php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #43579 sessions time out on 5.2.5
Submitted: 2007-12-12 10:53 UTC Modified: 2008-03-28 01:00 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: assid at assid dot com Assigned: jani (profile)
Status: No Feedback Package: Session related
PHP Version: 5.2.5 OS: Debian etch
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: assid at assid dot com
New email:
PHP Version: OS:

 

 [2007-12-12 10:53 UTC] assid at assid dot com
Description:
------------
I tried upgrading to php 5.2.5 from 5.2.4 and ever since i did that my sessions have been acting strange. It seems most noticable using squirrelmail. Downgrading back to 5.2.4 seems to have fixed this issue, so its definitely something on how 5.2.5 handles sessions


Reproduce code:
---------------
http://spherelinx.com/phpinfo.php
http://assid.pastebin.com/f7ba83639 <-- yes i know certain configure options have been deprecated.  but using the same config.nice for both

Expected result:
----------------
session management similar to 5.2.4 where it doesnt just timeout for no apparent reason.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-02-11 03:45 UTC] jsnyxx at gmail dot com
We've found similar problems -- see our report here:

http://xcache.lighttpd.net/ticket/163

(We initially thought that it was Xcache, but that doesn't seem to be the case now).
 [2008-02-24 19:16 UTC] assid at assid dot com
I decided to try and give php5.2-200802241730 a try to see perhaps if the bug is know and rectified.

I know still have the session time outs, except now its worse. Instead of being able to continue after clicking on the folder on the left side, it now logs out totally, effectively destroying the session.
 [2008-02-24 20:10 UTC] jani@php.net
Please provide a short reproducing script.
 [2008-02-24 20:23 UTC] assid at assid dot com
The problem is I didnt make squirrelmail. So i am not sure of what i can provide as the reproducable script. I am using the current stable release.

I wanted to give something else to my users in the meantime, so i tried horde, and well, that seems to have session timeout issues as well.
 [2008-02-25 01:28 UTC] rasmus@php.net
Many people, including myself, are running SquirrelMail quite fine on 5.2.5 without any sort of session problems.  The fact that it also happens in other applications points to a general problem on your end.  Sessions are really simple.  There are 3 parts to an active session.

1. Your browser sends a session cookie
2. The PHP script that receives the cookie calls session_start()
3. session_start() reads the session data from the session data

So, to debug this, look at each part.  Install something like the LiveHTTPHeaders Firefox extension and make sure the cookie is being sent.  Second, make sure there is a session_start() call in the receiving code.  And third, check to make sure that the session data is in the session data store.  If you are using the file-based session store, match the session cookie to the session filename and watch it as you click around.  Does it suddenly disappear?  If so, figure out why.  

Also check all your session.* settings and if you have multiple servers behind any sort of load balancer, a per-server file-based session store obviously won't work.  NFS-based stuff can also cause problems for a file-based session store.

You can also write your own very simple trivial session test to verify that sessions are working at all on your setup.
 [2008-02-25 08:30 UTC] assid at assid dot com
okay here you go, 5 hours of sleep helped a bit.

http://spherelinx.com/session.php
Now refresh this slowly (i mean one F5 per second or 2 seconds), till you hit something like 8-10.

Now press F5 rapidly (dont hold), like 5-8 times. You end up with a new counter. 

Refresh this counter slowly, and again repeat the above step. Sometimes you get it to go back to the older counter.

reproduce code: http://spherelinx.com/session.phps
phpinfo - http://spherelinx.com/phpinfo.php

From my guess, session_name fails or causes some kind of glitch
 [2008-02-25 13:12 UTC] assid at assid dot com
With regards to session files and squirrelmail

I checked the part that you told me. The headers look exactly the same. Sometimes I get the session kicking me out. The headers during which, looks exactly the same as the ones when it doesnt kick me out. However, sometimes i just rightclick in that frame and reload frame and it works, or i click on any of the available imap folders on the left side.

During the time it kicks me out, the session file still exists, would explain WHY i can still continue using AFTER that. 

from my previous test and this into consideration, i would GUESS its something to do with session generation / session file handling or something related to this.
 [2008-02-25 14:23 UTC] assid at assid dot com
I have to downgrade to 5.2.4, as this is a production box. Please let me know when you are available, and I will load the necessary module at that moment.

I am also available on IRC / freenode as Assid
 [2008-02-26 08:02 UTC] jsnyxx at gmail dot com
Rasmus -- verified that this issue (PHP session being randomly lost) is also occurring for us on php 5.2.5 but not php 5.2.4 on our Linux Centos 4.4 box.

Please also see here for our own reproduce code:

http://xcache.lighttpd.net/ticket/163
 [2008-02-26 08:27 UTC] assid at assid dot com
Hrm, strange, i dont use xcache. But yeah session integrity is messed up.

Looks like we gotta wait for 5.2.6 and hope the developers fixed that bug. It does seem php5.2-200802241730  is still not done, as a matter of fact, the session file in -dev seems to disappear, whereas atleast in 5.2.5 it remains. (very little testing in -dev btw). So its gone from bad to worse.

