on3lonestar Posted May 21, 2008

I had posted this question here: http://forums.devnetwork.net/viewtopic.php?f=1&t=82911 I haven't received any useful response yet. I have previously searched for hours for a solution. Someone please help. Here's the original query:

I have a site with a logout.php script like this:

```php
<?php
session_start();
session_unset();   // enough for FF
session_destroy(); // IE needs both unset and destroy
```

and the login.php script is more complicated:

```php
<?php
/***** Multi-step PHP session fixation fix *****/
session_start();
// We unset+destroy all session vars, and start over (log out, basically)
session_unset();   // enough for FF
session_destroy(); // IE needs both unset and destroy
session_start();
// Generate a new PHPSESSID to shrink the session hijack possibility
// of capture/prediction from fixation.
session_regenerate_id();
```

The problem is that, very consistently (once every 4-5 attempts), when I click on logout and try to login again, IE ends up having 2 PHPSESSIDs in the cookie:

HTTP request header:

```
POST /login.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.test.com/loginonly
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: http://www.test.com
Content-Length: 68
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: __utma=261786520.302897073.1197649982.1211188880.1211192879.157; __utmz=261786520.1197649982.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=ohgecedjtb3og9ijkcvrvtmd20; __utmc=261786520; __utmb=261786520; PHPSESSID=8mftgsbi7pp91vo4gsmctsrma3
```

The 1st (from left) PHPSESSID is the old session id which should have been cleared on logout, while the 2nd on the right is the new session id regenerated on login.

Unfortunately, PHP doesn't look at the 2nd one at all, and considers the 1st one "Logged out" or "doesn't exist". The user essentially stays logged out. The only way to login at that point is to close and reopen the browser.

Please let me know how I can resolve this issue. I have tried too many things, and it just isn't helping. I found just one post on the Internet with a similar/same issue: http://drupal.org/node/87372#comment-453823 but there was no reply to it.

--

I looked it up, and I found that with the current PHP settings, the server is already sending a "must-revalidate" control to the browser:

```
GET /logout HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://test.com/live
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: test.com
Connection: Keep-Alive
Cookie: __utma=261786520.302897073.1197649982.1211269686.1211270253.164; __utmz=261786520.1197649982.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=261786520; __utmc=261786520; PHPSESSID=lhfdthhrmin9bqkd8v24et9j15

HTTP/1.1 302 Found
Date: Tue, 20 May 2008 08:34:06 GMT
Server: Apache/2.0.61 (Unix) PHP/4.4.7 mod_ssl/2.0.61 OpenSSL/0.9.7e mod_fastcgi/2.4.2 DAV/2 SVN/1.4.2
Content-Location: logout.php
Vary: negotiate,Accept-Encoding
TCN: choice
X-Powered-By: PHP/5.2.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
location: live
Content-Length: 26
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html
..........................

GET /live HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://test.com/live
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: test.com
Connection: Keep-Alive
Cookie: __utma=261786520.302897073.1197649982.1211269686.1211270253.164; __utmz=261786520.1197649982.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=261786520; __utmc=261786520; PHPSESSID=lhfdthhrmin9bqkd8v24et9j15
```

Also, is it necessary to do a `setcookie("PHPSESSID", "", time()-3600, "/");` during logout to specifically clear that session id?
jonsjava Posted May 21, 2008

You can always clear the cookie as well:

```php
<?php
// Killing the cookie:
$cookie_name = "myCookie"; /* <-- change for your needs */
// Here we assign an empty value to the cookie, i.e. disabling the cookie:
$cookie_value = "";
// When deleting a cookie you should assure that the expiration date is in the past,
// to trigger the removal mechanism in your browser.
$cookie_expire = time() - 60;
$cookie_domain = "";
setcookie($cookie_name, $cookie_value, $cookie_expire, "/", $cookie_domain, false);
// Re-direct to login screen (or any other you like):
header("Location: login.html");
exit;
?>
```
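As an added example (not code from either post), here is a logout/login pair that expires the session cookie under the exact name, path and domain PHP issued it with, and regenerates the id with the old session deleted in one call. A browser stores one cookie per (name, domain, path) triple, so a cookie expired under a path different from the one it was set with survives next to the new one, which is one way a request can carry two PHPSESSID values; whether that is what happens on the poster's server is not something this example can confirm. Function names are my own.

```php
<?php
// Added example, not the posters' code. Requires PHP >= 5.2 for the
// 'httponly' cookie parameter and session_regenerate_id(true).

function logout_completely()
{
    session_start();

    // Clear the server-side state for this request.
    $_SESSION = array();

    // Expire the session cookie with the same name, path and domain PHP
    // used to set it. A browser replaces a cookie only when all three
    // match; expiring it under another path leaves the old one in place.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // Remove the session data on the server.
    session_destroy();
}

function start_fresh_login_session()
{
    session_start();

    // Discard the id the client arrived with (fixation defence) and delete
    // the old session record so it cannot be resumed. One call replaces the
    // destroy/start/regenerate sequence from the question.
    session_regenerate_id(true);
}

// logout.php would call logout_completely() and then redirect;
// login.php would call start_fresh_login_session() after checking
// the credentials, before writing the authenticated user into $_SESSION.
```

Keeping session.cookie_path fixed (for example to "/") in php.ini or via ini_set() before session_start() makes the logout and login paths agree on which cookie they are replacing.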