-1

I've got a questionnaire with some fields checking (written on PHP + HTML). So i send data over https.

It works like this

<form id="frm_order" method="post" action="https://site/service_for_businesses" autocomplete="off">
<input name="username" id="username" size="40" maxlength="500" type="text" value="">
<button name="Submit" id="Submit" value="Отправить" type="submit" onclick="return final_check();"></button>
</form>

After a user clicks Submit Button all the data is moved to $_SESSION['params'] and then is passed to HELPER class where this data is being checked. If everything is ok then a user is redirected to "SUCCESS PAGE" (this part works fine), but if there is any mistakes in USER's data from the form fields then $_SESSION[..] is passed to VIEW-controller and the page is refreshed and warnings appear near form fields where there is a mistake. The problem is that there is a strange behaviour like this:

1) i wrote some data, for example i wrote down a username "Mi%^XS"
2) pressed Submit
3) there is an error in checking data, cause users are not allowed to use special symbols so there is a redirect
4) i saw a page with my wrong username and a warning below
5) i did nothing but just pressed SUBMIT -> redirect
6) i got empty fields with no warnings
7) i pressed SUBMIT -> redirect
8) i got the same thing as in the step 4 -my username with warnings
etc

i cannot understand why.

My website is deployed to 2 web-servers (to avoid DdoS) with balancer. It's like there are 2 session with the same ID on both of the servers

Andrey Eremin
  • 287
  • 1
  • 4
  • 14
  • finally i solved the problem. It appeared that there are 2 extra servers with nginx which act as proxy. So i edited its config files and the problem solved. – Andrey Eremin Sep 09 '11 at 11:36

3 Answers3

1

Sessions in apache are usually stored on a local disk. (see the php config for the location.)

If you set your PHP session save path to some shared resource (e.g. a network disk through NFS); it might actually share the session information and thus allow you to have the same session on both servers.

At the very least, unless both PHP+Apache instances actually have the same session storage; they will have different sessions for the same (or even other) SIDs.

Yhn
  • 2,785
  • 2
  • 13
  • 10
1

by default, php generates session ids and stores them in the directory defined by session.save_path in the php.ini

Also, if you send to php a session cookie that does not exist, php will create the corresponding session.

So, if you make a request on server 1 that creates a session, it will create a cookie for that session. If you then switch to server 2, it will recognize the session cookie, and if the session already exists, it will use it (your case obviously). In that case, you have the same session ID for 2 servers with distinct data on each.

The solution to that problem is to store the sessions in a place that is common for the 2 servers (e.g a database). See : http://fr.php.net/manual/en/function.session-set-save-handler.php

Benjamin Dubois
  • 971
  • 7
  • 11
1

By default PHP saves the session files into /tmp directory. If you're running your website in 2 webservers directory where are saved must be accessible from both of them, otherwise each webserver will store his own session files.

You can change directory by setting session.save_path on your php.ini. See details here: http://www.php.net/manual/en/session.configuration.php

You can also store sessions on database.

Pablo Leal
  • 51
  • 6