Losing sessions?


#1

Hi All,

Weird situation…

On our production environment, one of our users (I have remotely connected to their system) is losing Session information as soon as they try to do anything past their login. Even stranger (I can tell via the title of the page) that the session information is getting mixed up. The title of the page should be the user’s name and after clicking on a page that requires session / cookie information, the title of the page changes to another user’s name. So something isn’t right…

Our development environment (unfortunately) at this time uses Apache (we’ll be upgrading it to Nginx shortly). This issue does not exist in our development environment.

The problem computer is behind a proxy and the proxy on that server is configured as a “text” proxy (i.e. not ip address… rather proxy name). So I’m not sure if that would be an issue?

Is it possible that sessions are getting mixed up between users behind a proxy whose name is the same?

Any suggestions / thoughts?

Thanks


#2

sounds like an application level issue to me, or how you determine
session names.

being behind a proxy would only change the IP (maybe) - which could be
a factor in the session name.

also their login name changing from anonymous -> a logged in user could
too.

but if this doesn’t happen in the apache environment i’m not quite
sure. (thinking out loud)

i’ve never had a problem with session code portability. of course i
use mysql-backed sessions, but even file-based ones don’t seem to be
affected.


#3

Thanks, this is definitely a very odd situation. Essentially within a few seconds of being logged in, it kicks her out and actually shows information about a different session.

I don’t even know where to look for this one. There are no nginx error logs corresponding to this and the access logs simply show a trail of clicks.


#4

Regarding the switching of the username via session, turns out that the page was being partially cached by the CMS. So as one user was calling it with their name, the internal cache would get overwritten. We have now disabled this functionality.

Again, thanks all for your responses.


#5

Either proxy is dumb and does caching of private copies of pages or
proxy is very smart and needs Cache-Control: private header from app.
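
The caching behaviour raised in #4 and #5, as an added example that is not part of the thread: a check of whether a shared cache (a forward proxy or a CMS page cache) is permitted to store a per-user response, simplified from RFC 9111 section 3. The paths, headers and the `personalised` flag are constructed sample data, and the function names are hypothetical.

```python
# Added example (not from the thread): may a shared cache store this response?
# Simplified from RFC 9111 section 3; assumes a GET request and a known status.

# Status codes that are cacheable by default when no explicit freshness is sent.
HEURISTIC_STATUS = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    return directives

def shared_cache_may_store(status, headers, request_had_authorization=False):
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    # no-store and private both forbid storage in a shared cache.
    # no-cache does not: it permits storage but forces revalidation on reuse.
    if "no-store" in cc or "private" in cc:
        return False
    # Only the Authorization header gets automatic protection; a session
    # cookie does not, which is why cookie-based pages need explicit headers.
    if request_had_authorization and not (cc.keys() & {"public", "s-maxage", "must-revalidate"}):
        return False
    explicit = bool(cc.keys() & {"public", "max-age", "s-maxage"}) or "expires" in h
    return explicit or status in HEURISTIC_STATUS

def storable_personalised_pages(pages):
    """Paths of per-user pages that a shared cache would be allowed to keep."""
    return [p["path"] for p in pages
            if p["personalised"] and shared_cache_may_store(p["status"], p["headers"])]

# Constructed sample responses (hypothetical paths and headers).
SAMPLE_PAGES = [
    {"path": "/account", "status": 200, "personalised": True,
     "headers": {"Content-Type": "text/html"}},
    {"path": "/account/orders", "status": 200, "personalised": True,
     "headers": {"Cache-Control": "private, max-age=0"}},
    {"path": "/profile", "status": 200, "personalised": True,
     "headers": {"Cache-Control": "no-store, no-cache, must-revalidate"}},
    {"path": "/dashboard", "status": 200, "personalised": True,
     "headers": {"Cache-Control": "max-age=300"}},
    {"path": "/static/logo.png", "status": 200, "personalised": False,
     "headers": {"Cache-Control": "public, max-age=86400"}},
]

if __name__ == "__main__":
    for path in storable_personalised_pages(SAMPLE_PAGES):
        print("shared cache may store per-user page:", path)
```

A 200 response with no caching headers at all is still storable, so a per-user page has to opt out explicitly with `private` or `no-store`.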


#6

Thanks for all the responses I got, really appreciate it. I think we found the problem… the PHP ini save_sessions directory wasn’t set (oops).

On Wed, Jan 14, 2009 at 3:27 PM, Valery K. <