Random Session Failure

onedrum

I have a class based user session system. it uses the default session handling, a database of users and stores an object in the session.

It's worked for years, with occasional improvements. I have used it on a recent site that has survived 2 full OS and PHP/MySQL upgrades and stayed working.

I uploaded it to the webhost (not named), but now I have my sessions randomly failing.

Symptons are...

User logs in. OK
User browses private area OK
Randomly user is informed they need to log in. NOT OK.
User attempts to log back in but
- 50% of the time they already are still logged in.
- 50% of the time they get the log in box
WTF?

I found that this happens randomly, sometimes it doesn't happen for hours of testing and debugging, other times it happens everyother click within the authentication controled area. It happens at any point within the area, not any particular point.

Constantly refreshing a page every 10 seconds, results in a random order of..

the apropriate page.
the invite to log in.
the log in box

"only" clicking refresh, nothing else.

I don't know where to begin to debug something so random, when the site worked on 2 previous servers and the code in the session/user handling has been in use on many more!

The only differences I have had to battle with are the new hosts restrictions for uploads, memory limits and max execution time.... and register_globals was off, but my site was designed for on.

(spare me the register_globals lecture, I know it well)

I enabled register_globals within .htaccess with a PHPFlag line and the site worked, except the sessions. Would this be related?

I'd love some help here.

I can post any code you need etc. Server details can be found here:
http://www.iceniproperties.com/phpinfo.php

planetsim

Its great that you explained it all but what code is used for sessions. I also highly suggest you turn register_globals back off.

Also you may want to notify your host to upgrade your PHP its quite old, 4.3.11 is out and has been out since March (already trying to get 4.4.0 out now).

onedrum

// Start the session
session_start();

// Register the user object to carry user id info from page to page.
if ( ! session_is_registered( "user" )) 
	session_register( "user" );

// Test for cookies (we will tell them the bad new later if they dont have cookies turned on
$cookies = false;
if ( isset($HTTP_COOKIE_VARS["PHPSESSID"]) ) {
		$cookies = true;
}

<?
	if ( isset( $email ) && isset( $pass ) )
	{
		$user = new Subscriber();
		$id = $user->verify($email, $db);
		if ( ! $id ) {
			$errors = $user->errors;
			include( FS_TEMPLATES."login-error.tpl.php" );
		} else {
			$user->load( $db, $id );
			if ( ! $user->authenticate($pass) ) {
				$errors = $user->errors;
				include( FS_TEMPLATES."login-error.tpl.php" );
				$user = object;  // deletes user contents from session for security
				myexit();
			}
			// Test cookies 
			if ( ! $cookies ) {
				$user = null;
				session_unregister( "user" );
				$errors[] = COOKIES_ERROR;
				include( FS_TEMPLATES."login-error.tpl.php" );
				myexit();
			}
			$user->confirm($db);
			//session_register( "user" );
		}
	}
	include( FS_TEMPLATES."login.tpl.php" );
?>

Then the auth code in the private section does this:

// Security checks
// User logged in?
if ( (!empty($user->full_name)) && $user->isAuthed() ) {

// SNIP site code.

} else {
?>
	<h2 class="login"><?=E_LOGIN_REQUIRED?></h2>
	<a class="login" href="users.php?command=login&amp;return=<?=$REQUEST_URI?>"
<img src="images/admin.gif" /> Click here to login</a>
<?
}

Hope that helps.

I can't turn reg globals back off, there are 114 PHP files in this site. Most have GET and/or POST variables and I don't really fancy debugging it all again.