[SOLVED] My server is mixing-up sessions

[lemonshindig]

My problem is that my server doesn't seem to maintain an accurate associate between a user's cookie and their session on the server. After login, it always welcomes the correct username on the welcome page, but once on the main page (which takes up a lot of server resources on EACH refresh), it often displays information for somebody else's session. Usually this happens on the first login. Then, if you refresh, my check_login.php script DOES kick you out to the login page again, and if you log in a second time, it usually works. Also, my scripts perform major MySql updating every hour (well, probably 50-100 queries), and right after this occurs, it will sometimes mix up your session again.

 

When the sessions are mixed up, the first refresh will kick you out to the login page, like it's supposed to. However, since the check_login script is required in every single script on my server, i'm not sure how a mixed up session even goes about being displayed once. I know that I could log and compare IP addresses to ensure that a mixed up session is immediately terminated, but then still, you'd be kicked out of the logged in section every now and then for apparently no reason at all.

 

index.php:

<?php
$page_hredirect_exempt = 1;
require('check_login.php');
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
        "http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<script src="java.js" type="text/javascript">
</script>
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="PUBLIC">
<link REL="StyleSheet" TYPE="text/css" HREF="styles.css">

<title></title>
</head>
<body>
<center><img src="logo.png"><hr></center>
<div class="scroller">
<?php
if (!$logged_in) {
?><center><?php require('login.php'); ?></center><?php
} else {
echo "Welcome, ".$_SESSION['username'];
?>
<--basic HTML removed here -->

login.php:

<?php
$database = "world";
require($DOCUMENT_ROOT.'/mydb/dbconnect.php');
if ($_POST['checksubmit'] == 1) {
session_start();
$query = "SELECT username, password, gameid FROM users WHERE username='".$_POST['username']."'";
$result = mysql_query($query);
if (mysql_error() == "") {
	$databasearray = mysql_fetch_array($result);
	if ($databasearray['username'] == $_POST['username'] && $databasearray['password'] == md5($_POST['password'])) {
		$_SESSION['username'] = $_POST['username'];
		$_SESSION['password'] = md5($_POST['password']);
		$_SESSION['gameid'] = $databasearray['gameid'];
		header('Location: index.php');
		die();
	} else {
		$_SESSION['error'] = "Username and Password do not match our records.";
		header('Location: index.php');
		die();
	}
} else {
	$_SESSION['error'] = "Username and Password do not match our records.";
	header('Location: index.php');
	die();
}
}
?>
<form method="post" action="login.php">
<table border="0">
<tr>
	<td>Username:
	</td>
	<td><input type="text" name="username">
	</td>
</tr>
<tr>
	<td>Password:
	</td>
	<td><input type="password" name="password">
	</td>
</tr>
</table>
<input type="hidden" name="checksubmit" value="1">
<input type="submit" value="Log-in">
</form>

check_login.php:

<?php
if (!$logged_in) {
session_start();
$database = "World";
require($DOCUMENT_ROOT.'/mydb/dbconnect.php');
$logged_in = 0;
if ($_SESSION['username']) {
	$query = "SELECT username, password FROM users WHERE username='".$_SESSION['username']."'";
	$result = mysql_query($query);
	$userinfo = mysql_fetch_array($result);
	if (mysql_error() == "") {
		if ($_SESSION['username'] == $userinfo['username'] && $_SESSION['password'] == $userinfo['password']) {
			$logged_in = 1;
		}
	}
}
}
if ($logged_in != 1) {
/* see if they're on a redirect exempt page (index, readmemo) */
if (!$page_hredirect_exempt) {
	session_destroy();
	header('Location: index.php');
	die();
}	
}
?>

 

session.use_only_cookies is set to 1.

 

Thanks.

 

I'm running php 4.4.0 on Apache2Triad W/ Windows XP. (I know, I know...)

[OLG]

Seems quite strange, and not something i've ever heard of before.

 

The only thing i can think of in this case is

 

If you are using cookie-based sessions, you must call session_start() before anything is outputted

 

I'm sure someone else might be able to be of more help to you

[shamilton]

Could you possibly echo out your variables for us?

No passwords - just the username and sql strings.

 

[per1os]

Basic observations, your session_start in the login.php may not be working right as you are using session as cookies session_start() needs to be before any output. Login.php as after. I would suggest using 1 session start at the top of the index of check_login page. You do not need it in multiple pages, just one.

 

Give that a shot and see what happens. Also are you storing session data in the DB at all? If so could the updates be messing with that? 

[shamilton]

Also note...how you have this setup...you call two files with two different session_start()...

 

Try just putting session_start() at the top of index.php

[lemonshindig]

Well session_start() should be called before any output, since the check_login script is ran at the very start of each script, and the first thing in there is session_start(). It should also only be ran once, since if the variable $logged_in is set to 1 the first time it's ran in 1 connection, then the check_login script will jump over the verification code. If the login is invalidated, then the check_login() script will header the client to the index/login page. No errors are showing up in my php error log. Could it be because i'm so low on system memory and running under windows? (1.25GB DDR333)

 

Thanks

[per1os]

I never heard of or had the problem. I only have 1GB of memory on my PC and never had any type of trouble running php/apache on Windows XP.

