id as a cookie in Java. Check one of the Java newsgroups on how
to do that.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Ok so based on all of your recommendations, I write the following
code:
<?
if(isset($_GET['PHPSESSID'])){
$PHPSESSID=$_GET['PHPSESSID'];
session_id($PHPSESSID);
}
if(isset($_POST['PHPSESSID'])){
$PHPSESSID=$_POST['PHPSESSID'];
session_id($PHPSESSID);
}
session_start();
define('PHPSESSID',session_id());
?>

When I go to the web page and log in (essentially setting session
variables), it works like normal and I retrieve the session id.
Changing it logs me out, and reverting it logs me back in.
Ok so, setting the session id works perfectly.

However, when I run a Java program that makes a post request using
PHPSESSID, it logs me out (the session array is empty). Running the
Java program with an incorrect session id does not force me to log
out.

Is there anything I have done wrong here or have I done it right and
there could be another source of the problem? Thank you all for your
help.

Lee wrote:

Ok so based on all of your recommendations, I write the following
code:
<?
if(isset($_GET['PHPSESSID'])){
$PHPSESSID=$_GET['PHPSESSID'];
session_id($PHPSESSID);
}
if(isset($_POST['PHPSESSID'])){
$PHPSESSID=$_POST['PHPSESSID'];
session_id($PHPSESSID);
}
session_start();
define('PHPSESSID',session_id());
?>

When I go to the web page and log in (essentially setting session
variables), it works like normal and I retrieve the session id.
Changing it logs me out, and reverting it logs me back in.
Ok so, setting the session id works perfectly.

However, when I run a Java program that makes a post request using
PHPSESSID, it logs me out (the session array is empty). Running the
Java program with an incorrect session id does not force me to log
out.

Is there anything I have done wrong here or have I done it right and
there could be another source of the problem? Thank you all for your
help.

No, I suspect you're either using the wrong session ID, or using the
correct session id but passing it incorrectly from the Java applet.

Display your session id before and after running your applet - what does
it show?

Of course it's always possible something is clearing out your session
information. For instance, if you're using java at the server, and it's
set up to use the same session files as PHP, you might have an
incompatibility between languages.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

No, I suspect you're either using the wrong session ID, or using the

correct session id but passing it incorrectly from the Java applet.

Display your session id before and after running your applet - what does
it show?

Of course it's always possible something is clearing out your session
information. *For instance, if you're using java at the server, and it's
set up to use the same session files as PHP, you might have an
incompatibility between languages.

Well while I am testing, I have moved from an applet to a command-line
Java application that makes a simple post request. The target web
page print_r's the session array, the post array, and the session id.
At first when the web page is opened, the session array is fine.
I can log into the web page and get the PHPSESSID, no problem. Next,
I make a post request

PHPSESSID=1ca8fd4c538034542db70cdf70ce2b23

where the PHPSESSID is the sessionid (which I copy from the web page
after logging in). The target web page (now from the command line)
prints the session id from the post request, next an empty session,
and finally the current session id which matches the one in the post
array. Theoretically, the session array should contain everything
that the web page showed earlier but it doesn't.
Next, I go back to the web page to refresh it and there is an empty
array. Something that the Java file did logged me out. This behavior
does not happen however, if I use a different PHPSESSID: the command
line still returns an empty array but the web site still has the
session array intact.

Yes, I am using the CLI for a simple Java program instead of an applet
for now. It should not change which php.ini file is being used.
Below all this is what phpinfo shows under the session heading from
the browser when I call phpinfo().

<?
// this is the PHP target page

if(isset($_GET['PHPSESSID'])){
$PHPSESSID=$_GET['PHPSESSID'];
session_id($PHPSESSID);
}

if(isset($_POST['PHPSESSID'])){
$PHPSESSID=$_POST['PHPSESSID'];
session_id($PHPSESSID);
}

session_start();
define('PHPSESSID',session_id());

print_r($_SESSION);
print_r($_POST);
print PHPSESSID."\n";
?>

/** The Java applet and the CLI script both use this method, which
basically opens a page and sends the request of PHPSESSID=... */
public static InputStream postToURL(URL postURL, String post)
throws IOException{
URLConnection connect = postURL.openConnection();
connect.setDoOutput(true);
connect.setUseCaches(false);

OutputStreamWriter fwdOut = new
OutputStreamWriter(connect.getOutputStream());
fwdOut.write(post);
fwdOut.flush();
fwdOut.close();

return connect.getInputStream();
}

session
Session Support enabled
Registered save handlers files user
Registered serializer handlers php php_binary wddx

Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 0 0
session.hash_bits_per_character 4 4
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /var/lib/php5 /var/lib/php5
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid 0 0

Lee wrote:

Yes, I am using the CLI for a simple Java program instead of an applet
for now. It should not change which php.ini file is being used.
Below all this is what phpinfo shows under the session heading from
the browser when I call phpinfo().

