vineld Posted July 28, 2009

I use a unique key in certain places to make sure that the pages don't receive external post data. The "problem" is that I store this in a session variable. Unfortunately this seems to time out when least expected at the site I am currently working on. Here is the logic of what happens in the file.

1. Session is initiated: session_start(); $session = session_id();
2. If form has been posted, check that the posted key is equal to $_SESSION["secret"]
3. Set $_SESSION["secret"] to a random key

Am I failing to see some simple mistake in this process, or why does this happen? I checked session.gc_maxlifetime and that was set to 1440 (24 minutes) both local and global.

Thread: https://forums.phpfreaks.com/topic/167827-strange-session-behavior/
rhodesa Posted July 28, 2009

This may be a waste of time...anyone trying to exploit your site will also know how to initiate a session before sending the POST.
vineld (Author) Posted July 28, 2009

Maybe you're right, but I think you might stop some automated bot scripts this way. After all, now that it's there it would be a waste of time to remove it. No matter what, I would still like to know the reason for this strange behavior since it might cause other problems in the future. Is it possible that server sessions can become unstable and for some reason time out prior to the set limit?
rhodesa Posted July 28, 2009

Nope...shouldn't be...when do you set the random key? It should be like this:

```php
<?php
session_start();
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // both the session secret and the posted key must exist and match
    if (!empty($_SESSION['secret']) && !empty($_POST['key']) && $_SESSION['secret'] == $_POST['key']) {
        echo "You, my friend, passed the test.<br />";
    } else {
        echo "You are evil, away with you!<br />";
    }
    print_r($_POST);
    exit;
}
// a fresh secret is generated on every non-POST render of the form
$_SESSION['secret'] = md5(time().rand());
?>
<form action="" method="POST">
<input type="hidden" name="key" value="<?php echo $_SESSION['secret']; ?>" />
<input type="text" name="foobar" />
<input type="submit" value="Let's Go" />
</form>
```
ignace Posted July 28, 2009

> The "problem" is that I store this in a session variable.

That's not a problem; considering the purpose, it's a good choice.

> Unfortunately this seems to time out when least expected at the site I am currently working on. Here is the logic of what happens in the file.

How exactly do you mean "time out"?

> 1. Session is initiated: session_start(); $session = session_id();
> 2. If form has been posted, check that the posted key is equal to $_SESSION["secret"]
> 3. Set $_SESSION["secret"] to a random key

Nothing wrong with this process either.
ignace Posted July 28, 2009

> echo "You are evil, away with you!<br />";

I think die('! you evil scumbag, eat my headers'); would be more appropriate.
vineld (Author) Posted July 28, 2009

Yup, that's exactly what is done; everything goes in the order I listed in the first post. Most of the time it works just fine, and the only page where I have encountered it failing (once in a while, whenever it feels like it apparently) is where I do file uploading, so I wonder if there is some instability over at my host's server?
rhodesa Posted July 28, 2009

Maybe...I would also check, when it fails, whether secret is empty, the form key is empty, or both. If they are both set but not matching, you are probably updating the secret somehow and not realizing it.
vineld (Author) Posted July 28, 2009

I have printed all values (key, post and session arrays) and they are always set. I have also searched the file and the included files, and those are the only places where the variables are in use. As it appears only once in a while, even if I do the exact same thing, it seems very strange. Could other users' use of sessions on the server affect mine as well in any situation?
rhodesa Posted July 28, 2009

No...user sessions are all separate. If they are set and not the same, my guess is the PHP script is changing it somewhere. Can you explain the flow a little more...especially with file uploads?
- Does it submit to the same PHP file or a different one?
- Do file uploads happen in the same form or in a different step?
vineld (Author) Posted July 28, 2009

If the code followed a different path depending on the situation I would probably think so too :-\ However, nothing changes and it seems random, albeit unusual. The code itself is not really complex; there is only one form and it posts to the same page. File uploads are done in the same file, but some image handling takes place in included functions, and that's about it. The code where the session is first initiated is also in an included file, but that shouldn't matter... Judging from the strange random factor I find it very hard to believe that the flaw is anywhere else but on the server, but if so, what could possibly cause it?
rhodesa Posted July 28, 2009

Sounds like we are in agreement...without some code, I can't really help any further. Maybe your hosting service is flaky, but I've never had this problem, and since both keys are set to something, it leads me to believe it's not the session prematurely dying.
vineld (Author) Posted July 28, 2009

I have never had this problem before either :-\ I have stripped the code down to make it readable, although I doubt it will do any good (unless I have failed to catch something obvious that I am blind to at this point):

```php
<?php
// In the real code this lives in an included file where the session is set
session_start();

// Error check prints
print_r($_SESSION);
print_r($_POST);

// Database connection and log in check

// Check if form has been submitted
if (isset($_POST["submit"])) {
    // External attack check (strict comparison; guard against a missing posted value)
    if (isset($_SESSION['secret']) && isset($_POST['secretValue'])
        && $_POST['secretValue'] === $_SESSION['secret']) {
        // yada yada yada PHP code
        // if [file has been selected] { [error handling, image editing etc.] }
    }
}

// Secret key is set (on every request, after the check above)
$secret = md5(uniqid(rand(), true));
$_SESSION["secret"] = $secret;

// Error check
echo $secret;
?>
<html>
<head>
</head>
<body>
<!-- yada yada yada HTML -->
<!-- The form itself; an empty action posts back to [same file] -->
<form method="post" action="" enctype="multipart/form-data">
<input type="hidden" name="secretValue" value="<?php echo $secret; ?>" />
<input type="submit" class="submit" name="submit" value="Send" />
</form>
</body>
</html>
```

Don't take my pseudocode literally.
vineld (Author) Posted July 30, 2009

I think I may have found the problem. My host saves the sessions in the shared tmp folder and runs scripts regularly that clean up this folder.
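An added example, not code from the thread or from any of its posters: the same posted-secret check with the two fixes the thread arrives at, a private session directory so a shared /tmp cleanup job cannot delete the session files, and a check that reports which of the three cases (session secret missing, posted key missing, mismatch) actually failed, as rhodesa suggested. It also mints the secret only when none exists, so a reload or second tab does not invalidate a form already rendered. It assumes PHP 7 or later and a writable directory one level above the web root (placeholder path).

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7 and a writable
// directory one level above the web root (placeholder path).
// 1. Keep session files out of the shared /tmp so a host cleanup job cannot
//    reap them; session.gc_maxlifetime (1440 s here) then governs their lifetime.
$sessionDir = __DIR__ . '/../sessions';
if (!is_dir($sessionDir)) {
    mkdir($sessionDir, 0700, true);
}
session_save_path($sessionDir);          // must precede session_start()
ini_set('session.gc_maxlifetime', '1440');
session_start();

// 2. Report which case failed (rhodesa's suggestion) instead of one "evil" message.
function checkSecret(array $session, array $post): string
{
    if (empty($session['secret'])) {
        return 'session-secret-missing';  // session expired or its file was removed
    }
    if (empty($post['secretValue'])) {
        return 'posted-key-missing';      // form did not send the field
    }
    if (!hash_equals($session['secret'], (string) $post['secretValue'])) {
        return 'mismatch';                // stale form or secret regenerated meanwhile
    }
    return 'ok';
}

if (isset($_POST['submit'])) {
    $result = checkSecret($_SESSION, $_POST);
    if ($result !== 'ok') {
        error_log("secret check failed: $result (session " . session_id() . ')');
        http_response_code(403);
        exit('Form expired, please reload and try again.');
    }
    // ... handle $_FILES['upload'] here ...
}

// 3. Mint a secret only when none exists, so a reload or second tab does not
//    invalidate a form that was already rendered with the previous value.
if (empty($_SESSION['secret'])) {
    $_SESSION['secret'] = bin2hex(random_bytes(16));
}
?>
<form method="post" action="" enctype="multipart/form-data">
  <input type="hidden" name="secretValue" value="<?= htmlspecialchars($_SESSION['secret'], ENT_QUOTES) ?>" />
  <input type="file" name="upload" />
  <input type="submit" name="submit" value="Send" />
</form>
```

With the session directory private, the case worth watching in the error log is 'session-secret-missing' on a POST that arrives well inside 24 minutes; that is the symptom of the session file disappearing underneath the user rather than of a logic error in the script.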
rhodesa Posted July 30, 2009

Were you able to figure it out? If this is on a hosting service, did you try installing a web server on your local computer, loading up the code there, and seeing if you get the same problem?
phpSensei Posted July 30, 2009

Your method makes no sense.
rhodesa Posted July 30, 2009

> Your method makes no sense.

Thank you for providing constructive feedback.
phpSensei Posted July 30, 2009

> > Your method makes no sense.
>
> Thank you for providing constructive feedback.

Been staying up all night solving and helping problems... I'm pretty tired and grumpy.
ignace Posted July 30, 2009

> > > Your method makes no sense.
> >
> > Thank you for providing constructive feedback.
>
> Been staying up all night solving and helping problems... I'm pretty tired and grumpy.

If your comment has no added value, then save yourself the bother.