2

A customer of ours is currently experiencing trouble. Our system uses AJAX requests for all communication with the server after logging in. Wherever $_SESSION is being used, session_start(); is on top of the script - which is contained in a try...catch, because of a custom error handler which throws an exception on error. Thus, the pseudo-code looks like this:

//set_error_handler_here
try{
session_start();
//do_something_with $_SESSION
(...)
} catch($e){
//handle error
}

Now, the problem: our customer seems to lose the session at random, by which i mean that f.e. $_SESSION['id'] will throw an "unknown index"-error. This is the case in both Internet Explorer and Chrome. We have tested this system among various systems for several months and can confirm that we have not had this error before.

We do not use suhosin. There is also activity within the time before the session expires. Does anyone have any ideas as to what the solution may be?

edit: i eventually conducted a test to see if $_COOKIE['PHPSESSID'] was set. isset($_COOKIE['PHPSESSID']) returned false. This means the client is probably being bothered by some form of malware, considering it happens on both browsers. I would like to thank everyone who did try and help out, certain options were ones we had not thought of.

Improve this question
4
  • 1
    It might be a little stupid, but just saying to make sure: Aren't the cookies just turned off or deleted? Commented May 23, 2012 at 14:36
  • I highly doubt cookies are being deleted, as our client is not an IT professional. I did hear something that sounded like malware (IE homepage set to some company specialized in audio software somehow), but I don't think this would affect Chrome as well. Our client was not aware of affected settings either. --edit: also, there are also moments when it just works fine. So I think it's fair to assume the cookies are NOT turned off. Commented May 23, 2012 at 14:38
  • @Sietse That would came to my mind first also. And that the ajax url is missing a script.php.'?&'.SID Commented May 23, 2012 at 14:38
  • The SID shouldn't be necessary, as AJAX passes the cookies through just fine - take a look at an ajax request in Chrome, you'll see it in the HTTP headers field. Commented May 23, 2012 at 14:40

2 Answers 2

Reset to default
1

Case 1
Are you validating the http user agent?

if so that could be an issue as IE will use different user agents when it runs in compatible mode and normal mode.

case 2

do you have clustering application servers? and so it might be the case where session file is stored in one server and next request goes to another server?

case 3

May be application level bug, where session is unset based on condition or an user or something

case 4
If you have an iframe, It's also possible that because you're setting the cookies in an iframe, that the browsers may view it as a third-party cookie and reject it unless explicitly set out in the browser preferences to

In that case you would need a P3P header on the pages from where you're trying to set the cookies from.

I suggest you to set some dummy cookie and see whether it is coming back. And also set the session cookie as httpcookie so that it cannot be accessed from javascript (assuming some script malforming cookie).

Improve this answer
Sign up to request clarification or add additional context in comments.

14 Comments

The customer is using IE9 and the latest version of Chrome. The issue occurs on both browsers, as far as i am aware.
are you validating remote ip then?
I'm not validating the remote ip, no. Can you please explain why this may be necessary? It seems to me that the client is always logging on from the same spot (and the same ip), from what my logs say.
based on user connection, their ip's might change. so I want to confirm whether you are validating ip or user agent for session..
do you have clustering application servers? and so it might be the case where session file is stored in one server and next request goes to another server?
|
1

This might be a rare case, but if anyone has done the same error I did he might benefit.

I had the same problem, the php session was lost. I am not using jquery ajax but simple xmlhttp ajax, but I think this doesn't matter, in the background the same steps do take place.

I fixed this problem after stoping using an ip address for my ajax requests, so from this: http://1.2.3.4/index.php?somekey=somevalue I went to this: http://www.example.com/index.php?somekey=somevalue

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.