
Hi, I'm having problems with a web application that is working perfectly at my home, but when I try to use it with different networks from a company, sessions end frequently. It can occur anytime, even if the users are navigating through the site. I think that it occurs especially when everybody is using the internet. Finally, this company works with another web application, and this is using a session cookie created with .aspx and works. Also, I can use my site after closing my web browser at home. Do you have any idea? This is my code:

function signout(){
    unset($_SESSION['username']);
    unset($_SESSION['id']);
    unset($_SESSION['coa']);
    unset($_SESSION['registrar_usuarios']);
    unset($_SESSION['capturar_pedidos']);
    unset($_SESSION['salida_materiales']);
    unset($_SESSION['alta_clientes']);
    unset($_SESSION['alta_productos']);
    unset($_SESSION['usuario_cliente']);
    unset($_SESSION['cliente']);

    session_destroy();
    session_regenerate_id(true);
    redirectTo('index');
}

/**
 *
 * @return bool, true if all good
 */
function guard(){

    $isValid = true;
    $fingerprint = md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);

    if((isset($_SESSION['fingerprint']) && $_SESSION['fingerprint'] != $fingerprint)){
        $isValid = false;
        signout();
    }

    return $isValid;
}

function isValidImage($file){
    $form_errors = array();

    //split file name into an array using the dot (.)
    $part = explode(".", $file);

    //target the last element in the array
    $extension = end($part);

    switch(strtolower($extension)){
        case 'jpg':
        case 'gif':
        case 'bmp':
        case 'png':
            return $form_errors;
    }

    $form_errors[] = $extension . " is not a valid image extension";
    return $form_errors;
}

function uploadAvatar($username){
    if($_FILES['avatar']['tmp_name']){

        //File in the temp location
        $temp_file = $_FILES['avatar']['tmp_name'];
        $ext = pathinfo($_FILES['avatar']['name'], PATHINFO_EXTENSION);
        $filename = $username.md5(microtime()).".{$ext}";

        $path = __DIR__ . "/../../uploadscsrnacional/{$filename}"; //uploads/demo.jpg
        move_uploaded_file($temp_file, $path);

        return $path;
    }

    return false;
}

function _token(){
    $randonToken = base64_encode(openssl_random_pseudo_bytes(32));
    //$randonToken = md5(uniqid(rand(), true))." md5";

    return $_SESSION['token'] = $randonToken;
}

function validate_token($requestToken){
    if(isset($_SESSION['token']) && $requestToken === $_SESSION['token']){
        unset($_SESSION['token']);

        return true;
    }

    return false;
}

function prepLogin($id, $username, $coa, $registrar_usuarios, $capturar_pedidos, $salida_materiales, $alta_clientes, $alta_productos, $usuario_cliente, $cliente){
    $_SESSION['id'] = $id;
    $_SESSION['username'] = $username;
    $_SESSION['coa'] = $coa;
    $_SESSION['registrar_usuarios'] = $registrar_usuarios;
    $_SESSION['capturar_pedidos'] = $capturar_pedidos;
    $_SESSION['salida_materiales'] = $salida_materiales;
    $_SESSION['alta_clientes'] = $alta_clientes;
    $_SESSION['alta_productos'] = $alta_productos;
    $_SESSION['usuario_cliente'] = $usuario_cliente;
    $_SESSION['cliente'] = $cliente;

    $fingerprint = md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
    $_SESSION['fingerprint'] = $fingerprint;


    echo $welcome = "<script type=\"text/javascript\">
                            swal({
                            title: \"Welcome back $username! \",
                            text: \"You're being logged in.\",
                            type: 'success',
                            timer: 3000,
                            showConfirmButton: false });
                            setTimeout(function(){
                               window.location.href = 'index.php';
                            }, 3000);
                        </script>";
}

My php.ini in public_html (GoDaddy):

session.cookie_lifetime 43200
session.gc_maxlifetime 43200

And I start my session with this:

<?php
$session_lifetime = 3600 * 24 * 2; // 2 days
session_set_cookie_params ($session_lifetime);
session_start();

PHP Version 5.4.45

sessions php

Daniel Treviño
  • Are your session files being saved in a central location, or are they saved per domain on the server? Assuming you have more than one domain. I had an issue before where all our company sites saved the session files in the same folders. So those files could get changed by our other sites. We fixed this by making sure the location they were saved was not shared across domains. – ArtisticPhoenix Nov 01 '17 at 04:09
  • This could be an issue `using session cookie created with .aspx`, I've never mixed them, but you may have to do something like how SO lets you login using your Facebook, ie. they don't share sessions but let you use an external account to login. – ArtisticPhoenix Nov 01 '17 at 04:12
  • I just save the cookie without a database record, and sorry, let me explain the situation better: I mean the cookie from .aspx is from another web application and is working perfectly in every network from the company. I don't know if there are limitations using a PHP cookie session instead of .aspx – Daniel Treviño Nov 01 '17 at 04:18
  • There are only the limits you set. see. https://stackoverflow.com/questions/9904105/php-sessions-default-timeout – ArtisticPhoenix Nov 01 '17 at 04:23
  • Well, I found the answer. I commented out this signout and it is working with every network: `if((isset($_SESSION['fingerprint']) && $_SESSION['fingerprint'] != $fingerprint)){ $isValid = false; // signout(); }` Do you know why it is working now? – Daniel Treviño Nov 01 '17 at 18:53

1 Answer


Set up a script to put on both servers:

<?php
  phpinfo();
?>

Run it and check the sessions settings to compare what needs to change in the php.ini file.

Also compare the PHP versions as things do tend to change.

Update: Since you're using session cookies look at the expiration time of the cookie to see if that's what's triggering it potentially.

On the expire time of 1440, check higher up in the server info to see which php.ini file is being loaded (path) and if you have access to it. Sometimes there are default files on the server, but the actual live configuration might reside in another directory; especially if you're using something like cpanel for control.

AbsoluteƵERØ
  • I used your script and I put the information in my question. Well, I think that maybe I found something: my session.gc_maxlifetime has a different time in the server information using phpinfo(), because I put session.gc_maxlifetime 43200 in php.ini inside public_html, but with your code this displays 1440. By the way, I used just one cPanel, I think that is one server, but this company is running another system (.aspx) with a private server, and this system keeps the session open with a cookie too – Daniel Treviño Nov 01 '17 at 05:11
  • That's the value you would need to change, the 1440. – AbsoluteƵERØ Nov 01 '17 at 07:56
  • Well, I found the answer: I commented out signout here: `if((isset($_SESSION['fingerprint']) && $_SESSION['fingerprint'] != $fingerprint)){ $isValid = false; // signout(); }` – Daniel Treviño Nov 01 '17 at 18:52
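
The `guard()` in the question hashes `REMOTE_ADDR` into the fingerprint, so a client whose requests reach the server from more than one address is signed out on the first request that arrives from a different one. The sketch below is an added example, not code from the question or the answer; it compares that fingerprint with one that leaves the IP out. The function names, the sample addresses and the User-Agent strings are constructed for illustration, and the multi-address network is an assumption about the company's setup.

```php
<?php
// Added example (not the poster's code); all function names are hypothetical.

// Fingerprint as built in the question: any change of client IP changes it.
function fingerprintWithIp(array $server) {
    return md5($server['REMOTE_ADDR'] . $server['HTTP_USER_AGENT']);
}

// Alternative: bind the session to the User-Agent only, so a client that
// leaves the network through several outbound addresses keeps its session.
function fingerprintWithoutIp(array $server) {
    $ua = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
    return hash('sha256', $ua);
}

// Same comparison as guard(), without side effects: true means the session
// would be kept, false means guard() would have called signout().
function sessionSurvives(array $session, $fingerprint) {
    return !isset($session['fingerprint'])
        || $session['fingerprint'] === $fingerprint;
}

// Constructed requests: one browser seen from two addresses, and a second
// browser replaying the cookie (203.0.113.0/24 is a documentation range).
$ua      = 'Mozilla/5.0 (constructed sample)';
$login   = array('REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => $ua);
$newIp   = array('REMOTE_ADDR' => '203.0.113.11', 'HTTP_USER_AGENT' => $ua);
$otherUa = array('REMOTE_ADDR' => '203.0.113.11',
                 'HTTP_USER_AGENT' => 'OtherClient/1.0 (constructed sample)');

foreach (array('fingerprintWithIp', 'fingerprintWithoutIp') as $fn) {
    // Fingerprint stored at login, as prepLogin() does.
    $session = array('fingerprint' => $fn($login));
    printf(
        "%-22s same browser, new IP: %-10s different browser: %s\n",
        $fn,
        sessionSurvives($session, $fn($newIp)) ? 'kept' : 'signed out',
        sessionSurvives($session, $fn($otherUa)) ? 'kept' : 'signed out'
    );
}
```

With the IP removed, the check only catches a cookie replayed from a client that sends a different User-Agent, which is a weaker binding than the original but still a check, unlike a `guard()` whose `signout()` call is commented out.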