 

Doesn't mean that it is not it, just stating that I have never heard of this issue. But low system memory (if you have something eat it up) could be the cause of the problem...i guess.

[lemonshindig]

Well it only seems to mix up sessions on the main page which isn't included here, because i thought for sure the problem was in my login scripts or my check_login script.

 

The main page DOES use a lot of memory, since on each request of it, it generates a 3617x1870px transparent GIF, executes 50 sql queries, and copies a few images into their appropriate places on the large canvas according to the database information. I imagine that uses a lot of memory, since it crashes my apache server every now and then, but other than that, it works flawlessly. I just have to reboot the server every now and then. The sessions, though, seem to mix themselves up even if i clear out the sessions and reboot the server and then it doesn't crash for a day or two.

 

Thanks

[lemonshindig]

php.ini  I think these variables are all where I want them, but just to make sure:

[session]
; Handler used to store/retrieve data.
session.save_handler = files

; Argument passed to save_handler.  In the case of files, this is the path
; where data files are stored. Note: Windows users have to change this
; variable in order to use PHP's session functions.
;
; As of PHP 4.0.1, you can define the path as:
;
;     session.save_path = "N;/path"
;
; where N is an integer.  Instead of storing all the session files in
; /path, what this will do is use subdirectories N-levels deep, and
; store the session data in those directories.  This is useful if you
; or your OS have problems with lots of files in one directory, and is
; a more efficient layout for servers that handle lots of sessions.
;
; NOTE 1: PHP will not create this directory structure automatically.
;         You can use the script in the ext/session dir for that purpose.
; NOTE 2: See the section on garbage collection below if you choose to
;         use subdirectories for session storage
;
; The file storage module creates files using mode 600 by default.
; You can change that by using
;
session.save_path = C:\apache2triad\temp
;
; where MODE is the octal representation of the mode. Note that this
; does not overwrite the process's umask.
;session.save_path = "/tmp"

; Whether to use cookies.
session.use_cookies = 1

; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 0.
session.use_only_cookies = 1

; Name of the session (used as cookie name).
session.name = PHPSESSID

; Initialize session on request startup.
session.auto_start = 0

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 1200

; The path for which the cookie is valid. / default
session.cookie_path = 

; The domain for which the cookie is valid.
session.cookie_domain =

; Handler used to serialize data.  php is the standard serializer of PHP.
session.serialize_handler = php

; Define the probability that the 'garbage collection' process is started
; on every session initialization.
; The probability is calculated by using gc_probability/gc_divisor,
; e.g. 1/100 means there is a 1% chance that the GC process starts
; on each request.

session.gc_probability = 1
session.gc_divisor     = 10

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1200

; NOTE: If you are using the subdirectory option for storing session files
;       (see session.save_path above), then garbage collection does *not*
;       happen automatically.  You will need to do your own garbage
;       collection through a shell script, cron entry, or some other method.
;       For example, the following script would is the equivalent of
;       setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
;          cd /path/to/sessions; find -cmin +24 | xargs rm

; PHP 4.2 and less have an undocumented feature/bug that allows you to
; to initialize a session variable in the global scope, albeit register_globals
; is disabled.  PHP 4.3 and later will warn you, if this feature is used.
; You can disable the feature and the warning separately. At this time,
; the warning is only displayed, if bug_compat_42 is enabled.

session.bug_compat_42 = 1
session.bug_compat_warn = 1

; Check HTTP Referer to invalidate externally stored URLs containing ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
session.referer_check =

; How many bytes to read from the file.
session.entropy_length = 0

; Specified here to create the session id.
session.entropy_file =

;session.entropy_length = 16

;session.entropy_file = /dev/urandom

; Set to {nocache,private,public,} to determine HTTP caching aspects
; or leave this empty to avoid sending anti-caching headers.
session.cache_limiter = nocache

; Document expires after n minutes.
session.cache_expire = 20

; trans sid support is disabled by default.
; Use of trans sid may risk your users security.
; Use this option with caution.
; - User may send URL contains active session ID
;   to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
;   in publically accessible computer.
; - User may access your site with the same session ID
;   always using URL stored in browser's history or bookmarks.
session.use_trans_sid = 0

; The URL rewriter will look for URLs in a defined set of HTML tags.
; form/fieldset are special; if you include them here, the rewriter will
; add a hidden <input> field with the info which is otherwise appended
; to URLs.  If you want XHTML conformity, remove the form entry.
; Note that all valid entries require a "=", even if no value follows.
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="

[lemonshindig]

Figured it out;

 

For all of those who are interested-

It wasn't the sessions that were mixing up, just the usernames.

register_globals was On. I was using $_SESSION['username'] to distinguish the individual user, and i was using $username in a block of code which did a specific action to EACH user's data in the database by using $username as a temperary variable in a foreach loop. Therefore, the last user edited by that block of code

would be registered over $_SESSION['username'], and my check_login script on next request would kick them out.

 

Hope it helps someone.