Hi,

I am facing a problem where my session is getting overwritten by another logged-in user in PHP.

When we have a reasonable load of about 50-100 users, sessions start getting mixed up. For instance, if a user logs in as A, after a while his session switches to user B, who is also logged in. The system has been in operation for over a year and this is the first time we are facing the problem.

The server is running CentOS.

I do not have any code errors anywhere, but somehow one user's data is getting overwritten with another's.

Please help me, because I have been trying to solve this error without success.

Is there any php.ini setting which will overwrite user session data? Or is this something on the server end, like session ID randomization not being proper?

Thanks in advance.

A: 

Yes, I am using PHP's default session handler. I have set the session variables in the login page.

```php
<?php
session_start();
include("dbconfig.php");

$msg = '';

if (isset($_POST['login'])) {

    $user = $_POST['user'];
    $pass = $_POST['pass'];

    // $user and $pass are placed into the query string unescaped.
    $check = mysql_query("SELECT * FROM `user` WHERE username = '{$user}' AND pass = '{$pass}'") or die(mysql_error());
    $row = mysql_num_rows($check);
    $ck = mysql_fetch_assoc($check);

    if ($row == 1) {
        // Exactly one matching row: copy the profile into the session.
        $_SESSION['name'] = $user; // used to be set to $ck['iname'];
        $_SESSION['isadmin'] = 1;
        $_SESSION['team'] = $ck['teamstatus'];
        $_SESSION['logintime'] = time();
        $_SESSION['priority'] = $ck['priority'];
        $_SESSION['id'] = $ck['id'];
        $_SESSION['designation'] = $ck['designation'];
        $_SESSION['course'] = $ck['course'];
        $_SESSION['year'] = $ck['year'];
        $_SESSION['no'] = $ck['no'];
        $_SESSION['div'] = $ck['div'];
        $_SESSION['sp_designation'] = $ck['sp_designation'];
        header("Location: index.php");
        exit;
    } else {
        $msg = "Invalid Username or Password";
    }
}
?>
```

and then at the top of every page, I verify that the person is logged in:

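```php
<?php
session_start();

// Redirect unless every marker set at login is present.
// The negation has to cover the whole condition, not only the first isset().
if (!(isset($_SESSION['name'], $_SESSION['isadmin'], $_SESSION['id'], $_SESSION['designation'])
      && $_SESSION['isadmin'] == 1)) {
    header("Location: error.php");
    exit;
}

// otherwise perform the action
?>
```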
With this code, you'd better watch out for little Bobby Tables: http://xkcd.com/327/
Borealid
Please **edit** your question when you want to add more information to it, don't **answer** it.
David Dorward
`mysql_real_escape_string` is your friend
Chris T
A: 

By reading your problem I think there might be these reasons:

First, I'd suggest that if you are passing the search string from one page to another, you use the query string, because creating lots of session variables might slow down your application speed.

Second, as the session depends upon the session state provider, which creates a unique session ID for each session which, afaik, is nearly impossible to regenerate [although it is not a universally unique ID], just check whether you are using cookieless sessions, in which your session is not dependent upon cookies and relies on the URL, which may reinvoke your session.

Hopefully it will solve your problem.

Rupeshit
A: 

erk, I'm hoping that the code you've posted is for illustration only; it would be really easy to implement an injection attack against it, e.g.

```
user = "admin' OR ('bla'='"
password="')"
```

It's also trivial to implement session hijacking - you should generate a new session ID when the user is authenticated.

Assuming you are using the default session handler, the fault is not likely to be within the session handler code. This is in use in thousands (millions?) of applications and is working for everyone else.

Most likely cause is bad caching of data - can you replicate it in the absence of any intermediate proxies? Have you checked the headers coming out of the webserver?

C.

symcbean
A: 

I have studied the problem and found that a few session files with 1 bit IDs are getting created amongst the 32 bit ones, e.g. sess_1 and sess_8 along with sess_f1d9037025f544376ff0d44511ed3192.

What I have seen is that if user A is lying idle and user B logs in, then both user A and user B have an extra PHPSESSID in their cookie which contains one of the single bit session IDs like sess_1. They still keep their 32 bit PHPSESSIDs as well; however, these get deleted from the server, so both users default to the same session ID and therefore user A now gets user B's session and his access.

user387493
I have seen the list of sessions created on the server and found some of the 1 bit IDs. Do you know how to solve this problem?
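
The checks raised in the answers above, as an added example that is not code from the thread: it validates the PHPSESSID values in the raw Cookie header before the session starts, so a stray value such as `1` is never adopted, and it issues a new ID at login. The function names, the 32-hex-character ID pattern and PHP 7.3+ are assumptions.

```php
<?php
// Added example (not from the thread). Assumptions: PHP 7.3+, default cookie
// name PHPSESSID, IDs of 32 hex characters as in the sess_f1d9... file above.
const SID_PATTERN = '/\A[0-9a-f]{32}\z/';

// Return the single well-formed session ID in a raw Cookie header, or null
// if there is none or if several different well-formed IDs are presented.
function pick_session_id(string $cookieHeader, string $name = 'PHPSESSID'): ?string
{
    $valid = [];
    $rejected = 0;
    foreach (explode(';', $cookieHeader) as $pair) {
        $parts = explode('=', trim($pair), 2);
        if (count($parts) !== 2 || $parts[0] !== $name) {
            continue;                         // some other cookie
        }
        if (preg_match(SID_PATTERN, $parts[1]) === 1) {
            $valid[$parts[1]] = true;
        } else {
            $rejected++;                      // e.g. the "1" behind sess_1
        }
    }
    if ($rejected > 0 || count($valid) > 1) {
        error_log("session guard: $rejected malformed, " . count($valid) . " well-formed $name values");
    }
    return count($valid) === 1 ? (string) array_key_first($valid) : null;
}

function start_guarded_session(): void
{
    ini_set('session.use_strict_mode', '1');  // do not adopt IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
    $sid = pick_session_id($_SERVER['HTTP_COOKIE'] ?? '', session_name());
    if ($sid !== null) {
        session_id($sid);                     // use the validated value
    } else {
        unset($_COOKIE[session_name()]);      // let session_start() issue a fresh ID
    }
    session_start();
}

// Call after the credentials have been verified, before filling $_SESSION.
function establish_login(array $profile): void
{
    session_regenerate_id(true);              // new ID at login, old session data deleted
    $_SESSION = $profile + ['logintime' => time()];
}

// Constructed sample header: a stray short ID next to a well-formed one.
if (PHP_SAPI === 'cli') {
    var_dump(pick_session_id('PHPSESSID=1; lang=en; PHPSESSID=f1d9037025f544376ff0d44511ed3192'));
}
```

The `error_log` line doubles as a detection signal: each entry marks a request that carried a malformed or duplicate session cookie.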