Session Variables Sessions in PHP behaving strangely

[u_c_iv 0]

Hi. I am part of a development team working in PHP and MySQL. The site is using SSL, and users have to log to use the site. When users log in, their important details are retrieved from the database and stored in session variables (functionality in the site is permissions specific). Lately, sessions are "disappearing" for no apparent reason. Users will log in, and at some point (the length of time will vary unpredicatably) the sessions will lose their value (the variables are empty) and this causes the site to evict the user. This is very frustrating for the user but moreso for the development team who is struggling to understand why this happens. The STRANGEST part is that the site is hosted in a city in Australia, the users a predominantly in another city in Australia, and I am in Charlotte. I have NEVER been able to replicate the problem on the live server or my localhost test machine. I had some friends in the same city in Australia try to access the site, and they aren't able to replicate the error... ?!?!? Those of you who debug will appreciate the hopelessness of trying to solve an error when you can't even get it to trip up! This is all I know - sessions are losing their value and I have no idea why. I've coded a work around for the PHP garbage collection function and that was working well for some time.I have checekd the code, and it isn't the problem (I think).Can ANYONE help me?

[WindAndWater 0]

I can't think of any reason why the session variables would loose scope unless they were overwritten/overloaded. If you can't find any evidence of that in your code you might consider temorarily switching to using session cookies until you resolve the problem.

[Spectre 0]

Unless you explicitly destroy the session (eg. by prematurely calling session_destroy()) or PHP is unable to determine the session's owner, this shouldn't happen. Generally speaking, PHP will either use a cookie to indicate a session's owner or append the session ID to all links within the page (eg. a link to '/page.html' may become '/page.html?PHPSESID={32-byte MD5 hash}'). If it using the second method, perhaps it is losing track of session owners if the link is unable to be modified - are you using irregular HTML or can you think of some other problem that may affect it in this way?

Anyway, try setting and/or checking when the session is set to expire with the session_cache_expire() function. It probably wouldn't hurt to further explore PHP sessions either; perhaps it's your server configuration or a problem within your code that you aren't aware of.

Edited April 26, 2006 by Spectre (see edit history)

[u_c_iv 0]

Hi guys. Thanks for your input. I just had a very interesting accident...What was really bothering me was that code doesn't morph, right? So if there is faulty code on one server, it will be faulty on another server. The code was working exactly as intended on my local machine, and certain users (in certain locations) never had the error, and yet a lot of people were consistently having the error! No matter how I tried to replicate what the error-prone users were doing, I just didn't get the error.Then. I bought a laptop, and I was setting it up with a development environment, and all the usual stuff you need on a computer. The thing I didn't have was firewall/virus protection. So I bought CA eTrust Internet Security Suite and installed it. Because I want my two machines to share resources (see my OTHER post where I'm having no luck in THAT arena) I set my home network to be a trusted zone. It all installed fine and I restarted the machine to do some work.Then when I opened up my localhost site, I had the EXACT SAME ERROR as the users were having in Australia!! I couldn't believe it. I uninstalled the Security Suite, restarted the machine, and the error was gone. Re-installed the Security Suite - you guessed it. Errors.Bottom line... my signal chain is ISP -> Modem -> Wireless Router -> PCs. So in setting my home network (including the router) as a trusted zone, it prevented the sessions holding their value. If I set the home network as a Internet Zone, then it works fine - therein is my home network problem... shared resources need to eb in a trusted zone!!I did an online help-chat with someone from CA, and they said that the reason for this problem is that trusted zones are treated with more caution (?! I thought they were TRUSTED?!?!) and that was the interference with the session values. They confirmed that the problem my users in Australia were experiencing are not related to the code.I have temporarily incorporated cookies as a backup plan (as suggested) and so far so good. I'll let you all know if it keeps up...

[u_c_iv 0]

Hi again,I'm sorry to report that the cookie-solution that I tried to implement was of no effect. The cookies are created (as are the session variables), but for some STRANGE reason, they are getting deleted. I'm almost 100% positive that it is outside of the control of the PHP code, so I have to leave it alone for now and try to find out what sorts of measures ISPs use to stay secure.Thanks again for your help. I will let you know if I find anything interesting.