Hello,
A lot of users are complaining that inexplicably they end up getting logged into another user's account. These are users at a school. At first I assumed that they were sharing computers and the previous user had not logged out properly. But at least some users have assured me that this is not the problem.
Can anyone think of a reason why some users may be logged in as a different user? My users are very angry and I don't know what to do.
Drupal 4.7
Thank you for your help.
Daniel.
Quoting Daniel Carrera daniel.carrera@zmsl.com:
Hello,
A lot of users are complaining that inexplicably they end up getting logged into another user's account. These are users at a school. At first I assumed that they were sharing computers and the previous user had not logged out properly. But at least some users have assured me that this is not the problem.
Can anyone think of a reason why some users may be logged in as a different user? My users are very angry and I don't know what to do.
The only thing I can think of is that for some reason users are getting the same session id. Perhaps setting up a cron session that empties the session table once a day might help.
Drupal 4.7
Drupal 4.7 is old and unsupported at this point in time as far as security updates. You might wish to move to version 5.7 sometime in the near future.
Thank you for your help.
HTH, Earnie -- http://for-my-kids.com/ -- http://give-me-an-offer.com/
Earnie Boyd wrote:
The only thing I can think of is that for some reason users are getting the same session id. Perhaps setting up a cron session that empties the session table once a day might help.
I could try that.
Drupal 4.7 is old and unsupported at this point in time as far as security updates. You might wish to move to version 5.7 sometime in the near future.
Is that hard to do? I've been putting it off because it sounds difficult. I have a lot of plugins and I'm afraid that those will cause a lot of trouble.
Daniel.
Daniel Carrera wrote:
Earnie Boyd wrote:
The only thing I can think of is that for some reason users are getting the same session id. Perhaps setting up a cron session that empties the session table once a day might help.
I could try that.
Drupal 4.7 is old and unsupported at this point in time as far as security updates. You might wish to move to version 5.7 sometime in the near future.
Is that hard to do? I've been putting it off because it sounds difficult. I have a lot of plugins and I'm afraid that those will cause a lot of trouble.
Daniel.
It is as easy as turning off the modules, upgrading Drupal core, installing Drupal 5.x versions of the modules, running update.php and you're done. I would recommend replicating your site on a local server and upgrading it. Once you have successfully upgraded the site, you can upload it to your server. You can even install PHP, Apache and MySQL server on your desktop.
Regards,
Quoting Daniel Carrera daniel.carrera@zmsl.com:
Drupal 4.7 is old and unsupported at this point in time as far as security updates. You might wish to move to version 5.7 sometime in the near future.
Is that hard to do? I've been putting it off because it sounds difficult. I have a lot of plugins and I'm afraid that those will cause a lot of trouble.
You of course want to use a deployment server to get all of the pieces ready and tested before putting into production. Those modules that are converting to version 5.7 have done so by now. If you use any that haven't, you'll need to look in the issue queue for patches others have provided or upgrade it yourself.
Earnie -- http://for-my-kids.com/ -- http://give-me-an-offer.com/
Another thought: Where do you configure how long sessions last before they expire? My first guess was to go to settings.php and change:
ini_set('session.cache_expire', 200000);
To a smaller value. But that didn't do it.
I also have set:
ini_set('session.cookie_lifetime', 0);
Anyways, maybe if sessions expired sooner I could minimize the problems that I'm having.
Thanks for the help.
Daniel.
Earnie Boyd wrote:
Quoting Daniel Carrera daniel.carrera@zmsl.com:
Hello,
A lot of users are complaining that inexplicably they end up getting logged into another user's account. These are users at a school. At first I assumed that they were sharing computers and the previous user had not logged out properly. But at least some users have assured me that this is not the problem.
Can anyone think of a reason why some users may be logged in as a different user? My users are very angry and I don't know what to do.
The only thing I can think of is that for some reason users are getting the same session id. Perhaps setting up a cron session that empties the session table once a day might help.
Drupal 4.7
Drupal 4.7 is old and unsupported at this point in time as far as security updates. You might wish to move to version 5.7 sometime in the near future.
Thank you for your help.
HTH, Earnie -- http://for-my-kids.com/ -- http://give-me-an-offer.com/
Quoting Daniel Carrera daniel.carrera@zmsl.com:
Another thought: Where do you configure how long sessions last before they expire? My first guess was to go to settings.php and change:
ini_set('session.cache_expire', 200000);
To a smaller value. But that didn't do it.
I also have set:
ini_set('session.cookie_lifetime', 0);
This would cause the user to be logged out when the browser closes.
Anyways, maybe if sessions expired sooner I could minimize the problems that I'm having.
I see at http://drupal.org/node/188710 that you should also ini_set('session.use_only_cookies', 0); in the settings.php file.
Earnie -- http://for-my-kids.com/ -- http://give-me-an-offer.com/
Earnie Boyd wrote:
I see at http://drupal.org/node/188710 that you should also ini_set('session.use_only_cookies', 0); in the settings.php file.
Thanks. I have to say that I don't really understand that option. I made the change, but I don't understand what I just did.
Daniel.
I have some additional information from users:
The problem (being apparently logged in as someone else) only appears to happen between users in the same location. Students at a school sometimes appear to be logged in as a different student. But when they go home, the site functions as it should.
If the problem is that sessions are not expiring and a new user comes in to the computer, that would explain why it only happens at school.
If the problem is that somehow Drupal or PHP is giving out session ids that have not expired yet, I'm not sure why that should only happen between users in the same location. Is the session id based on the IP address? All users at the school would have the same IP. The school is even likely to be behind a proxy.
Does this give anyone any ideas as to what might be the root problem?
Thanks
Daniel.
Daniel Carrera wrote:
Earnie Boyd wrote:
I see at http://drupal.org/node/188710 that you should also ini_set('session.use_only_cookies', 0); in the settings.php file.
Thanks. I have to say that I don't really understand that option. I made the change, but I don't understand what I just did.
Daniel.
There is a module to have sessions expire after a configurable amount of time (Khalid's).
http://drupal.org/project/session_expire
Could Drupal be seeing similarly located IPs as being the same?
Anyway, the above module only has a version for 5.x, so you would have to upgrade to use it.
I have used it, it is excellent.
Victor Kane http://awebfactory.com.ar
On Tue, Jun 24, 2008 at 5:37 AM, Daniel Carrera daniel.carrera@zmsl.com wrote:
I have some additional information from users:
The problem (being apparently logged in as someone else) only appears to happen between users in the same location. Students at a school sometimes appear to be logged in as a different student. But when they go home, the site functions as it should.
If the problem is that sessions are not expiring and a new user comes in to the computer, that would explain why it only happens at school.
If the problem is that somehow Drupal or PHP is giving out session ids that have not expired yet, I'm not sure why that should only happen between users in the same location. Is the session id based on the IP address? All users at the school would have the same IP. The school is even likely to be behind a proxy.
Does this give anyone any ideas as to what might be the root problem?
Thanks
Daniel.
Daniel Carrera wrote:
Earnie Boyd wrote:
I see at http://drupal.org/node/188710 that you should also ini_set('session.use_only_cookies', 0); in the settings.php file.
Thanks. I have to say that I don't really understand that option. I made the change, but I don't understand what I just did.
Daniel.
Quoting Daniel Carrera daniel.carrera@zmsl.com:
Does this give anyone any ideas as to what might be the root problem?
What version of PHP are you using? What values are in php.ini for the session variables?
Earnie -- http://for-my-kids.com/ -- http://give-me-an-offer.com/
Earnie Boyd wrote:
Does this give anyone any ideas as to what might be the root problem?
What version of PHP are you using? What values are in php.ini for the session variables?
Version 5.1.4. Here is phpinfo:
http://theingots.org/phpinfo.php
Thanks for the help.
Cheers, Daniel.
Quoting Daniel Carrera daniel.carrera@zmsl.com:
Earnie Boyd wrote:
Does this give anyone any ideas as to what might be the root problem?
What version of PHP are you using? What values are in php.ini for the session variables?
Version 5.1.4. Here is phpinfo:
http://theingots.org/phpinfo.php
Thanks for the help.
Hum, this looks interesting to the issue: http://bugs.php.net/bug.php?id=24781; especially the last comment. I don't know if that comment still applies or not but sounds similar to your issue.
Earnie -- http://for-my-kids.com/ -- http://give-me-an-offer.com/
Earnie Boyd wrote:
Hum, this looks interesting to the issue: http://bugs.php.net/bug.php?id=24781; especially the last comment. I don't know if that comment still applies or not but sounds similar to your issue.
It does indeed.
Daniel.
Earnie Boyd wrote:
Hum, this looks interesting to the issue: http://bugs.php.net/bug.php?id=24781; especially the last comment. I don't know if that comment still applies or not but sounds similar to your issue.
The last response to that issue suggests a couple of things:
1. The PHP devs don't think this is a bug, hence we can suppose that it was not "fixed" in PHP 5.
2. It says: "The solution is to keep the session expiry times shorts and send headers indicating to the proxies/caches that the pages are not to be cached."
So I'll try to follow the advice in the last post. Is there a way to "send headers indicating to the proxies/caches that the pages are not to be cached"?
Is there anything else I can do to make session expiry times short? I have already set:
ini_set('session.cookie_lifetime', 0);
ini_set('session.cache_expire', 10);
ini_set('session.use_only_cookies', 0);
Can I improve on this?
Thanks for the help. Incidentally, I do think that this PHP issue is exactly the problem I'm having. The issue talks about proxy servers caching pages and I fully expect the school to be behind a proxy server.
Cheers Daniel.
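Added example (not part of the original thread): a Python check for the failure mode the PHP bug comment describes, a shared proxy storing a response that carries a session cookie and replaying it to another client. The function names and the sample responses are constructed for illustration, and the cacheability rules are a simplified reading of HTTP caching.

```python
from email.utils import parsedate_to_datetime

def parse_cache_control(values):
    """Merge one or more Cache-Control header values into {directive: arg}."""
    directives = {}
    for part in ",".join(values).split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_verdict(headers):
    """Classify (name, value) response headers as a shared proxy sees them:
    'not-storable', 'revalidate' (origin is asked before reuse) or 'storable'
    (may be replayed to another client). Simplified HTTP caching rules."""
    h = {}
    for name, value in headers:
        h.setdefault(name.lower(), []).append(value)
    cc = parse_cache_control(h.get("cache-control", []))
    if "no-store" in cc or "private" in cc:
        return "not-storable"
    if "no-cache" in cc:
        return "revalidate"
    lifetime = cc.get("s-maxage") or cc.get("max-age")  # s-maxage wins for proxies
    if lifetime is not None:
        return "revalidate" if lifetime == "0" else "storable"
    if "expires" in h and "date" in h:
        try:
            expires = parsedate_to_datetime(h["expires"][0])
            fresh = expires > parsedate_to_datetime(h["date"][0])
        except (TypeError, ValueError):
            fresh = False  # unparseable Expires counts as already expired
        return "storable" if fresh else "revalidate"
    # No explicit lifetime: a cache may still apply heuristic freshness.
    return "storable" if "last-modified" in h else "revalidate"

def session_replay_findings(responses):
    """Return URLs whose Set-Cookie response a shared cache may replay."""
    return [url for url, headers in responses
            if any(n.lower() == "set-cookie" for n, _ in headers)
            and shared_cache_verdict(headers) == "storable"]

# Constructed sample responses (not captured from the site in this thread).
SAMPLE = [
    ("/user/login", [("Date", "Tue, 24 Jun 2008 10:00:00 GMT"),
                     ("Expires", "Tue, 24 Jun 2008 11:00:00 GMT"),
                     ("Set-Cookie", "PHPSESSID=constructed0001; path=/")]),
    ("/node/1", [("Cache-Control", "no-store, no-cache, must-revalidate"),
                 ("Set-Cookie", "PHPSESSID=constructed0002; path=/")]),
    ("/forum", [("Cache-Control", "public, max-age=600"),
                ("Set-Cookie", "PHPSESSID=constructed0003; path=/")]),
]
print(session_replay_findings(SAMPLE))
```

Any URL the check reports is a session-bearing response that needs `Cache-Control: no-store` or `private` from the origin.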
Quoting Daniel Carrera daniel.carrera@zmsl.com:
Is there anything else I can do to make session expiry times short? I have already set:
ini_set('session.cookie_lifetime', 0);
ini_set('session.cache_expire', 10);
ini_set('session.use_only_cookies', 0);
Can I improve on this?
You might try setting both of the following in your php.ini file:
<snippet>
session.entropy_file string
session.entropy_file gives a path to an external resource (file) which will be used as an additional entropy source in the session id creation process. Examples are /dev/random or /dev/urandom which are available on many Unix systems.

session.entropy_length integer
session.entropy_length specifies the number of bytes which will be read from the file specified above. Defaults to 0 (disabled).
</snippet>
The only other thing you might consider is changing the session table primary key to a combination of sid and uid and then modify the queries for sid to also include the uid in the includes/session.inc file.
Earnie -- http://for-my-kids.com/ -- http://give-me-an-offer.com/
Quoting Daniel Carrera daniel.carrera@zmsl.com:
Earnie Boyd wrote:
I see at http://drupal.org/node/188710 that you should also ini_set('session.use_only_cookies', 0); in the settings.php file.
Thanks. I have to say that I don't really understand that option. I made the change, but I don't understand what I just did.
From http://php.net/session.configuration we see:
session.use_only_cookies boolean session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks involved passing session ids in URLs. This setting was added in PHP 4.3.0. Defaults to 1 (enabled) since PHP 6.0.
Earnie -- http://for-my-kids.com/ -- http://give-me-an-offer.com/
Earnie Boyd wrote:
Thanks. I have to say that I don't really understand that option. I made the change, but I don't understand what I just did.
From http://php.net/session.configuration we see:
session.use_only_cookies boolean session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks involved passing session ids in URLs. This setting was added in PHP 4.3.0. Defaults to 1 (enabled) since PHP 6.0.
Yes. I had read that. But I don't see what that has to do with sessions expiring. For that matter, I don't know what else PHP would be using besides cookies.
Oh oh.... I think I get it. That says that the cookie will only store the session id and other than that no other information will be stored.... Is that right?
Sorry, I'm dumb. When I read that the first time I thought it meant "session id will be stored in cookies but nowhere else" and my reaction was "where else would you store it?".
Daniel.
I am getting an error which is kind of similar to this. After reading through PHP memory issue and server tuning concepts I did change some ini settings. Now my browser (Internet Explorer) is working differently. If I open my Drupal site and do some operations it works. If I leave the browser idle for some time and then click on any link in the site, it is not working. IE seems to be exploring (i.e. that internet symbol in the top right corner seems to be revolving always). Please suggest how I could rectify this issue.
Thanks Bharathi
On Tue, Jun 24, 2008 at 6:49 PM, Daniel Carrera daniel.carrera@zmsl.com wrote:
Earnie Boyd wrote:
Thanks. I have to say that I don't really understand that option. I made the change, but I don't understand what I just did.
From http://php.net/session.configuration we see:
session.use_only_cookies boolean session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks involved passing session ids in URLs. This setting was added in PHP 4.3.0. Defaults to 1 (enabled) since PHP 6.0.
Yes. I had read that. But I don't see what that has to do with sessions expiring. For that matter, I don't know what else PHP would be using besides cookies.
Oh oh.... I think I get it. That says that the cookie will only store the session id and other than that no other information will be stored.... Is that right?
Sorry, I'm dumb. When I read that the first time I thought it meant "session id will be stored in cookies but nowhere else" and my reaction was "where else would you store it?".
Daniel.
Quoting "bharathi.selvan" bharathi.selvan@gmail.com:
I am getting an error which is kind of similar to this. After reading through PHP memory issue and server tuning concepts I did change some ini settings. Now my browser (Internet Explorer) is working differently. If I open my Drupal site and do some operations it works. If I leave the browser idle for some time and then click on any link in the site, it is not working. IE seems to be exploring (i.e. that internet symbol in the top right corner seems to be revolving always). Please suggest how I could rectify this issue.
Not the same thing at all. My guess at *your* issue is that it is server resource related.
Earnie -- http://for-my-kids.com/ -- http://give-me-an-offer.com/
Quoting Daniel Carrera daniel.carrera@zmsl.com:
Earnie Boyd wrote:
Thanks. I have to say that I don't really understand that option. I made the change, but I don't understand what I just did.
From http://php.net/session.configuration we see:
session.use_only_cookies boolean session.use_only_cookies specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks involved passing session ids in URLs. This setting was added in PHP 4.3.0. Defaults to 1 (enabled) since PHP 6.0.
Yes. I had read that. But I don't see what that has to do with sessions expiring. For that matter, I don't know what else PHP would be using besides cookies.
Oh oh.... I think I get it. That says that the cookie will only store the session id and other than that no other information will be stored.... Is that right?
No, with a TRUE value this prevents the session id being passed in the $_GET array. PHP used to pass the session id by default appended to the URL. Now by default it only uses cookies to store the session id.
Earnie -- http://for-my-kids.com/ -- http://give-me-an-offer.com/
Earnie Boyd wrote:
No, with a TRUE value this prevents the session id being passed in the $_GET array. PHP used to pass the session id by default appended to the URL. Now by default it only uses cookies to store the session id.
Ah. Thanks. So, if I set ini_set('session.use_only_cookies', 0); that means that PHP will then include the session id in $_GET ? How does this make sessions expire more easily?
Daniel.