On my website, which is on shared hosting at HostGator, I started getting error 500 a few days back during a period of heavy traffic (249 visits, 148,429 hits, 141,829 pages, 723.01 MB bandwidth on that day; many people were hitting MySQL queries, and on shared hosting HostGator only allows 25 running processes at a time). As soon as the traffic decreased, the errors disappeared.

But when I accessed the error logs of that time and day, this is what I found written many times:

[12-Oct-2014 16:37:16] PHP Warning:  session_start() [<a href='function.session-start'>function.session-start</a>]: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/amalthea/public_html/tkq/q0.php on line 2
[12-Oct-2014 16:37:16] PHP Warning:  session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cookie - headers already sent by (output started at /home/amalthea/public_html/tkq/q0.php:2) in /home/amalthea/public_html/tkq/q0.php on line 2
[12-Oct-2014 16:37:16] PHP Warning:  session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at /home/amalthea/public_html/tkq/q0.php:2) in /home/amalthea/public_html/tkq/q0.php on line 2
[12-Oct-2014 16:37:16] PHP Warning:  Cannot modify header information - headers already sent by (output started at /home/amalthea/public_html/tkq/q0.php:2) in /home/amalthea/public_html/tkq/user.cookies.php on line 5

What I don't understand is how the error "The session id is too long or contains illegal characters" was caused by heavy traffic. What has heavy traffic got to do with session id characters?

Currently, the site is working fine. I also visited this question on Stack Overflow, but it does not explain the error; it only gives a work-around. Please explain why I got the error ONLY under heavy traffic. I want to make sure that my code is correct.

Below is how all my PHP pages start on the site:

<?php
session_start();
require_once("user.cookies.php");

$username = $_SESSION["SESS_USERNAME"];
$id= $_SESSION["SESS_USERID"];

And here is user.cookies.php

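<?php

// Redirect helper: send the Location header and stop the script, so the
// rest of the protected page never runs for a visitor who is not logged in.
// header() returns nothing, so there is no value to pass back.
function returnheader($location){
    header("Location: $location");
    exit;
}

// empty() also covers a session that has no SESS_USERNAME key at all.
if(empty($_SESSION["SESS_USERNAME"])){

    //redirect
    returnheader("login.php");
}

?>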
dc95
  • If you manually went into your cookies and set the session id to some absurdly long value, does the same error occur? Could someone just be screwing with you or trying to force errors? – Kevin B Oct 15 '14 at 20:29
  • Check $_COOKIEs and see what's set for the session id/value whenever you get those errors. – Marc B Oct 15 '14 at 20:30
  • @MarcB, Currently, the cookie variable value is coming through fine. How do I get the cookie variable value from a few days ago? – dc95 Oct 15 '14 at 20:49
  • @KevinB, I don't think someone would be screwing with me to force errors. And what do you mean by manually going into the cookies? And my original question: can the cause of error 500 on the webpage (in this case, the process limit of 25) be causing this session id error in the error log? – dc95 Oct 15 '14 at 20:50
  • To your original question, I doubt it. As far as cookies go, it's certainly possible for a crawler to force a 500 error on purpose, such as knowing what a 500 error on your site looks like so that other 500 errors can be correctly ignored. It's also possible for a malicious user (or crawler) to be attempting to view debug information about your server to find weak points. – Kevin B Oct 15 '14 at 21:14
  • @KevinB, what can I do to prevent it from happening in the future, other than the link mentioned in my question? Would adding `@` before `session_start()` help, as mentioned [here](https://www.daniweb.com/web-development/php/threads/48284/session_start-cannot-send-session-cookie-headers-already-sent-by#post1173096)? – dc95 Oct 15 '14 at 21:34
  • All that does is prevent the error from being reported. As long as your application correctly deals with a session not starting due to this error, that might be ok. I would instead just ensure that no debugging information is being reported to the client when such an error occurs and leave it at that. – Kevin B Oct 15 '14 at 21:36
  • "(...) a cookie that links you to a generated session id is client side. If that cookie changes to an invalid format (somebody is trying to exploit something) PHP will notice it." – lbrandao Oct 15 '14 at 21:39

1 Answer

As mentioned in this question

(...) a cookie that links you to a generated session id is client side. If that cookie changes to an invalid format (somebody is trying to exploit something) PHP will notice it.

lbrandao
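
One way to act on the comments and the answer above is to check the client-supplied session id against the character set named in the warning before `session_start()` sees it, and to keep PHP warnings out of the response. This is an added example, not code from the asker or the answerers; the function names, the 128-character cap and the use of cookie-only sessions are assumptions.

```php
<?php
// Added example; function names and the 128-character cap are assumptions.

// Keep warnings in the server log, not in the response body.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// True when the id uses only the characters named in the warning
// (a-z, A-Z, 0-9, '-' and ',') and has a bounded length.
function is_valid_session_id($id)
{
    // is_string() also rejects an array sent as PHPSESSID[]=...
    return is_string($id) && preg_match('/^[A-Za-z0-9,-]{1,128}$/D', $id) === 1;
}

// Start the session, discarding a malformed client-supplied id first.
function start_session_checked()
{
    $name = session_name(); // "PHPSESSID" unless reconfigured
    if (isset($_COOKIE[$name]) && !is_valid_session_id($_COOKIE[$name])) {
        $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        $len  = is_string($_COOKIE[$name]) ? strlen($_COOKIE[$name]) : -1;
        // Record who sent it and how long it was, never the raw value.
        error_log("Rejected malformed session id from $addr (length $len)");
        // With the cookie entry gone, session_start() issues a fresh id.
        unset($_COOKIE[$name]);
    }
    return session_start();
}

// Redirect unauthenticated visitors and stop executing the page.
function require_login($location = 'login.php')
{
    if (empty($_SESSION['SESS_USERNAME'])) {
        header("Location: $location");
        exit;
    }
}

start_session_checked();
require_login();
```

The logged address and length give a record to review later, which addresses the question of how to see what was sent on the day the warnings appeared.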