Sessions and IP Addresses

simulant

Does PHP need a unique IP address in order to create a unique session? How does session_start() generate a session ID??

I am developing a web application that is accessible by us within our intranet, and also by our client after their requests come through their firewall. So all HTTP requests that Apache receives from them come from their firewall's IP address.

The application works great from our end, but has inconsistent results from their end.....on top of performing a lot slower.

Do PHP developers need to do anything special in this case when they are using sessions?? In particular, are sessions affected by non-unique IP addresses??

Thanks.

rinjani

It could be that your client's firewall doesn't allow cookies to be set/read or is somehow interferring with this. I believe the default way for cookies to be set up is to write a cookie file to the client browser (PHPSESSHID or something like that). At least that's what happens when I use sessions.

HTH

simulant

Yes, we are thinking that it could be something to do with the configuration of our client's firewall. But it is strange that their results are so inconsistent.

Do you know exactly how PHP generates a session ID? How does PHP ensure that session IDs are unique??

I noticed that in the apache access logs I'm seeing a bunch of HTTP 304 Not Modified responses. There is apparently a bug in either PHP or Apache (the devs can't agree on whose bug it really is). I'm working on upgrading both PHP and Apache (we're currently using PHP 4.2.0 and Apache 1.3.12!!). I'm hoping that simply upgrading Apache will be the solution.

Here's the bug info:
http://bugs.php.net/bug.php?id=17098
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9673

This is from the HTTP RFC, referring to the 3xx class of http responses:
"A client SHOULD detect infinite redirection loops, since such loops generate network traffic for each redirection."

Maybe these 304 responses are causing problems....but only outside of our intranet.....is this possible?

Just in case, how do these session settings look??:

session.auto_start: Off
session.cache_expire: 60
session.cache_limiter: nocache
session.cookie_domain: no value
session.cookie_lifetime: 0
session.cookie_path: /
session.cookie_secure: Off
session.entropy_file: no value
session.entropy_length: 0
session.gc_maxlifetime: 1440
session.gc_probability: 1
session.name: PHPSESSID
session.referer_check: no value
session.save_handler: files
session.save_path: /home/web/cache/tmp
session.serialize_handler: php
session.use_cookies: On
session.use_trans_sid: 1

Thanks!

rinjani

Hi,

There is only one item that I can see that might be a problem. You have session.use_trans_sid set to true. This is URL based session tracking so that may be your problem. I only use cookie based so I have no experience with the use_trans_sid setting. Since it appends the SID to the URL as you go maybe your firewall gags on it.

As for how the SID is generated, I'm not sure.Probably some random string with the time the session started incorporated into it.

rinjani

simulant

Some more info on this problem:

After some research, I saw that the Apache module mod_proxy is available since Apache 1.3.23.......we are using 1.3.12. The packets that are sent from our client's network do travel through proxies when they are requesting data.

Do you think that the lack of proxy support in 1.3.12 could be the cause of our client's inconsistent results?? Would the proxy allow some packets to go through but not others??