Bug #35602 Session timeout garbage collection bug
Submitted: 2005-12-08 17:25 UTC Modified: 2005-12-08 18:23 UTC
Votes:17
Avg. Score:4.1 ± 1.1
Reproduced:14 of 14 (100.0%)
Same Version:8 (57.1%)
Same OS:8 (57.1%)
From: php at tomarq dot co dot uk Assigned: sas (profile)
Status: Wont fix Package: Session related
PHP Version: 4.4.1 OS: all
Private report: No CVE-ID: None

 [2005-12-08 17:25 UTC] php at tomarq dot co dot uk
Description:
------------
Within the session_start function, the session garbage collection is performed after reading the session information.

This is the case across all versions of PHP that I have looked at (4.3.10, 4.4.1, 5.1.1).

If the garbage collection is set to always run (100/100) and a session has expired with no other script executions in the meantime, then session_start will load the session data, and *then* expire the session for the following script execution.

The garbage collection should delete the expired session file before trying to load any sessions.

Note that this issue leads to the data we have in our session on run 2 being destroyed, even though the time till our next script execution is only ~5 seconds (well under our gc_maxlifetime of 10 seconds).

Reproduce code:
---------------
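<?php
    // Run this code with gc_maxlifetime = 10
    // and gc_probability and gc_divisor of 100,
    // also making sure that no other PHP scripts
    // are run while the test takes place.

    header("content-type: text/plain");

    // Loads the session data first; garbage collection runs afterwards.
    session_start();

    echo "Current: ".date('l dS \of F Y h:i:s A')."\n";
    // isset() avoids an undefined-index notice when no timestamp is stored yet.
    echo "Before : ".(isset($_SESSION['ts']) ? $_SESSION['ts'] : '')."\n";

    // Store a timestamp only if the session does not already carry one.
    if (!isset($_SESSION['ts'])) $_SESSION['ts'] = date('l dS \of F Y h:i:s A');

    echo "After  : ".$_SESSION['ts']."\n";
?>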


Expected result:
----------------
-- Run 1 --
Current: Thursday 08th of December 2005 04:09:58 PM
Before : 
After  : Thursday 08th of December 2005 04:09:58 PM

-- Run 2 -- (15 seconds later)
Current: Thursday 08th of December 2005 04:10:13 PM
Before : 
After  : Thursday 08th of December 2005 04:10:13 PM

-- Run 3 -- (5 seconds later)
Current: Thursday 08th of December 2005 04:10:18 PM
Before : Thursday 08th of December 2005 04:10:13 PM
After  : Thursday 08th of December 2005 04:10:13 PM

Actual result:
--------------
-- Run 1 --
Current: Thursday 08th of December 2005 04:09:58 PM
Before : 
After  : Thursday 08th of December 2005 04:09:58 PM

-- Run 2 -- (15 seconds later)
Current: Thursday 08th of December 2005 04:10:13 PM
Before : Thursday 08th of December 2005 04:09:58 PM
After  : Thursday 08th of December 2005 04:09:58 PM

-- Run 3 -- (5 seconds later)
Current: Thursday 08th of December 2005 04:10:18 PM
Before : 
After  : Thursday 08th of December 2005 04:10:18 PM

 [2005-12-08 18:05 UTC] sniper@php.net
Too late to change this. It works fine as it is.
 [2005-12-08 18:17 UTC] php at tomarq dot co dot uk
It does not work fine - hence the bug submission.

It only works "fine" on servers with a high load where concurrent php scripts effectively clear each other's expired sessions by the running of their garbage collector.

When there aren't so many scripts running, and so garbage collection doesn't occur as often, a script can be run... have its session data fetched... perform garbage collection ... and then lose any data that is put into the session from that point on - which is a BUG.

Scripts suddenly losing their session data because of this bug is not "working fine".
 [2005-12-08 18:23 UTC] iliaa@php.net
The best solution in your case is to deploy a cron job that would run periodically and remove all old sessions. 
 [2018-04-17 07:55 UTC] robert dot schneider at colop dot co dot at
Related bug report: https://bugs.php.net/bug.php?id=35479

Please re-open it.
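
An application-level idle check for the behaviour reported above, where session_start() still loads a session that is past gc_maxlifetime. This is an added example, not code from the report or from PHP itself; it assumes PHP 7.1 or later, and `IDLE_LIMIT`, `TS_KEY` and both function names are hypothetical.

```php
<?php
// Added example, not part of the bug report. Assumes PHP >= 7.1.
// IDLE_LIMIT mirrors the gc_maxlifetime of 10 seconds used in the report's test.
const IDLE_LIMIT = 10;          // seconds; hypothetical application setting
const TS_KEY     = '_last_seen'; // hypothetical session key for the last request time

/**
 * Decide whether a session last used at $lastSeen is past its idle limit at $now.
 * A missing timestamp counts as stale, so untracked session data is not trusted.
 */
function session_is_stale(?int $lastSeen, int $now, int $limit = IDLE_LIMIT): bool
{
    return $lastSeen === null || ($now - $lastSeen) > $limit;
}

/**
 * Drop-in replacement for the bare session_start() call in the reproduce code.
 * The idle timeout is enforced here on every request instead of being left to
 * the garbage collector, which the report shows running only after the read.
 */
function start_session_with_idle_timeout(): void
{
    session_start(); // may hand back data that is already older than the limit

    $now  = time();
    $last = isset($_SESSION[TS_KEY]) ? (int) $_SESSION[TS_KEY] : null;

    if ($_SESSION !== [] && session_is_stale($last, $now)) {
        // Discard what was loaded and switch to a fresh session ID. Data set
        // later in this request is then stored under the new ID rather than
        // under the expired one that garbage collection is about to remove.
        $_SESSION = [];
        session_regenerate_id(true); // true: also delete the old session's storage
    }

    // Record this request so the next one can measure the idle time.
    $_SESSION[TS_KEY] = $now;
}

start_session_with_idle_timeout();

// From here on the script behaves like the reproduce code: 'ts' is absent
// after an idle period longer than IDLE_LIMIT and is kept otherwise.
if (!isset($_SESSION['ts'])) {
    $_SESSION['ts'] = date('l dS \of F Y h:i:s A');
}
```

With this check in place, removal of old session files (by garbage collection or by the cron job suggested above) only reclaims storage and no longer decides whether a session is accepted.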
 
Last updated: Sat Apr 20 03:01:28 2024 UTC