- Data integrity ? -
Another important note, is that phpmyadmin acts super strange as well. The css i believe is generated on the fly, that goes awry and sql queries start yielding no results. I am not sure if this is session related. or not!
 [2008-02-26 09:11 UTC] rasmus@php.net
There is only a single trivial change to the session extension between 5.2.4 and 5.2.5 and it was to fix http://bugs.php.net/42596

The change is here:

http://cvs.php.net/viewvc.cgi/php-src/ext/session/mod_files.c?r1=1.100.2.3.2.9&r2=1.100.2.3.2.10&pathrev=PHP_5_2&diff_format=u

I don't see how this change could have caused these problems.  Could you please verify that 5.2.4 works under the exact same conditions that 5.2.5 doesn't work?  That is, on the same machine, built the same way and running the same code.
 [2008-02-26 09:32 UTC] assid at assid dot com
Yes, same machine, same everything. Even phpmyadmin dies on me. I just had to move it back. I can apachectl stop; make install; apachectl start ; whenever your online. 

Since its a production box, i need functionality to work fine, so i moved it back down to 5.2.4

As I said i am available on freenode as Assid
 [2008-02-27 08:19 UTC] jsnyxx at gmail dot com
Hi Rasmus 


Yes, we can confirm that nothing changed on the box apart from php 5.2.4 -> 5.2.5.

We found it easier to reproduce the bug once XCache was installed, but the bug still exists even when we remove Xcache, it's just more intermitment. The developer of Xcache thinks this is related to a heap corruption of some sort. See here: http://forum.lighttpd.net/topic/42805

The issue for us seems to be that even though the session file exists on the server (under a private /sessions directory), at some point when the browser sends the cookie with the PHPSESSID header, the server seems to temporarily "lose" the information stored in the session file and returns a blank _$SESSION variable. However, after a few more refreshes it provides the correct info from the $_SESSION variable again.
 [2008-02-28 06:07 UTC] rasmus@php.net
4 different people on our end have tried to reproduce this without any success.  And no, those memory issues you refer to have nothing to do with this since they were fixed long before that snapshot you tried.

At this point you'll need to dig in yourself.  Fire up Valgrind and see if you can spot what might be causing the corruption.  It could be in some extension that we don't have in any of our environments here.  It definitely isn't the session code itself, so it is impossible to diagnose without more information.
 [2008-02-28 09:20 UTC] assid at assid dot com
Any suggestions on the options / how to use valgrind without learning the whole thing. Perhaps the cli cmd to run ?

I am starting to think this isnt limited to session related. phpMyAdmin as i mentioned starts acting very very strangely here. Due to the lack of knowledge of valgrind, i can try and see if i can try removing an extension to see if it makes any difference, while retaining atleast the basic ones that i DO need. 

If i can get the valgrind options (exact cli commands ) to use, that would be great.
 [2008-02-28 10:54 UTC] assid at assid dot com
Still trying to remove more extensions and test. Rasmus, I have sent you a private email with 2 links to video files, which shows the phpmyadmin bugs. It seems the bugs faced are infact more indepth as you suggested.

I do apologize for private mailing btw., but since they are links to videos, I didnt want to post them in public.
 [2008-02-28 11:40 UTC] assid at assid dot com
Okay ran valgrind (as far as i can understand it)
http://assid.com/valgrind.txt

I have removed some extensions as i was still testing, but to no success.

I hope the log proves useful to you.
 [2008-02-28 17:52 UTC] rasmus@php.net
The libdl stuff can be ignored, so that looks like a clean valgrind run.  But, are you sure the problem happens on the command line?  I'd run the entire apache -X through valgrind.  You'd need to do it on a quiet machine somewhere that isn't getting hit, of course, so you can control the requests you send to it while valgrind is running.  Hit it until you see the problem, then stop and show us that valgrind output from that.
 [2008-02-28 18:13 UTC] assid at assid dot com
this will be difficult, we provide shared hosting on this box, and will be difficult to just shut it down for that period of time. but lets see what i can do.

Can you tell me how exactly do i put the whole apache process through valgrind ?
 [2008-03-01 02:34 UTC] assid at assid dot com
Okay, finally found out how to do valgrind with apache :P

During valgrind, phpmyadmin was behaving properly, squirrelmail as i mentioned in my previous post is erratic, but it normally takes time to crash, once it does, then it happens more frequently.

I later tried the session script as spherelinx.com/session.php (check phps)

This counter was working fine here again. 

I then decided to visit alternate sites on the server perhaps to create more session files.

I visited www.equineindia.com, and then i started hitting on session.php again, voila! session counter was reset to 0

I tried to see if i could simulate more of the sessions disappearing etc, like it going back to the original counter, but it didnt go, (normally you keep hitting refresh, you just might get back). I guess i should have tried more, but the day was just beginning and had to let the public in once again. So i decided, we atleast got the basics of what was causing this, and atleast report this.

The valgrind log is available at: http://assid.com/apache1.log

Btw: yes apc , and fileinfo from pecl were disabled before I did this.

the main page of equineindia refreshes to login.php ; please visit login.phps for the source of the same.

