Re: Session overwritten - but why



On Fri, 30 Nov 2007 16:57:18 +0100, <j.wendelmuth@xxxxxxxxxxx> wrote:

Hi,

I have a problem with PHP sessions. The problem only occurs on one
machine (PHP v5.2.4 incl. mod_security). On another one (PHP v5.2.0 no
mod security) my application works fine.

Here's the precondition:
I have 2 PHP applications, A and B. Both on a separate server/machine.
A performs via SoapClient a request on B, where a Soap service is
located. B provides amongst others a function, that initializes a
session with data on B's side

$sess_id = md5(microtime());


Why do you want to do that???? microtime() is highly, highly unsuited for a busy server. At least use something like uniqid(). You basically are asking for problems creating session-ids like this. Is there any particular reason you want to set the session-id? Why not let PHP handle it (and its uniqueness at that time). If you just want to know a session-id after it's being set just call session_id() with no arguments.

session_name('SESSID');
session_id($sess_id);
session_start();

$_SESSION['blah'] = 'blah';
$_SESSION['fasel'] = 'fasel';
$_SESSION['blubb'] = 'blubb';

session_write_close();

and returns the session id and a URL to A.

OK, and where is the shared storage of session data? Are both servers set up to look at the same storage?

A takes the URL and the session id and performs a redirect via

header('Location: ' . $url . '?SESSID=' . $sess_id). The URL
points to a script located on B's side.

Using a GET is somewhat hazardous. What domains do your servers have? You might be better off setting a cookie for a wildcard domain (setcookie() -> <http://nl2.php.net/manual/en/function.setcookie.php>), i.e. set the domain to '.example.com' rather than 'server1.example.com' or 'server2.example.com'.

When the script on B is called, it checks if a session id is given
within the URL ($_GET) and tries to start the session.

$sess_id = $_GET['SESSID'];
session_name('SESSID');
session_id($sess_id);
session_start();

As I mentioned above it works fine on the PHP v5.2.0 machine but not
on v5.2.4. After session_start() the existing session will be
overwritten with an empty one, having the same session id. I've
additionally confirmed this behaviour in the sessions directory.

Where is this sessions directory, and how have you configured the servers to look into one and the same directory (which can be on only 1 server, either A or B, or an unmentioned C) for the storage?

When 'crossing' servers with sessions, I usually opt for setting up my own session handler (set_session_handler()), and use a single database server to store/retrieve session data from.
--
Rik Wasmus


