
PHP Sessions Expiring Unexpectedly

Tags: php, session

I'm at a loss here. I've got a specific group of users upstairs whose sessions seem to expire completely randomly. It's not just when they leave the site sitting for a while, it can expire while they're browsing around. For me and most of our users everything works just fine. It's not a browser issue, we've got people in FF and all IE versions that both function correctly, and people in FF and IE that don't work.

My gc_maxlifetime is at 43200 and the garbage collection is a crazy low 1/1000 (not that that should matter). Is it possible there's something else running on the server that's randomly deleting some of our sessions? What should I check? That still wouldn't explain why only this specific group seems to be affected.

I have a few Session settings that are different from the default:

session.gc_maxlifetime = 43200
session.gc_divisor = 1000
session.save_path = /var/lib/php/session
session.use_only_cookies = Off
session.bug_compat_42 = Off

The first three I'm not worried about, but could the last two be causing this behavior? I don't actually ever send cookies through the URL, so I have no good reason for having use_only_cookies off. I have no guarantees that the misfits who made this app before I got here didn't exploit the bug_compat_42 thing to set session variables, but again, I would expect an issue with that to be less random.

Edit:

On further investigation, I've found that the Session is not being destroyed at all, but the end-user is getting a new session ID. The old session still exists intact on the server, but a new one is randomly started while they're browsing.

asked May 27 '09 15:05

Matt Brunmeier


4 Answers

The issue here turns out to be that their browser was setting the session cookie to expire prematurely. I've solved the issue with this dirty, dirty hack that you should never have to use, ever. I'm not proud of this, but if this shines some light on anything feel free to let me in:

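// Re-issue the existing session cookie with an explicit 12-hour expiry
// (43200 s, the same value as session.gc_maxlifetime).
if (!headers_sent()) {
    // !empty() avoids an undefined-index notice when no session cookie was sent
    if (!empty($_COOKIE["PHPSESSID"])) {
        setcookie("PHPSESSID", $_COOKIE["PHPSESSID"], time()+43200, "/", ".mydomain.com");
    }
}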

answered Nov 09 '22 05:11

Matt Brunmeier
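
The hack in the answer above calls setcookie() without the secure and httponly arguments, so the cookie it writes carries neither flag, and it echoes back whatever PHPSESSID value the client sent. The following is an added example, not code from the original post: it assumes PHP 7.3+ and an HTTPS site, and uses hypothetical helper names (session_cookie_refresh_options, refresh_session_cookie) to do the same sliding refresh from PHP's own session parameters.

```php
<?php
// Added example: hypothetical helpers, not code from the original answer.
// Requires PHP 7.3+ for the options-array form of setcookie().

/**
 * Build the options for re-issuing the session cookie with a sliding expiry,
 * starting from the parameters PHP already uses for the session cookie so
 * that Secure and SameSite are not dropped on the re-issued copy.
 */
function session_cookie_refresh_options(array $params, int $lifetime, int $now): array
{
    $options = [
        'expires'  => $now + $lifetime,
        'path'     => $params['path'] ?: '/',
        'domain'   => $params['domain'],
        'secure'   => (bool) $params['secure'],
        'httponly' => true, // the session ID never needs to be readable from JavaScript
    ];
    if (!empty($params['samesite'])) {
        $options['samesite'] = $params['samesite'];
    }
    return $options;
}

function refresh_session_cookie(int $lifetime): bool
{
    // Only refresh for a session PHP actually loaded; never echo back an
    // arbitrary client-supplied cookie value.
    if (headers_sent() || session_status() !== PHP_SESSION_ACTIVE) {
        return false;
    }
    $options = session_cookie_refresh_options(session_get_cookie_params(), $lifetime, time());
    return setcookie(session_name(), session_id(), $options);
}

// Usage, with the values from the question and answer (43200 s, .mydomain.com):
session_set_cookie_params([
    'lifetime' => 43200,
    'path'     => '/',
    'domain'   => '.mydomain.com',
    'secure'   => true,  // assumption: the site is served over HTTPS
    'httponly' => true,
    'samesite' => 'Lax', // assumption: no cross-site POSTs need the session
]);
session_start();
refresh_session_cookie(43200);
```

Comparing the Set-Cookie header this produces with the one the affected browsers store shows whether the expiry or the flags are being altered in transit.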


I would install some HTTP sniffer like HttpWatch (paid but worth every penny) or Fiddler (free) on those machines and see what's going on with the session cookies (I think it's PHPSESSID, but not sure). If the cookie is being deleted or changed in the middle of the session because of proxies, weird Apache configuration or something, this would be the best way to detect it.

answered Nov 09 '22 04:11

alves


Can you provide a little more information about your setup?

My first thought would be that there is something randomly cleaning out your temporary files directory. If you're using a standard LAMP setup, PHP will be storing the session data files in /tmp. If they're getting deleted from there by a cleaning process, you'd lose your sessions.

Edit: I'm re-thinking this now. If only a specific group of users is affected, that makes it much less likely.

How about cookie settings? I'd make sure that these people aren't using something like a dynamic proxy, and that your cookies are being set for the root domain of your site. Is it possible they might have some privacy-cleaning software such as CCleaner set up as a scheduled task that might be removing their cookies?

I'd get up there on one of their computers and throw Firebug onto one of the Firefox machines and examine the HTTP requests to see if the cookies are being sent properly.

answered Nov 09 '22 06:11

zombat


I know this is late, but this is for anyone who is having the same problem.

[If you encrypt and decrypt your data]

I ran into this issue and it took me a while to figure out what the problem was. It kept creating a new session ID for the same user. It turns out that the encrypted data and the decrypted data were not the same. The decrypted data came back with some additional whitespace. Try checking your data value when it is sent to and returned from the database or whatever storage you are using.

answered Nov 09 '22 04:11

AFwcxx