We have a recurring issue related to unexpected, random user session expiration within all the applications hosted in subdomains of the same domain, forcing us to re-authenticate every time we are kicked out.

Our system is:

  • 3 Dedicated Servers run by a server provider, 3 static IPs
  • Each server acts as a Virtual server, we can have as many hostings as we need
  • 200-300 different users working simultaneously in the applications

Server 1

  • A main domain "example.com" that points to a WordPress website in a hosting of the server
  • A forum application, phpBB 3.2, hosted in "forum.example.com"
  • 4 wiki sites in wikiX.example.com
  • apache 2.4.46-1~bpo9+1
  • PHP 7.3
  • mysql-server 10.1.48-0+deb9u2
  • PHP Session folder: /home/.example.com/tmp

Server 2

  • Several SugarCRM CE 6.5.15 instances in PHP 5.6 running in different subdomains sugarcrmX.example.com
  • apache 2.2.22-13+deb7u11
  • php 5.6
  • mysql-server 5.5.57-0+deb7u1
  • PHP Session folder: /home/sugarcrm.example.com/tmp
  • Each app with a different unique_key in config.php

Server 3

  • Several SuiteCRM 7.11.15 instances running in different subdomains suitecrmX.sinergiacrm.org
  • apache 2.4.46-1~bpo9+1
  • PHP 7.3
  • mysql-server 10.1.48-0+deb9u2
  • PHP Session folder: /home/suitecrmX.example.com/tmp
  • Each app with a different unique_key in config.php

We often work in parallel within the different applications: SuiteCRM, SugarCRM, Forums and Wikis. Then, at some point that we can't define, the applications kick us out with the message 'You have been logged out because your session has expired.', redirecting us to the login page of each of the applications that we were using at that moment. From this moment and for several hours, the situation happens again and again, kicking us out repeatedly, until a time when it seems to stop, leaving us for a couple of hours.

This happens to all the members of our team: 8 people working from different locations with different devices, operating systems and browsers. Some of the users (within the 200-300 we mentioned) reported this as well, but we presume it isn't happening to them as often as to us.

This issue started happening a few months after we upgraded our WordPress and integrated Server 3 and the SuiteCRM applications, but we can't say the exact moment it started. Before this, it never happened, so it is a bit difficult for us to find the reason right now.

We have already tried changing the PHP session parameter `session.cookie_domain`, setting a different cookie_domain for each of the subdomains of each of the hosts, accordingly, then deleting the cookies in each of the browsers. At the beginning, it seemed we had found the solution because our session was persisting. But after a few days, the session expiration issue came back.

Are we missing some crucial configuration within any service configuration?

Any idea about how to debug this?

Thanks

EDIT: We have a subdomain for each application: sugarcrm1.example.com, sugarcrm2.example.com, etc. Each session is currently stored in a different folder: /home/sugarcrm1.example.com/tmp, /home/sugarcrm2.example.com/tmp

We don't need them to work in a common session, each application/subdomain has a different user/password management authentication.

The unique_key in config.php is a guid code used by SugarCRM Core to generate a unique user session ID.

We haven't tried changing the default session name "PHPSESSID" yet.

aamping
  • So the SugarCRM all share _one_ session folder, or did you forget to include the `X` in there? – CBroe Jun 08 '21 at 08:23
  • _“Each app with a different unique_key in config.php”_ - what does that mean, how does this key relate to sessions? – CBroe Jun 08 '21 at 08:24
  • Are all of those apps using the default session name `PHPSESSID`? And if so, have you tried using a unique name for each instance, and checked if that changes anything? – CBroe Jun 08 '21 at 08:25
  • Thanks for your reply. I misspelled the X, so each application has their own session folder. The unique_key in config.php is a guid code used by SugarCRM Core to generate a unique user session ID. We haven't tried changing the default session name "PHPSESSID" yet. – aamping Jun 08 '21 at 08:42
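
A way to check the cookie scoping raised in the comments above, as an added example that is not part of the original question or comments: it takes `Set-Cookie` headers observed on each host and reports hosts that would receive two same-named session cookies from different scopes. The header values and the helper names (`parse`, `is_sent`, `collisions`) are constructed for illustration; replace `OBSERVED` with headers captured from your own hosts.

```python
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed sample data: one Set-Cookie header per host (not taken from the page).
OBSERVED = {
    "example.com": "PHPSESSID=aaa111; path=/; domain=.example.com",
    "sugarcrm1.example.com": "PHPSESSID=bbb222; path=/",
    "forum.example.com": "phpbb3_x_sid=ccc333; path=/; domain=forum.example.com",
}

def parse(origin, header):
    """Return (name, domain, host_only) for one Set-Cookie header."""
    morsel = next(iter(SimpleCookie(header).values()))
    domain = morsel["domain"].lstrip(".").lower()
    # Without a Domain attribute the cookie is host-only and bound to its origin.
    return morsel.key, (domain or origin), not domain

def is_sent(host, domain, host_only):
    """RFC 6265 domain-match: the exact host, or a subdomain unless host-only."""
    return host == domain or (not host_only and host.endswith("." + domain))

def collisions(observed, hosts):
    """Map each host to the cookie names it receives from more than one scope."""
    cookies = [parse(origin, header) for origin, header in observed.items()]
    result = {}
    for host in hosts:
        scopes = defaultdict(set)
        for name, domain, host_only in cookies:
            if is_sent(host, domain, host_only):
                scopes[name].add(domain)
        dup = {n: sorted(d) for n, d in scopes.items() if len(d) > 1}
        if dup:
            result[host] = dup
    return result

if __name__ == "__main__":
    for host, dup in collisions(OBSERVED, OBSERVED.keys()).items():
        print(host, "receives same-named cookies scoped to:", dup)
```

In the constructed data, a `PHPSESSID` scoped to `.example.com` reaches `sugarcrm1.example.com` alongside that host's own `PHPSESSID`; a unique `session.name` per application removes that overlap.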

1 Answer

You need to consider the following things:

  1. Move your session storage to a third party/mount it outside/database. I would recommend memcache for a scalable solution. Refer to "Is it recommended to store PHP Sessions in MemCache?"
  2. WordPress, phpBB, Wiki, and SugarCRM have different session management mechanisms. Firstly, you need to make changes to all of these to work with the common session.
  • Sorry, didn't explain properly. I added some Edits: EDIT: We have a subdomain for each application sugarcrm1.example.com, sugarcrm2.example.com, etc... Each session is currently stored in different folder /home/sugarcrm1.example.com/tmp, /home/sugarcrm2.example.com/tmp We don't need them to work in a common session, each application/subdomain has a different user/password management authentication. – aamping Jun 08 '21 at 07:59
  • memcache isn't available within our server provider. But thanks for the suggestion. Although I am not sure that would solve the problem here. – aamping Jun 08 '21 at 08:43