1

I'm running a Yii-app on Appfog. Whenever I try to have more than 1 instance it is no longer possible to stay signed in.

I know that multiple instances require a shared storage for sessions, and I have implemented that using EDMSHttpSession. And it does work on localhost, that is, I can sign in, restart Apache and remain signed in. Also, if I remove the session record in the database I am signed out. This makes me conclude that PHP is using the database for storing sessions.

I can't understand why my shared storage for sessions doesn't work on Appfog and I would like suggestions on how to debug this.

Some more background info:

  • I use cookies for auto login. They should be valid for 30 days (and they are according to Chrome inspector) but that never works for more than a few hours (browser session I guess) - not on localhost, not on Appfog.
  • With multiple instances and autologin enabled (that is, I click "remember me") I still get kicked out randomly, usually after 2 or 3 page refreshes. As I understand, a cookie should sign you in automatically regardless of server sessions?
  • On Appfog I have an SSL endpoint, on localhost I do not.
  • I have checked that my shared session storage on Appfog is getting new sessions (looking in the database tables)

Update:

I did some tests and perhaps my results will make sense to someone.

I clear all Cookies and restart my Appfog app. I sign in, and check "Remember me". Now the following response Set-cookie headers are:

Set-Cookie:PHPSESSID=vrfoi0o15v3qps2644uqtvkfa1; path=/  
Set-Cookie:PHPSESSID=db38s1k1vp5ngll837ac0vh0u7; path=/  
Set-Cookie:73dfaf673b71b1f92d34b8ab63dab17b=812bbcfd4f5b3be91f8c85d39c3b37bb93e4c6b8a%3A4%3A%7Bi%3A0%3Bs%3A24%3A%225087ea0b3145a75545000000%22%3Bi%3A1%3Bs%3A22%3A%22demo%40playbackenergy.se%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; expires=Sun, 09-Jun-2013 08:32:24 GMT; path=/

In the subsequent request the request Cookie-headers are:

Cookie:PHPSESSID=db38s1k1vp5ngll837ac0vh0u7; 73dfaf673b71b1f92d34b8ab63dab17b=812bbcfd4f5b3be91f8c85d39c3b37bb93e4c6b8a%3A4%3A%7Bi%3A0%3Bs%3A24%3A%225087ea0b3145a75545000000%22%3Bi%3A1%3Bs%3A22%3A%22demo%40playbackenergy.se%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D

I use "db38s1k1vp5ngll837ac0vh0u7" to find my session in the database. That row looks like this (note that vrfoi0o15v3qps2644uqtvkfa1 is not found in the database):

{
  "_id" : ObjectId("518cb0981045979e06000000"),
  "data" : "73dfaf673b71b1f92d34b8ab63dab17b__id|s:24:\"5087ea0b3145a75545000000\";73dfaf673b71b1f92d34b8ab63dab17b__name|s:22:\"demo@playbackenergy.se\";73dfaf673b71b1f92d34b8ab63dab17b__states|a:0:{}73dfaf673b71b1f92d34b8ab63dab17brole|s:4:\"demo\";",
  "expire" : 1368176186,
  "id" : "db38s1k1vp5ngll837ac0vh0u7"
}

Now I restart my Appfog app again and try to navigate to another page in my app. Now I get signed out.

The request Cookie-headers before redirection to login page were (the same as before):

Cookie:PHPSESSID=db38s1k1vp5ngll837ac0vh0u7; 73dfaf673b71b1f92d34b8ab63dab17b=812bbcfd4f5b3be91f8c85d39c3b37bb93e4c6b8a%3A4%3A%7Bi%3A0%3Bs%3A24%3A%225087ea0b3145a75545000000%22%3Bi%3A1%3Bs%3A22%3A%22demo%40playbackenergy.se%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D
luttkens

2 Answers

1

You only asked for suggestions on how to debug, so there you go:

  • Add different hidden strings to each of your instance layout files so that you can see which instance served the current request
  • Inspect the cookies in your request/response headers in your browser to find out if the same session id is sent with every request and when a new one is sent back from your server

This may help you to find out under which condition the session is lost.

UPDATE

  • Find out if the session is really destroyed or if Yii just logs you out. To do this, write something to the session as guest user and then try if this information is lost at some reload.
  • Disable allowAutoLogin and see if it works now.
Michael Härtl
  • Thanks! I did some checks on what happens with cookies and sessions in the database and updated the question. Is there anything that you find strange in the Cookie headers? – luttkens May 10 '13 at 08:56
  • Hmm. See update. It seems session is not lost. You could verify that in your DB. – Michael Härtl May 10 '13 at 11:00
  • 1
    Got it now! First I realized that as a guest user the session id was changed on every page load. I looked at the headers and noticed that all my pages had `Pragma: no-cache` and `Cache-Control: no-cache, no-store, must-revalidate`. When removing `no-store` the session id stayed the same and now multiple instances work (almost, now I have issues with Yii's assets folder that's different for each instance and breaks JavaScript references. But a CDN should solve that). – luttkens May 13 '13 at 06:23
0

Finally I have successfully debugged this issue, thanks to Michael Härtl's suggestions.

I had to fix two things

1) Specify an application-id in protected/config/main.php

array(
    'name' => 'My App',
    'id' => 'yourdomain',
    ...,
)

If you don't do this, multiple instances will have different ids. Since Yii uses a hash of the app-id to prefix the session variables, the session won't be shared among different instances, even though you have shared session storage. This Yii article explains it more in depth: http://www.yiiframework.com/wiki/135/single-sign-on-across-multiple-subdomains/

2) Use a CDN for the assets along with shared caching. Apparently the assets folder (e.g. 3f4ad45) may differ between the instances, and therefore you must use a shared storage. I used the extension http://www.yiiframework.com/extension/s3assetmanager/ for managing the assets and https://github.com/aarondfrancis/yii-CMemCacheSASL for the cache (MemCachier).

luttkens
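The prefix mismatch described in point 1 of the answer above can be reproduced outside the framework. The following is an added example, not code from the post or from Yii itself: the two helper functions are modelled on Yii 1.1's `CApplication::getId()` and `CWebUser::getStateKeyPrefix()`, and the instance base paths, the session row and the default `CWebUser` class name are constructed assumptions.

```php
<?php
// Default application id when 'id' is not set in the config:
// a CRC32 of the base path plus the application name.
function defaultAppId(string $basePath, string $name): string
{
    return sprintf('%x', crc32($basePath . $name));
}

// Prefix for session variable names; the same value is used as the
// auto-login cookie name. Assumes the default CWebUser class.
function stateKeyPrefix(string $appId, string $userClass = 'CWebUser'): string
{
    return md5('Yii.' . $userClass . '.' . $appId);
}

// True when the serialized session data holds login state written
// under the given prefix (the "<prefix>__id|" key).
function sessionHasLoginFor(string $sessionData, string $prefix): bool
{
    return strpos($sessionData, $prefix . '__id|') !== false;
}

// Constructed input: the same app deployed under two hypothetical
// base paths, one per instance.
$instances = [
    'instance-0' => '/mnt/app-0/protected',
    'instance-1' => '/mnt/app-1/protected',
];
$name = 'My App';

// Instance 0 handles the login and writes the shared session row
// (constructed sample data in PHP's session serialization format).
$writer = stateKeyPrefix(defaultAppId($instances['instance-0'], $name));
$row = $writer . '__id|s:24:"000000000000000000000000";'
     . $writer . '__name|s:16:"user@example.com";';

foreach ($instances as $label => $basePath) {
    // Without 'id' in main.php the prefix depends on the base path.
    $implicit = stateKeyPrefix(defaultAppId($basePath, $name));
    // With 'id' => 'yourdomain' the prefix is identical everywhere.
    $explicit = stateKeyPrefix('yourdomain');
    printf("%s implicit prefix %s sees login: %s\n", $label, $implicit,
        sessionHasLoginFor($row, $implicit) ? 'yes' : 'no');
    printf("%s explicit prefix %s\n", $label, $explicit);
}
```

Run with the PHP CLI: only the instance that wrote the row finds its login state under the implicit prefix, while the explicit-id prefix is the same on both instances. Comparing the prefix in a real session row's `data` field with the auto-login cookie name is a quick way to confirm which application id produced it.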