Some users losing session

[Zboyet]

I have a login system that I built that uses urls and cookies to pass the session data. A lot of my users are reporting that they log in fine but when they browse to another page they appear to be logged out.

This has been a very frustrating bug to try to squash since no matter what I do I cannot reproduce the error and everything works exactly like it is supposed to. I have even went as far as completely blocking cookies and useing the exact same browsers they are (which range from IE to Firefox) and everything still works fine.

Does anyone know why some users would have problems with their sessions getting dropped and others would not? I am sure I could fix the problem if only I could reproduce it.

Some users report their age changing to the date or their name changing to the DB username

[metho]

e.g. code plz

[Zboyet]

This is included in all login based pages

Code:

<?php
session_start();
header("Cache-control: private");


//require the PEAR::DB classes.
require_once 'DB.php';

$db_engine = 'mysql';
$db_user = '***';
$db_pass = '***';
$db_host = 'localhost';
$db_name = '***';

$datasource = $db_engine.'://'.
			  $db_user.':'.
			  $db_pass.'@'.
		 	  $db_host.'/'.
	  		  $db_name;


$db_object = DB::connect($datasource, TRUE);

/* assign database object in $db_object, 

if the connection fails $db_object will contain

the error message. */

// If $db_object contains an error:

// error and exit.

if(DB::isError($db_object)) {
	die($db_object->getMessage());
}

$db_object->setFetchMode(DB_FETCHMODE_ASSOC);

// we write this later on, ignore for now.

/* check login script, included in db_connect.php. */
if (!isset($_SESSION['site_username']) || !isset($_SESSION['site_password'])) {
	$logged_in = 0;
	return;
} else {
$site_username = $_SESSION['site_username'];
$site_password = $_SESSION['site_password'];

	// remember, $_SESSION['password'] will be encrypted.

	if(!get_magic_quotes_gpc()) {
		$site_username = addslashes($site_username);
	}


	// addslashes to session username before using in a query.
	$pass = $db_object->query("SELECT password FROM author_profiles WHERE username = '$site_username'");

	if(DB::isError($pass)) {
		$logged_in = 0;
		unset($_SESSION['site_username']);
		unset($_SESSION['site_password']);
		// kill incorrect session variables.
	}

	$db_pass = $pass->fetchRow();

	// now we have encrypted pass from DB in 
	//$db_pass['password'], stripslashes() just incase:

	$db_pass['password'] = stripslashes($db_pass['password']);
	$site_password = stripslashes($_SESSION['site_password']);



	//compare:



	if($site_password == $db_pass['password']) { 
		// valid password for username
		$logged_in = 1; // they have correct info
					// in session variables.
	} else {
		$logged_in = 0;
		unset($_SESSION['site_username']);
		unset($_SESSION['site_password']);
		// kill incorrect session variables.
	}
}


// clean up
unset($db_pass['password']);

$site_username = stripslashes($site_username);

?>

I use these to make mysql queries etc
$logged_in
$site_username
$site_password

[KDesigns]

Just a thought, but you may want to check into the hosting company. I had a similar problem where sessions seemed to be just dropping. Turns out the host had the site piped through 5 different servers.

[Zboyet]

That should not be a problem since I operate my own servers

[sam_rich]

Did you ever find an answer to this session dropping problem? I am now having the same problem.

Thanks,
Sam

[wonshikee]

Have you asked if they enabled cookies for your site?

[superuser2]

IE5 can't keep track of a vBulletin session without a remember-me cookie - perhaps it's browser related?

Try perhaps using database-powered sessions?

You can follow those instructions and make sure the code runs before session_start on every page - try using auto_prepend_file if there's too many to edit manually.

Keeping sessions in the database obviously doesn't fix the problem with your default session mechanism but it does solve your problem and is no less clean than regular sessions - go ahead and use it.

[auricle]

Err... the obvious question is under what circumstances are users' sessions being lost? Perhaps when they get up from their machines and don't come back for a while? The default session timeout is 1440 seconds (24 minutes).

To implement session expiry, a Db-based session handler will have to have a either for expiry or for the last request.