Session being lost after multiple (cancelled) POST requests

We're using an external Ubuntu server w/ Memcached for our session storage. Since we changed over from database sessions, we've had random complaints from users who are being logged out.

The issue:

  1. Users are being logged out before their session should expire. In some cases, they are being logged out a minute or two after they've logged in.
  2. No errors are appearing in our web server logs or our Memcached logs.
  3. Their session ID remains the same after they've been logged out.

Today, one of our users stumbled upon a way to reproduce the behavior. On a page that allows them to set a custom date range, they were repeatedly pressing a "previous day" button that sends off a POST request with each click. For example, if you click said button 20 times, it'll send off 20 POST requests, 19 of which will be cancelled before the last one is completed successfully. As soon as the final request is completed, it seems as though all of the session variables are lost.

My php.ini (CGI) settings:

session.save_handler = memcache
session.save_path = "tcp://OURSERVERIP:11211?persistent=1&weight=1&timeout=1&retry_interval=15"

Note: The POST request is loading an iframe on the same domain.

Update: Also seem to be getting an issue with users being logged in as one another. Session ID conflict?

Wayne Whitty asked Jun 26 '26 05:06


2 Answers

I have done some research about all the stuff you posted and here are some pinned points:

Session ID collision

According to this article there are 37^31 distinct session IDs. According to the birthday paradox you would need 2E24 sessions to have a 50% chance that there is a pair that collides. You can see that the chance is extremely low, but possible. The chances are a bit increased if you, for example, store session IDs in a database and then hand them over later to the user such that they could use the same session ID for a year or even longer.

Multiple simultaneous session requests

At this point I am not sure if the "previous day" button sends an ajax request such that the user can click it many times in a row without waiting for the result, or if he needs to wait for (at least a partial) page load to click the button again in the newly loaded page. In the first case it could happen that packets get scrambled on the internet and the request that was sent last would arrive sooner than the other requests. Now what happens when two requests arrive at once? According to this SO question the session data is locked until (usually) the script finishes execution. This causes multiple requests to pile up in a queue, so it should be safe and it wouldn't cause losing the session.

Script time-specific weakness

This is the last major point and, according to your info, I believe this is the cause of your session loss. It depends how your server is implemented, but what happens if the 10th "previous day" request arrives before the 5th? The second possible cause would be interrupting the page load. That wouldn't happen with an ajax load, but it would happen with a regular form. If you click "previous day" before the page has loaded (and is possibly still executing), your web browser interrupts the loading and requests the new page. The PHP script execution shall then be aborted. Now, according to session_write_close, the function is called whenever the script terminates, so in this case it is still session-safe. So where is the problem? Possibly in the script again. Imagine that your PHP script stops executing in the middle and instantly saves the session. What would happen? It depends. It depends how you handle the session, what you store in it, and when you store it. It could basically die at any line where output is added (echoed), because that's when it finds out that the client browser is no longer listening to the connection.

I believe this is the cause; I may be wrong because only you can see your code. I suggest you review the code and check what could happen if your script terminates early or receives requests out of order.

EDIT: I had forgotten to account for memcache. Unfortunately I know nothing about it, so some incorrect stuff is marked but not deleted from this answer, because the rest could still be the correct cause.

Kyborek answered Jun 27 '26 20:06
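The answer above reasons about two things at once: what happens when overlapping requests share one session, and the fact that the shutdown write (session_write_close) still runs for a request the browser has abandoned. The simulation below is an added example, not code from the thread or from either poster. It models a PHP-style save handler the way the answer describes it: every request reads the whole session blob at start and writes the whole blob back at shutdown. An in-memory dict is a constructed stand-in for the memcache server, the session ID is a constructed placeholder, and whether the handler holds a lock between read and write is the assumption being varied; which real handlers lock is handler-specific and is not something this thread establishes.

```python
"""Simulation of overlapping requests sharing one PHP-style session.

Constructed example: the dict stands in for the session backend and the
session ID is a placeholder. Each request reads the whole session at start
and writes the whole session back at shutdown, even if the client went away.
"""
import threading

SID = "constructed-session-id"  # placeholder, not a real session ID


class SessionStore:
    """Key/value backend holding one serialized blob per session ID."""

    def __init__(self, initial=None):
        self._blobs = {SID: dict(initial or {})}
        self._lock = threading.Lock()  # emulates a per-session lock held from read to write

    def read(self, sid):
        return dict(self._blobs.get(sid, {}))

    def write(self, sid, data):
        self._blobs[sid] = dict(data)

    @property
    def lock(self):
        return self._lock


def handle_request(store, sid, key, value, locking, barrier=None):
    """One request: read the session, set one variable, write the whole session back."""
    if locking:
        # A locking handler serializes read->write, so requests queue up
        # (the "pile up" the answer describes) and no write is lost.
        with store.lock:
            sess = store.read(sid)
            sess[key] = value
            store.write(sid, sess)
        return
    # Non-locking handler: the barriers force every request to finish its
    # read before any request writes, which is the worst-case interleaving.
    barrier.wait()
    sess = store.read(sid)
    barrier.wait()
    sess[key] = value
    store.write(sid, sess)


def run_overlapping_requests(n_requests, locking):
    """Run n overlapping requests on one logged-in session, each recording
    its own variable, and return the final session contents."""
    store = SessionStore({"user_id": 42})
    barrier = threading.Barrier(n_requests)
    threads = [
        threading.Thread(
            target=handle_request,
            args=(store, SID, f"click_{i}", i, locking, barrier),
        )
        for i in range(n_requests)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.read(SID)


def stale_write_after_login():
    """A request that started on an anonymous session is cancelled by the
    browser, but its shutdown write still lands after a later request logged
    the user in. Returns the final session: the login is gone although the
    session ID never changed, which is the symptom the question reports."""
    store = SessionStore({})
    snapshot = store.read(SID)         # request A: session_start() on an anonymous session
    login = store.read(SID)            # request B: login request starts
    login["user_id"] = 42
    store.write(SID, login)            # request B: user is now logged in
    snapshot["last_page"] = "/report"  # request A: browser cancelled it, but shutdown still runs
    store.write(SID, snapshot)         # request A: session_write_close writes the stale blob
    return store.read(SID)


if __name__ == "__main__":
    print("no locking :", run_overlapping_requests(5, locking=False))
    print("with lock  :", run_overlapping_requests(5, locking=True))
    print("stale write:", stale_write_after_login())
```

With five overlapping requests and no lock, only one of the five per-request variables survives because every request wrote back the blob it read before the others wrote; with the lock all five survive. The second scenario shows why "same session ID, but logged out" does not require a collision at all: one stale shutdown write from a cancelled request is enough. When reviewing the real code, the question to ask is what each request reads at start and whether anything it writes back at shutdown can predate a change made by a request that finished in between.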


From what you write I can distinguish two different problems:

  1. Users get logged out, but their session ID doesn't change.
  2. Session IDs of users change.

These might be different problems, or the same, I can't tell. The more serious problem is that people can get other people's session IDs. That's very weird.

If I interpret your question correctly, you're asking: "Do other people have similar problems with sessions on an Ubuntu server with Memcached?".

I'm sorry, no, I don't have that experience. Questions related to your source code cannot be answered, even though it might be the source of your problems. Especially the changing of the ID problem.

Have you seen this?

http://php.net/manual/en/memcached.sessions.php#115306

It doesn't sound exactly like your problem, but any bit of info can help.

As for my tips:

a: If you want to handle lots of traffic your server needs quite a bit of memory. Check how much free memory your server has over time, does it ever come close to zero? This will cause older sessions to get purged from MemCache and connection resets.

b: Check everything for 404 Not Found errors. Use the browsers console to check each page load. A 404 on an image or CSS file can reset the session causing sporadic session losses.

c: Make sure your session IDs are not regenerated. It can cause the problems you describe. (https://bugs.php.net/bug.php?id=61470&edit=1)

d: Try to put more source code in your question. Give people something to look at and to try out. If it gets too long, use something like http://ideone.com. I know this doesn't include your database or traffic load, but it might help us find your problem.

If you do solve your problem, please let us know.

KIKO Software answered Jun 27 '26 19:06