<?
// this is the PHP target page

if(isset($_GET['PHPSESSID'])){
$PHPSESSID=$_GET['PHPSESSID'];
session_id($PHPSESSID);
}

if(isset($_POST['PHPSESSID'])){
$PHPSESSID=$_POST['PHPSESSID'];
session_id($PHPSESSID);
}

session_start();
define('PHPSESSID',session_id());

print_r($_SESSION);
print_r($_POST);
print PHPSESSID."\n";
?>

Offhand I'd say it looks OK. I don't think you should be checking the
$_POST if $_GET works (and personally I'd do it the other way around).
But I don't think it will cause this problem.

Also, what do you get if you print_r($_COOKIES); ?

/** The Java applet and the CLI script both use this method, which
basically opens a page and sends the request of PHPSESSID=... */
public static InputStream postToURL(URL postURL, String post)
throws IOException{
URLConnection connect = postURL.openConnection();
connect.setDoOutput(true);
connect.setUseCaches(false);

OutputStreamWriter fwdOut = new
OutputStreamWriter(connect.getOutputStream());
fwdOut.write(post);
fwdOut.flush();
fwdOut.close();

return connect.getInputStream();
}

OK, this isn't going to send the correct headers to get the id to the
PHP script. You need to follow up in the Java newsgroups to send the
information in the necessary format.

>
session
Session Support enabled
Registered save handlers files user
Registered serializer handlers php php_binary wddx

Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 0 0
session.hash_bits_per_character 4 4
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /var/lib/php5 /var/lib/php5
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid 0 0

session.save_path is generally /tmp on Unix and a temporary directory
(i.e. c:/temp) on Windows. But it shouldn't cause this problem.

But I don't see any problems with your settings. I really think what's
being sent by your applet is incorrect. But I can't explain why it's
causing the symptoms you're seeing.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Thank you for looking over everything. I'll try the Java forums and
see about header information. Thanks!

I went and looked into Java headers and other miscellaneous Java
topics but our group is quickly learning that there is no way for Java
to directly access the PHP session variables on the server.
That is to say, there is a place in the PHP files that starts a
session and there is one place that loads in the session variables;
however, there is no place in the PHP code that sets $_SESSION to an
empty array, which is what is happening.
The session id has been working perfectly. The only problem is that
somehow the connection that Java causes $_SESSION=array();. Setting
$_SESSION to an empty array is nowhere in my code which leads me to
think that this is only a PHP problem.
What are some plausible reasons that the array would be reset to empty?

Lee wrote:

I went and looked into Java headers and other miscellaneous Java
topics but our group is quickly learning that there is no way for Java
to directly access the PHP session variables on the server.
That is to say, there is a place in the PHP files that starts a
session and there is one place that loads in the session variables;
however, there is no place in the PHP code that sets $_SESSION to an
empty array, which is what is happening.
The session id has been working perfectly. The only problem is that
somehow the connection that Java causes $_SESSION=array();. Setting
$_SESSION to an empty array is nowhere in my code which leads me to
think that this is only a PHP problem.
What are some plausible reasons that the array would be reset to empty?

No, there is no way for Java to access the PHP session data directly.
If you use a database for the session data, Java may be able to
interpret it by reading the database, but otherwise it's quite difficult
(you can probably make it work on a specific server, but it wouldn't
necessarily be transportable to a different server).

The problem here is - I don't know of anywhere PHP would set the session
data to an empty array. It either creates the session if the session
doesn't exist, or uses the data that's already there. This is quite
puzzling.

What did you find about sending the correct header information from the
applet to the PHP page?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

No, there is no way for Java to access the PHP session data directly.
If you use a database for the session data, Java may be able to
interpret it by reading the database, but otherwise it's quite difficult
(you can probably make it work on a specific server, but it wouldn't
necessarily be transportable to a different server).

The problem here is - I don't know of anywhere PHP would set the session
data to an empty array. It either creates the session if the session
doesn't exist, or uses the data that's already there. This is quite
puzzling.

