One (and only one) of my end users has some issues with being logged out. I discovered that there are multiple PHP SessionIDs being created, and that the older SessionIDs are timing out, causing the logout.

The problem is the multiple session IDs. I cannot reproduce how this is happening. They are using Firefox, as am I. I've tried opening new windows by double-clicking the desktop icon, going to File -> Open New Window, and right-clicking a link in the app and choosing Open Link in New Window. Everything I do opens a new window with the same SessionID (on my system). This is expected behaviour.

Is there another way this user could be opening windows that might create a separate SessionID? I don't have access to their system, only logging data from my application.

a coder
  • check for output/whitespace before session_start() in your code. – Green Black Feb 19 '13 at 23:05
  • They might have cookies disabled, so it would prevent them from keeping the session. – i-- Feb 19 '13 at 23:05
  • @John -- Only one user experiences this problem. It is not happening for me. If there were whitespace, the problem would happen for all users. – a coder Feb 19 '13 at 23:06
  • @J-- is there a programmatic way to determine whether cookies are disabled? – a coder Feb 19 '13 at 23:08
  • `(session_id())` would work ? – vikingmaster Feb 19 '13 at 23:08
  • @acoder check out http://stackoverflow.com/questions/6663859/check-if-cookies-are-enabled – Lawrence Cherone Feb 19 '13 at 23:09
  • If they had cookies disabled, they wouldn't have logout issues. They would've had login issues. – Rudie Feb 19 '13 at 23:09
  • detect if cookies are disabled : http://stackoverflow.com/questions/531393/how-to-detect-if-cookies-are-disabled-is-it-possible – Jeffrey Nicholson Carré Feb 19 '13 at 23:09
  • How about subdomains? Maybe the cookies are registered under different domains, but read on all of them. (Like `.domain.com`.) Does your site allow subdomains? – Rudie Feb 19 '13 at 23:12
  • No - just a single domain. – a coder Feb 19 '13 at 23:12
  • I misread. If the user is logged in and out immediately and the server registers new sessions, that's probably cookie security (like disabled). – Rudie Feb 19 '13 at 23:14
  • Negative -- they are logged in and remain so until the first created session reaches maturity. The system then does what it is supposed to do, which is log them out. Ordinarily, they would have one session for however many tabs/windows. That is what is happening with every user except the one. – a coder Feb 19 '13 at 23:15
  • http://www.fusioncube.net/index.php/multiple-sessions-firefox – Maykonn Feb 19 '13 at 23:19
  • Have you asked about the browser he uses? And has he tried another one? – vikingmaster Feb 19 '13 at 23:19
  • @Jari -- she and all users only use Firefox (system requirement - we do not support `Internet Exploder`). I have log data to confirm that only Firefox is being utilized. – a coder Feb 19 '13 at 23:38

2 Answers

He is most likely using different Firefox browsers.

You can use PHP mobile detect to give you all the information on the browser.

I think it will confirm my guess.

There are multiple variants of Firefox, and most often they send the same headers, so you will not know if they are using 2 different ones:

  1. Firefox (the original)
  2. Tor project
  3. Comodo Ice Dragon
  4. portable Firefox
  5. ...

I cannot think of a way where the same Session_ID cookie would have the same value for the same domain.

Maybe some obscure plugin is tampering with the browser.

FIX: Try changing the name of your session ID (PHP manual)

Example:

```php
<?php

// session_name() must be called before session_start()
session_name("My_new_session_id");
session_start();
```

It is generally asked to change the session name to a less obvious name, like "qwerty".

EDIT:

A quick example of secure session management: link

For more information: OWASP Session Management Cheat Sheet

Jeffrey Nicholson Carré
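
Added example, not part of the answer above or the asker's application: one way to test the "second browser" guess using only application log data is to find users whose session IDs were in use at overlapping times and compare the User-Agent recorded for each. The log format, field names and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample lines in a hypothetical application log format
# (the page does not show the asker's real log layout).
SAMPLE_LOG = """\
2013-02-19T09:00:02 user=alice sid=a1f3 ua="Firefox/18.0" path=/login
2013-02-19T09:05:40 user=bob sid=77c2 ua="Firefox/18.0" path=/login
2013-02-19T09:20:11 user=alice sid=a1f3 ua="Firefox/18.0" path=/report
2013-02-19T09:31:57 user=alice sid=e09b ua="Firefox/18.0" path=/home
2013-02-19T09:33:05 user=alice sid=a1f3 ua="Firefox/18.0" path=/report
2013-02-19T09:48:30 user=bob sid=77c2 ua="Firefox/18.0" path=/home
2013-02-19T10:02:19 user=alice sid=e09b ua="Firefox/18.0" path=/edit
""".splitlines()

LINE_RE = re.compile(r'^(\S+) user=(\S+) sid=(\S+) ua="([^"]*)"')

def session_windows(lines):
    """Return {user: {sid: [first_seen, last_seen, set_of_user_agents]}}."""
    users = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        ts, user, sid, ua = m.groups()
        when = datetime.fromisoformat(ts)
        win = users[user].setdefault(sid, [when, when, set()])
        win[0], win[1] = min(win[0], when), max(win[1], when)
        win[2].add(ua)
    return users

def concurrent_sessions(lines):
    """Report users with two session IDs whose activity windows overlap."""
    findings = []
    for user, sessions in sorted(session_windows(lines).items()):
        ordered = sorted(sessions.items(), key=lambda kv: kv[1][0])
        for (sid_a, a), (sid_b, b) in combinations(ordered, 2):
            if b[0] <= a[1]:  # later session began while the earlier was in use
                findings.append((user, sid_a, sid_b, a[2] == b[2]))
    return findings

if __name__ == "__main__":
    for user, old, new, same_ua in concurrent_sessions(SAMPLE_LOG):
        print(f"{user}: {new} started while {old} was active; same User-Agent: {same_ua}")
```

An identical User-Agent on both sessions does not rule out a second browser, since the variants listed in the answer often send the same headers; it only shows that two cookie stores were active at once.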

Circling back on this question. The problem turned out to be a workflow issue with one of the users. The problem was resolved with education.

a coder