Interestingly, the leak summary shows alot of leakage BTW.
 [2008-03-01 02:36 UTC] assid at assid dot com
err sorry, session counter reset to 1 on refresh on the previous post.
 [2008-03-01 21:56 UTC] sv4php at fmethod dot com
I had the chance to test this issue with Assid on his server and we were able to more accurately pin point the issue:

1) the sessions don't time out, instead we're talking about session_name() selectively being ignored (which results in two session cookies, and hence sessions, created)

2) the issue seems to only happen on PHP 5.2.5 without --enable-debug. On 5.2.4 it doesn't happen, on 5.2.5 with --enable-debug we couldn't repro, but this needs more testing.

3) the issue may be hardware/configuration dependent (32-64 bit? OS distro? I don't have those details, Assid could provide them). The Apache server on the tested configuration runs in prefork mode, so it can't be a threading race condition (as far as I know).

4) we reverted the patch for bug http://bugs.php.net/42596 and recompiled 5.2.5 but still were able to reproduce the issue. Since this is the only change in the session module between 5.2.4 and 5.2.5, I have to conclude the issue is related to some other code (somehow..).

Description of the reproduce steps.

We have userA and userB on different machines, IP-s. They both are given the url to the example with the counter as Assid provided it. Notice the example uses session_name('spheretest'). 

If a userA refreshes the page alone, he gains session cookie 'spheretest' and the counter works normally.

If userB refreshed the page, userA gains a new cookie 'PHPSESSID' and a new session. After userA refreshes few more times, PHP gets back to using the previous 'spheretest' session/cookie.

We tested if the issue is related to prematurely starting session *before* the session_name() call. But no, session_id is never defined before the session_name() call.
 [2008-03-03 12:40 UTC] jsnyxx at gmail dot com
sv4php - have you tried reverting the patch made in the ext/session/mod_files.c?

Just an idea but this bug (#42596 (session.save_path MODE option does not work)) was fixed in between the PHP 5.2.4 and 5.2.5 releases.

Link is here for patch diff:

http://cvs.php.net/viewvc.cgi/php-src/ext/session/mod_files.c?r1=1.100.2.3.2.9&r2=1.100.2.3.2.10&pathrev=PHP_5_2
 [2008-03-03 17:31 UTC] assid at assid dot com
It seems whenever I run http://assid.com/session.php (source - http://assid.com/session.phps), if i refresh enough number of times and at odd times, i end up with a new session of PHPSESSID (it also jumps back and forth). I am trying to figure out WHY its starting that session, when the script EXPLICITLY has a session name set to spheretest

Maybe that can help us pinpoint what to check?
 [2008-03-03 17:32 UTC] assid at assid dot com
Yes, I reversed it back, but it didnt help  (seeing the diff in the patch).
 [2008-03-03 23:18 UTC] stas@php.net
While doing valgrind I'd also recommend setting USE_ZEND_ALLOC=0 in the environment. That would make the engine use only mallocs which would provide much more information to the valgrind.
 [2008-03-08 20:31 UTC] assid at assid dot com
Actually my original log did contain that.

Nevertheless, here you go again
i ran 2 rounds

www.assid.com/apache.log
www.assid.com/apache5.log

Hope its helpful. Back to php 5.2.4 for now :|
 [2008-03-13 13:27 UTC] jani@php.net
Are you by any chance using php_admin_value/php_value/etc. in some .htaccess file or in your httpd.conf to set any php.ini options?
 [2008-03-14 09:35 UTC] assid at assid dot com
Yes the assid.com domain has  the following in the vhost
php_admin_value open_basedir /home/assid:/var/shared:/var/stats:/tmp

The other vhosts on the server have similar as well.

The other domain: equineindia.com (that uses the login/logout function), has the following:

        php_admin_value session.gc_maxlifetime 10800
        php_admin_value asp_tags 1
        php_admin_value max_execution_time 90
        php_admin_value session.name eisessid
        php_admin_value session.auto_start 1
        php_admin_value session.cookie_domain .equineindia.com
        php_admin_value short_open_tag 1


What i did notice, is that if you want to "trigger" the bug, you refresh a few times on assid.com/session.php, then go to http://www.equineindia.com/login.php and then click login again, then go back to the counter (assid.com/session.php) this somehow makes the bug "easier" to reproduce. Atleast when running valgrind.

When running generally, you just keep refreshing and the bug is triggered.
 [2008-03-17 00:43 UTC] jani@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows (zip):
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.2-win32-installer-latest.msi

A fix for another bug (related to php_admin_value / php_value) was just fixed, and I'm guessing it's causing this session issue as well. So please, try the snapshot!
 [2008-03-19 21:14 UTC] assid at assid dot com
Okay i have tried the current release php5.2-200803191930, as of now, it seems good, I will waitfor a day or 2 to see what my users say. Will update here as soon as I get a response.
 [2008-03-21 00:34 UTC] jani@php.net
Let's keep this in feedback status until that then. I'd expect this to having been fixed by the fix for bug #43677. 
 [2008-03-28 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Wed Dec 07 00:03:19 2022 UTC