What did you find about sending the correct header information from the
applet to the PHP page?

We're still looking into this, and I'm not sure what to say yet... I
am just glad that you are helping me so far.
Our Java programmer has not found anything wrong with the headers so
far. Apparently the method we are using is a very standard method for
connecting to a site and performing a request.
What I am wondering right now is if the session is being reset
somehow--like if session_start decides to restart instead of continue
a session for some reason. Is there a way to test that?

On Wed, 04 Jun 2008 23:50:55 +0200, Lee <ls****@gmail.comwrote:

>

>No, there is no way for Java to access the PHP session data directly.
If you use a database for the session data, Java may be able to
interpret it by reading the database, but otherwise it's quite difficult
(you can probably make it work on a specific server, but it wouldn't
necessarily be transportable to a different server).

The problem here is - I don't know of anywhere PHP would set the session
data to an empty array. It either creates the session if the session
doesn't exist, or uses the data that's already there. This is quite
puzzling.

What did you find about sending the correct header information from the
applet to the PHP page?

We're still looking into this, and I'm not sure what to say yet... I
am just glad that you are helping me so far.
Our Java programmer has not found anything wrong with the headers so
far. Apparently the method we are using is a very standard method for
connecting to a site and performing a request.
What I am wondering right now is if the session is being reset
somehow--like if session_start decides to restart instead of continue
a session for some reason. Is there a way to test that?

Define your own session handler with session_set_save_handler(), end get
full control (including of course, logging :) ) over everything you
session does. If you've never written one, keep in mind race conditions,
or use one you can find on the net that has proven itself.

Be warned, the simple example given in the function description in the
manual is just an example, and not suitable for any real use. It's not
exactly how the default handler works, and it's a fest of logical errors
waiting to happen.
--
Rik Wasmus
....spamrun finished

Lee wrote:

>No, there is no way for Java to access the PHP session data directly.
If you use a database for the session data, Java may be able to
interpret it by reading the database, but otherwise it's quite difficult
(you can probably make it work on a specific server, but it wouldn't
necessarily be transportable to a different server).

The problem here is - I don't know of anywhere PHP would set the session
data to an empty array. It either creates the session if the session
doesn't exist, or uses the data that's already there. This is quite
puzzling.

What did you find about sending the correct header information from the
applet to the PHP page?

We're still looking into this, and I'm not sure what to say yet... I
am just glad that you are helping me so far.
Our Java programmer has not found anything wrong with the headers so
far. Apparently the method we are using is a very standard method for
connecting to a site and performing a request.
What I am wondering right now is if the session is being reset
somehow--like if session_start decides to restart instead of continue
a session for some reason. Is there a way to test that?

Yes, I've seen a lot of "very standard methods...". But the question is
- are you POSTing the data correctly? That is much different than just
getting a page!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Finally, I have fixed the bug by disabling the module php5-suhosin.
Suhosin has features that add onto the security of sessioning by
clearing the session array if a different program uses the same
sessionid.
In my case, the applet and Firefox were using the same sessionid.
Whenever the applet connected, suhosin reset the session array. I
started figuring this out when I tried to use the same sessionid for
both Firefox and Internet Explorer, and the session array was emptied
when the second browser connected.

I hope this helps someone.

Lee wrote:

Finally, I have fixed the bug by disabling the module php5-suhosin.
Suhosin has features that add onto the security of sessioning by
clearing the session array if a different program uses the same
sessionid.
In my case, the applet and Firefox were using the same sessionid.
Whenever the applet connected, suhosin reset the session array. I
started figuring this out when I tried to use the same sessionid for
both Firefox and Internet Explorer, and the session array was emptied
when the second browser connected.

I hope this helps someone.

It's certainly pretty damned ineteresting and filed for future reference.

Lee wrote:

Finally, I have fixed the bug by disabling the module php5-suhosin.
Suhosin has features that add onto the security of sessioning by
clearing the session array if a different program uses the same
sessionid.
In my case, the applet and Firefox were using the same sessionid.
Whenever the applet connected, suhosin reset the session array. I
started figuring this out when I tried to use the same sessionid for
both Firefox and Internet Explorer, and the session array was emptied
when the second browser connected.

I hope this helps someone.

Very interesting.

It would, of course, helped to tell us you were using suhosin. However,
at the same time, I can understand why you didn't mention it in the
first place. It wouldn't have occurred to me at the outset, either.

A good one to remember :-)

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================