FuelPHP Forums
Problem with session / rotation time - How to troubleshoot?
  • Hey there! I'm developing an app for the Layar API and have some session issues. I think it is because of the session rotation time. If I set the rotation time to 10 seconds, after a few requests the session gets lost. (I couldn't reproduce exactly when it happens.) Maybe someone has some tips on how to debug this so that I can determine if it is caused by Layar or by FuelPHP?
    - Or some best practices regarding sessions? For now I set the rotation_time to 2 hours to work around this problem. Here's my session.php:
    https://gist.github.com/1932395 Layar-API Cookies/Auth:
    http://layar.com/documentation/browser/howtos/user-authentication/ Cheers,
    Matthias
  • The session ID logic in the session class has been explicitly designed to be resilient against a rotation of the session ID. Having said that, 10 seconds is EXTREMELY short. This means that if you have multiple concurrent calls in the same session, one spanning 20 seconds or more, you will lose your session (it can't look further back than 1 session ID). I can imagine that long response times in a mobile environment with a Layar architecture are not uncommon. Setting it to null (as you documented in your session.php) will cause it to revert to the default of 300 seconds. It is safe to increase the session rotation time; usually the default is fine. Combined with encryption and other security measures, the session cookie is reasonably well protected against session hijacking. Basically, session ID rotation is always going to be an issue in multi-access stateless environments; there's technically no way around it. The way it works:
    - request A sends a request to the server
    - server starts processing request A
    - request B sends a request to the server
    - server starts processing request B
    - server decides to rotate the session ID on request B
    - server sends answer B back
    - browser stores the session cookie with the new ID
    - server sends answer A back (no rotation here, so the OLD ID is sent back!)
    - browser overwrites the correct cookie with the cookie containing the old ID
    - session is lost

    FuelPHP mitigates this scenario by keeping the old session ID, but that solves the problem for only 1 rotation. Ideally you need a central non-blocking service to maintain unique sessions per user, and all requests from that user should use that service, so that all requests are aware of the ID change when it is triggered. PHP's native sessions simply solve this by locking the server session file, basically forcing all requests of a user to be executed in a serial fashion (due to the lock). This is a mechanism that should be avoided in the "web 2.0" era. There is a rewrite of the Session class on the roadmap for version 2; this issue is definitely on the agenda.
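As an added illustration (not code from this thread or from FuelPHP), the Python simulation below replays the race described above: a store that remembers exactly one previous ID survives a single rotation during a slow request, but not two. The names `SessionStore`, `race` and `survives`, and the rule of thumb that a request spanning N rotation periods can be overtaken by N rotations, are assumptions of this example.

```python
import secrets


class SessionStore:
    """Server-side store that remembers one previous ID per session,
    mirroring the mitigation the answer describes (one rotation back)."""

    def __init__(self):
        self.sessions = {}  # current_id -> {"data": ..., "prev": previous_id}

    def start(self, data):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"data": data, "prev": None}
        return sid

    def resolve(self, cookie_sid):
        """Map the ID in the cookie to the current ID, or None if lost."""
        if cookie_sid in self.sessions:
            return cookie_sid
        for sid, sess in self.sessions.items():
            if sess["prev"] == cookie_sid:
                return sid  # exactly one rotation behind: still recoverable
        return None

    def rotate(self, sid):
        new_sid = secrets.token_hex(8)
        sess = self.sessions.pop(sid)
        sess["prev"] = sid  # only the last ID is kept
        self.sessions[new_sid] = sess
        return new_sid


def race(rotations_during_a):
    """Slow request A starts; meanwhile the browser fires fast requests
    that each trigger a rotation and update the cookie. A's reply lands
    last and its Set-Cookie carries the ID A started with."""
    store = SessionStore()
    cookie = store.start({"user": "alice"})  # constructed sample session
    a_sid = store.resolve(cookie)  # A begins with the current ID
    for _ in range(rotations_during_a):
        cookie = store.rotate(store.resolve(cookie))  # request B: rotate
    cookie = a_sid  # answer A arrives: browser overwrites with old ID
    return store.resolve(cookie) is not None  # does the next request win?


def survives(longest_request_s, rotation_time_s):
    """Approximate the thread's rule of thumb: a request spanning N
    rotation periods can be overtaken by N rotations (assumption)."""
    return race(longest_request_s // rotation_time_s)
```

`survives(20, 10)` reproduces the answer's 20-second-request example (lost), while `survives(20, 300)` shows why the 300-second default is unaffected.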
  • Thanks for the detailed answer! I'm developing right now an app with lots of small, multiple AJAX requests. So that will probably cause the problem with session rotation. I also remember this being an issue while working with the CodeIgniter framework as well: http://codeigniter.com/forums/viewthread/138823/ Would it be a good idea to fix it the same way for FuelPHP? Just disabling session rotation for AJAX requests?
  • That doesn't really solve the problem; you will have the same issue with two windows open. Make sure the rotation time is longer than the longest running request, and you should be safe against most trouble. We're working on improvements to make it even more reliable. (P.S. the CI session class doesn't have any of the measures built into FuelPHP's class; the problem there is far worse, you can't compare the two.)
  • Harro Verton wrote on Monday 12th of March 2012:
    That doesn't really solve the problem; you will have the same issue with two windows open. Make sure the rotation time is longer than the longest running request, and you should be safe against most trouble. We're working on improvements to make it even more reliable. (P.S. the CI session class doesn't have any of the measures built into FuelPHP's class; the problem there is far worse, you can't compare the two.)

    Alright, thanks for the info. Much appreciated!
