All Sessions cleared

finger

Hello,

I'm fighting with a very strange session problem - maybe someone experienced somthing similar:

at random times (sometimes after a few minutes, sometimes after a couple of hours) all active sessions get cleared - the session-cookie is still active, and the session-file in /tmp still exists (but with a filesize of 0 bytes).

this affects all sessions (regardless which php-programm started it). i wrote a testscript (see code below), that does nothing but starting and reading a session-variable. this also gets cleared.

my big question is: is it possible to accidentally kill sessions of other client-users from other programs in PHP? (the different scripts all run as the same server-user 'www').

i'd be grateful for any glue. thanks.

stefan

the session-testscript:

<?php 
session_name ("testsession");
session_start();

if ($_REQUEST["startsession"] != "")
{
	$_SESSION["test"] = "yeah";
}


if ($_SESSION["test"] == "yeah")
{
 ?>

 <div id="">logged in</div>

 <?php
}
else
{
 ?>

 <div id="loginForm">

 <a href="session.php?startsession=yes">login</a>

 </div>

 <?php
}
?>

NogDog

At first I was thinking of the possibility that if some script that shares the same session data directory is run and it has session.gc_maxlifetime set to some low value, then when that script is run the session garbage collector will clear any data older than that time. However, I would have expected that to delete the data files, not leave them there but empty.

But if you want to try an experiment, you could set your local PHP environment (via .htacess, for example) to use a different session data directory via the session.save_path setting. (Make sure that directory you select exists and is read/writable by all.)

Weedpacket

finger wrote:
my big question is: is it possible to accidentally kill sessions of other client-users from other programs in PHP? (the different scripts all run as the same server-user 'www').

Since in this case all of the files are owned by the same user (who the client-user is doesn't matter, because they're the server's files), it's certainly possible for one script to wreak havoc on every session file.

$sessions = glob(ini_get('session.save_path').'/sess_*');
print_r($sessions);

I don't know about "accidentally", but never attribute to maliciousness that which can be attributed to stupidity.