FuelPHP Forums

Auth sessions behave weird
  • Hi 

    I have an issue with an app. In the front office, user accounts behave well, but in administration with admin auth accounts, sometimes the admin user is randomly logged out. I checked every part of my code about auth management, nothing is wrong and I don't have any clue about it. What could possibly make it happen? My session lifetime is 2 hours, the problem doesn't come from it.

    I don't think the problem comes from the server, it happens locally and on a distant Apache server.

    The drivers in use for auth are simpleauth, with the base package configuration.

    I understand the lack of specifications and code about the issue can make it hard to debug, but maybe it's a known issue, if anyone has ever seen it...
  • Are you talking about two different auth environments? Or a single user table with both front-end and admin users?

    What mechanism are you using to store sessions? Which version of Fuel are you using? Do you have multiple users using the same account?

    There was a bug that caused the session update timer not to be updated, which in turn caused the session to expire (in your case after 2 hours), whether there was user activity or not. But since you say it happens "randomly", this cannot be the cause.
  • The same auth environment with both front and end, with groups allowed or not to access the admin.

    The sessions are stored in a cookie, with Fuel 1.5, and no multiple users on the same account.

    I said it seems random, but maybe it's this bug, I didn't start a stopwatch between the logouts.

    Waiting for others' thoughts, let's start with it. In which file did this bug take place? I can't update Fuel for this app but I can manually check and repair it.
  • 1.5 is pretty old, there were quite a few fixes in 1.6 and 1.7:

    Most important, in 1.7.0: "A bug in all session drivers (except cookie) that caused the session timestamp not to be updated has been fixed. The session will now not expire as long as there is activity within the expiration timeout".

    Since you're using cookie based sessions, you don't have this issue (because the cookie timestamp is the timer, there is no separate timer field in use). Also, since the session id and the data is both in the same cookie, there is also no id rotation problem (cookie and data store out of sync).

    No exit or die in use in your code somewhere that may prevent the cookie from being updated?
  • No. My code about the auth (login / logout / admin denied access if not logged with the right group) is pretty simple... It's really weird.

    Something maybe relevant: it happens more often when switching pages with pagination (FuelPHP Pagination class used).
  • Should not really matter, clicking on a pagination link is an HTTP GET like any other link.

    Do these pages store additional data in the session? There is only a very limited amount of data you can store in a cookie, if the cookie gets too big, most browsers delete it, effectively deleting your session (which logs you out).
  • I don't think so. Plus, I changed to the File session storage driver just in case, same bug...
  • Weird. Never heard of such an issue, never experienced it in any of our apps either.

    You could add some code to your index.php to write $_COOKIE to a file, and check what comes in on each page request. Check if you have a page request without a cookie, or if the session id changes on the request that logs you out.
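
One way to do the request logging suggested in the reply above, as an added example that is not part of the thread or of FuelPHP: it writes a truncated SHA-256 fingerprint and the length of each cookie instead of the raw value, so the debug file never holds a usable session cookie. The function name and the log path are assumptions; the syntax is kept compatible with the old PHP versions a Fuel 1.5 app may run on.

```php
<?php
// Added diagnostic sketch, not FuelPHP code. Call it near the top of public/index.php.

/**
 * Append one line per request with a fingerprint of every cookie received.
 * Raw cookie values are never written, so the log cannot be replayed as a session.
 */
function log_cookie_fingerprints(array $cookies, array $server, $logfile)
{
    // Cookie names and the URI are client-controlled: replace anything
    // outside printable ASCII so a request cannot forge extra log lines.
    $clean = function ($s) {
        return preg_replace('/[^\x21-\x7e]/', '?', (string) $s);
    };

    $entries = array();
    foreach ($cookies as $name => $value) {
        // PHP turns "name[key]=v" cookies into arrays; serialise before hashing.
        $raw = is_array($value) ? json_encode($value) : (string) $value;
        $entries[] = sprintf(
            '%s(len=%d,fp=%s)',
            $clean($name),
            strlen($raw),
            substr(hash('sha256', $raw), 0, 12)
        );
    }

    $line = sprintf(
        "%s %s %s cookie_header_bytes=%d cookies=%s\n",
        date('c'),
        $clean(isset($server['REQUEST_METHOD']) ? $server['REQUEST_METHOD'] : '-'),
        $clean(isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '-'),
        strlen(isset($server['HTTP_COOKIE']) ? $server['HTTP_COOKIE'] : ''),
        $entries ? implode(' ', $entries) : 'NONE'
    );

    file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX);
    return $line;
}

// Assumed log location; keep it outside the web root and delete it after debugging.
log_cookie_fingerprints($_COOKIE, $_SERVER, __DIR__ . '/../fuel/app/logs/cookie-debug.log');
```

A line with `cookies=NONE`, or a session cookie whose `fp` changes on the request that logs you out, is the signal the reply describes; a `len` approaching the roughly 4 KB per-cookie browser limit points at the oversized-cookie case raised earlier in the thread.
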
  • After a little break, I come back to this unresolved issue with new elements: I added another session var for test purposes, and it crashes at the same time as the logout happens. So now I know all the stored session vars are unset from time to time, but I have no clue what could cause it.

    Any clues before I run more serious investigations?
  • Wait, wut? I browsed the file session class to see something and I saw this:

    // do some garbage collection
    if (mt_rand(0,100) < $this->config['gc_probability'])
    {
        if ($handle = opendir($this->config['path']))
        {
            $expire = $this->time->get_timestamp() - $this->config['expiration_time'];

            while (($file = readdir($handle)) !== false)
            {
                if (filetype($this->config['path'] . $file) == 'file' and
                    strpos($file, $this->config['cookie_name'].'_') === 0 and
                    filemtime($this->config['path'] . $file) < $expire)
                {
                    @unlink($this->config['path'] . $file);
                }
            }
            closedir($handle);
        }
    }

    In config my gc_probability is set to 5%. You think it could be that? When 5 or less is picked, it erases all session files?
  • No, it says that there is a 5% chance it will dive into that if.

    And if it does, it loops over all files, checks which files have a last-modified timestamp older than the expiry timestamp, and deletes those.

    It will not delete all session files, that would be silly... ;-)
  • Yeah, at the time I posted it I felt pretty dumb x) But 5% is one time in twenty, and it fits exactly with my issue, you get logged out every 15 ~ 25 pages displayed so...

    Well, what is the best way to debug this? The hard part is I can't figure out any common denominator. It happens on all pages or actions and pretty randomly, and with more than one session driver. I will start by setting a session in classic PHP without the Fuel class and see if it's deleted too. All ideas are welcome.
  • That would suggest that if you set gc_probability to 0, all your problems are gone, and if you set it to 100, you can hardly login anymore? If that is not the case, it is unlikely this is the cause of your problem.

    Also, it's the same code that services your frontend and your backend, so it can't be that it only happens in the backend. Is it heavily ajax'd perhaps? Do you have multiple people using the same account (which by default is not supported by Auth)?
  • No multiple users for the same account, and not much ajax. A few around but I don't think enough to cause it. Also it's the same models for public and admin but not the same controllers handling login. I have a Controller_Public and a Controller_Admin, both extended from a Controller_Base, itself extended from Fuel's Controller_Hybrid. And yes, the trouble only takes place in the Admin part...

    But I read my Controller_Admin about a hundred times, nothing in it might lead to a session holocaust
  • Must almost be something specific to your admin environment, otherwise it would happen for other users too?