Hello, I have a login script for a small application that works by storing session cookies and checking them on each page to make sure the user is logged in. One of the two users who uses the system keeps getting logged out randomly. This appears to be down to the session cookie that shows them authenticated no longer being present.

After a lot of investigation the only thing I can see that is different about this user is that their IP address is changing (today it was changing every hour (they're on Sky)). The only thing is the change of IP address has happened 5 times this morning and only once has the user been logged off.

Has anyone had a similar issue?

Are session cookies in some way tied to IP addresses?

Any help or links much appreciated.

Thanks

C

+2  A: 

By default the PHP Session does not account for IP changes. It's only based on the cookie value.

So perhaps maybe there is some customized code in your web app that invalidates the session when a user changes the IP address.

rogeriopvl
+2  A: 

Are session cookies in some way tied to IP addresses?

No. As long as the browser is connecting to the same IP name serverside it doesn't matter if the client's address changes or goes via a different proxy.

It's more likely that something is getting cached where it shouldn't. (assuming you are doing no validation against IP address).

Have you got your webserver configured to log session ids against the request/client/user agent? (i.e. in the access log)

C.

symcbean
Thanks. There's no IP checking in my code. However I do log the IP address against user activity - but no decisions are made on this. I may write some session stuff to the . Do session cookies get cached? I would have thought not but I am frequently wrong. I am however storing the system time in a session variable for timeout purposes and after reading your post I am wondering if this is being picked up from a cached location. This feels like a lightweight solution, I think I may store some stuff in the DB to make the sessions more robust.
Columbo
For me, the evidence is mounting against IPs being the issue... I only have a set of 2 users to go on. One's IP is fixed (well it hasn't changed in a day), the other's changes randomly around about every 1.5 hours or so. It's the user with the changing IP that has the issue. BUT, she mailed me at 12:36 last Friday saying she'd just been logged out and I can clearly see that her IP address remained the same from 12:10 to 12:54pm - so it would appear the IP is not to blame here. But she may have delayed mailing. I'm going to put in some data collection bits to try to get some more clues.
Columbo
Having added some tracking code it appears like the user's cookie session just disappears. Next step is to get on her machine and have a look at Norton which may be messing with the sessions.
Columbo
Sometimes the user's session cookie ID is reused when they log back in but the session variables within are not set. Other times when they log back in they have a new session id. I'm stuck on this one. If it was a firewall/cookie security thing of some kind surely it would delete the cookies.
Columbo
The issue seemed to be that the user in question was using the browser refresh button. I created a custom refresh button that allowed me to do a refresh in a controlled manner and there have been no more log outs. In summary, I think that FF and IE (I had the user try IE) when browser refresh is used are causing some issue that results in the sessions being lost.
Columbo
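
The two symptoms reported in the comments (a new session id on return versus the same session id with no variables set) can be separated with a per-request log that also records IP and user agent, as the second answer suggests. This is an added example, not code from the thread; `user_id`, `last_seen`, `IDLE_LIMIT`, `classify_session()` and the log fields are assumed names.

```php
<?php
// Added diagnostic sketch. Assumes login stores $_SESSION['user_id'] and that
// each authenticated request refreshes $_SESSION['last_seen'] (assumed keys).
const IDLE_LIMIT = 1800; // idle seconds before forced logout (constructed value)

// Classify why a request is (or is not) authenticated.
function classify_session(bool $cookieSent, array $session, int $now): string
{
    if (!$cookieSent) {
        return 'no_cookie';        // browser sent no session cookie; a new id is issued
    }
    if (!isset($session['user_id'])) {
        return 'cookie_but_empty'; // id came back, but server-side data is missing
    }
    if ($now - (int)($session['last_seen'] ?? 0) > IDLE_LIMIT) {
        return 'idle_timeout';     // the application's own timeout fired
    }
    return 'ok';
}

// Check for the cookie before session_start(), which may create a fresh session.
$cookieSent = isset($_COOKIE[session_name()]);
session_start();
$now   = time();
$state = classify_session($cookieSent, $_SESSION, $now);

// Log a truncated hash of the id so log readers cannot replay the session.
// json_encode escapes the client-controlled user agent, avoiding log injection.
error_log(json_encode([
    'ts'    => date('c', $now),
    'sid'   => substr(hash('sha256', session_id()), 0, 12),
    'state' => $state,
    'ip'    => $_SERVER['REMOTE_ADDR'] ?? '-',
    'ua'    => $_SERVER['HTTP_USER_AGENT'] ?? '-',
    'uri'   => $_SERVER['REQUEST_URI'] ?? '-',
]));

if ($state === 'ok') {
    $_SESSION['last_seen'] = $now; // server clock only; nothing here depends on IP
} elseif ($state === 'idle_timeout') {
    $_SESSION = [];                // drop stale data, then send the user to login
    session_destroy();
}
```

Correlating `state` with `ip` over a day shows directly whether logouts line up with address changes, and whether a logout was caused by the cookie never arriving or by the session data being absent on the server.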