PHP sessions problem

Discussion in 'Troubleshooting' started by juniorm, Mar 13, 2012.

  1. juniorm

    juniorm Member

    Joined:
    Nov 13, 2005
    Messages:
    46
    hello,

    I have had Amember running on my sites for almost 5 years now and this last week a problem arose.

    On one site, it is possible for a person to randomly assume the membership session details of another member who may have recently logged on.

    I use php_include and run the check on all pages.
    Every so often this has recently happened and this can have disastrous results for our site.

    I rebuilt the dbase a few times now, but still the problem is there.
    Is there anything that can be done to beef up session security/uniqueness?

    this is forcing me to have to close my busy website until support or someone can shed some light

    (linux latest 3.x amember)

    I have had a ticket since the weekend but there is no answer yet.
  2. alex

    alex Administrator Staff Member

    Joined:
    Jan 24, 2004
    Messages:
    6,020
    Have you enabled WP cache or something like that?
  4. skippybosco

    skippybosco CGI-Central Partner Staff Member

    Joined:
    Aug 22, 2006
    Messages:
    2,526
    1. In addition to WP Super Cache, is APC or Memcache included in your environment?

    2. Is a live customer seeing the issue or are you concerned because you were able to produce the issue in your testing?
  5. juniorm

    juniorm Member

    Joined:
    Nov 13, 2005
    Messages:
    46
    hello,

    sorry for the delay getting back..

    1. memcache is being used on the server, but not for session handling or user-page caching.

    2. Live customers at one point did see this issue quite a lot. I had to put some temporary IP-checking in to see if the IP address they logged in with changed at all during their time on the site... (it does for quite a few, and for those I log them out immediately).

    3. it is not a wordpress site.

    4. is there a possibility that the cookie size could get too big and get corrupted or cause issues?

    5. i do use some ajax polling around twice a minute and that also calls the check.inc.php routine.

    The problem was very strange because a member would seem to inherit the session of another member.
  6. skippybosco

    skippybosco CGI-Central Partner Staff Member

    Joined:
    Aug 22, 2006
    Messages:
    2,526
    Only time I've seen session cross over issues was with caching (and actually wasn't a session issue, but rather showing a statically cached page that included content for another user).

    Based on your list, I would investigate memcache as a possible culprit.
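
The caching failure described in the last reply (a stored page, or its session cookie, served to a different user) can be checked for in the response headers of members-only pages. The following Python check is an added example, not part of the thread or of aMember's code; the function names and finding codes are hypothetical.

```python
# Added example. Header samples in the test are constructed, not taken from the thread.

def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().lower().partition("=")
        if name:
            directives[name.strip()] = arg.strip().strip('"') or None
    return directives


def audit_member_response(headers):
    """Audit one response from a members-only page.

    headers: list of (name, value) tuples. Returns finding codes; empty list = OK.
    """
    h = {}
    for name, value in headers:
        h.setdefault(name.lower(), []).append(value)
    cc = parse_cache_control(",".join(h.get("cache-control", [])))
    sets_cookie = "set-cookie" in h
    # Only these two directives forbid a shared cache from reusing the response.
    protected = "no-store" in cc or "private" in cc
    # s-maxage overrides max-age for shared caches.
    ttl = cc.get("s-maxage", cc.get("max-age"))
    cacheable = "public" in cc or (ttl is not None and ttl.isdigit() and int(ttl) > 0)
    vary = {v.strip().lower() for line in h.get("vary", []) for v in line.split(",")}

    findings = []
    if protected:
        return findings
    if sets_cookie and cacheable:
        # A stored copy would replay this session cookie to the next visitor.
        findings.append("session-cookie-in-cacheable-response")
    elif sets_cookie:
        # Outcome depends on each cache's defaults; state the policy explicitly.
        findings.append("session-cookie-without-cache-policy")
    if cacheable and "cookie" not in vary:
        # One stored page is served to every member regardless of their cookie.
        findings.append("cacheable-without-vary-cookie")
    return findings
```

Feed it the headers of a logged-in page as fetched through every caching layer in front of the application; an empty list means the response forbids shared-cache reuse or is not marked cacheable.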
