Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
Session expiration caused by ajax requests
  • WaldlaeuferWaldlaeufer


    I've been having trouble with my users' sessions randomly expiring on them frequently while using my Fuel-based application. I think it might be caused by session rotation between concurrent ajax calls. I know Fuel is supposed to have safeguards against this, so I'm wondering if I'm supposed to be doing something special in my requests. I've included my session config below:




    'auto_initialize' => true,
    'driver' => 'db',
    'match_ip' => false,
    'match_ua' => true,
    'cookie_domain' => '',
    'cookie_path' => '/',
    'cookie_http_only' => null,
    'encrypt_cookie' => true,
    'expire_on_close' => false,
    'expiration_time' => 32400,
    'rotation_time' => 300,
    'flash_id' => 'flash',
    'flash_auto_expire' => true,
    'flash_expire_after_get' => true,
    'post_cookie_name' => '',
    'http_header_name' => 'Session-Id',
    'enable_cookie' => true,
    'native_emulation' => false,
    'cookie' => array(
    'cookie_name' => 'fuelcid',
    ),
    'file' => array(
    'cookie_name' => 'fuelfid',
    'path' => '/tmp',
    'gc_probability' => 5
    ),
    'memcached' => array(
    'cookie_name' => 'fuelmid',
    'servers' => array(
    'default' => array('host' => '127.0.0.1', 'port' => 11211, 'weight' => 100)
    ),
    ),
    'db' => array(
    'cookie_name' => 'd',
    'database' => Config::get('environment'),
    'table' => 'sessions',
    'gc_probability' => 5
    ),
    'redis' => array(
    'cookie_name' => 'fuelrid',
    'database' => 'default'
    )
  • HarroHarro
    You can't completely safeguard against it, sessions are not atomic.

    It can happen when you have a lot of concurrent ajax requests two requests simultaneously rotate the session id. When that happens you have a double rotation which is something the Session class can't cope with at the moment.

    The only thing you can do to prevent it, is increase the session rotation time, or to disable session rotation, and rotate manually, for example on a page load.
  • WaldlaeuferWaldlaeufer
    Thanks, Harro!  The second option sounds like a great idea.  I'll try implementing it!
  • HarroHarro
    If you're using Auth, it will already manually rotate the session id on login, so you don't have to do that.
Add a Comment

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Categories

In this Discussion