
I'm helping develop a website based on Zend Framework which has begun to experience session swapping issues that appear at random. We have found no way of detecting this issue except when our users and ourselves experience session swaps when refreshing or navigating the site. We have found no order or pattern to help us determine what the cause is. Our system uses two databases, a standard website database and an API database. We have noticed that the cron jobs for these two databases create a large number of sessions, but this should not cause a session swapping issue with the number of occurrences we have experienced.

We are attempting to discover some way of detecting the cause of this issue. We would appreciate any tips or advice on how to find the cause of this issue. Any advice would be greatly appreciated.

UPDATE: we have development and testing subdomains which have never had the session swapping occur there. It seems it only occurs on the live production website.

briar140
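The question asks for a way to detect the swaps instead of waiting for someone to notice one. The following is an added example, not code from the question or from Zend Framework: it assumes the application has been instrumented to write one log line per request carrying the session id and the Zend_Auth identity (the line format is hypothetical), and it then looks for the two conditions that a swap produces in such a log. The sample log lines are constructed for the example.

```python
"""Session-swap detection over per-request log lines.

Assumed (hypothetical) log format, one line per request written by the
application once it knows the session id and the Zend_Auth identity:

    <timestamp> sid=<session id> user=<identity or -> ip=<client ip> ua="<user agent>"

The sample log below is constructed for this example.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) '
    r'ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample: alice and bob browse; bob's browser briefly presents
# alice's session id, then returns to its own; a cron client opens a fresh
# anonymous session on every request (churn, but no swap).
SAMPLE_LOG = """\
2011-05-08T01:30:00 sid=a1b2c3 user=alice ip=10.0.0.5 ua="Firefox/4.0"
2011-05-08T01:30:02 sid=d4e5f6 user=bob ip=10.0.0.9 ua="Chrome/11"
2011-05-08T01:30:05 sid=a1b2c3 user=alice ip=10.0.0.5 ua="Firefox/4.0"
2011-05-08T01:30:07 sid=a1b2c3 user=bob ip=10.0.0.9 ua="Chrome/11"
2011-05-08T01:30:09 sid=d4e5f6 user=bob ip=10.0.0.9 ua="Chrome/11"
2011-05-08T01:30:11 sid=778899 user=- ip=10.0.0.2 ua="cron-client/1.0"
2011-05-08T01:30:12 sid=aa11bb user=- ip=10.0.0.2 ua="cron-client/1.0"
"""


def parse_log(text):
    """Parse the per-request lines; lines that do not match are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            records.append(m.groupdict())
    return records


def shared_sessions(records):
    """{sid: [identities in order of first appearance]} for every session id
    that was presented by more than one authenticated identity. One session
    id carrying two identities is a swap whichever way it happened."""
    seen = defaultdict(list)
    for r in records:
        if r['user'] == '-':
            continue  # anonymous request: no identity to compare
        if r['user'] not in seen[r['sid']]:
            seen[r['sid']].append(r['user'])
    return {sid: users for sid, users in seen.items() if len(users) > 1}


def client_flips(records):
    """{(ip, ua): [session id sequence]} for clients that moved to another
    session id and later came back to one they had before (A -> B -> A), which
    is what a user experiences as a swap on refresh. A single change (A -> B)
    is normal: login, id regeneration, expiry."""
    history = defaultdict(list)
    for r in records:
        seq = history[(r['ip'], r['ua'])]
        if not seq or seq[-1] != r['sid']:
            seq.append(r['sid'])
    return {client: seq for client, seq in history.items() if len(seq) > len(set(seq))}


def analyze(text):
    records = parse_log(text)
    return {'shared_sessions': shared_sessions(records),
            'client_flips': client_flips(records)}


if __name__ == '__main__':
    for kind, hits in analyze(SAMPLE_LOG).items():
        for key, seq in hits.items():
            print(f'{kind}: {key} -> {seq}')
```

On the constructed sample the first rule reports `a1b2c3` as shared by alice and bob, and the second reports bob's client flipping `d4e5f6 -> a1b2c3 -> d4e5f6`; the cron client's one-session-per-request churn raises nothing, which matches the observation in the question that the cron sessions alone do not explain the swaps. Once a hit is found, the same log line tells you whether the bad id arrived in the request cookie (the client already had it) or first appeared in the response (it was generated or changed server-side), which splits the possible causes in two.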
  • I'm guessing you are noticing the swap on the Zend_Session object. Does the session id cookie get changed as well? – haknick May 08 '11 at 01:33
  • we are noticing it in both the local cookies of a user and inside of the database for sessions. We think it may be a Zend_Auth issue. At first we thought it was someone attempting session hijacking. But our testers have been noticing it. At first we thought it was an issue with the session table getting loaded but we have seen it happen equally as fast and as often on an empty session table as one with 30,000+ rows – briar140 May 08 '11 at 01:41
  • Just a simple question, are you setting a unique name when starting the application session? Also, why do your cron jobs use sessions? – Keyne Viana May 08 '11 at 02:09
  • What do you mean by a unique name? If you mean unique session id, then no, there is not a 100% guarantee that it's unique - the sessions are default Zend_Session, which are essentially PHP's native sessions; this uses "unique" user info as input to a hashing function that creates such entropy that yes, you should almost be guaranteed never to see a duplicate session id created for two separate users, but obviously something is going on either to circumvent the probability in duplicating an id, or else to trample over an existing id. – briar140 May 08 '11 at 02:33
  • Cron jobs create sessions because the cron jobs under discussion are ones that access the website as a quasi-RESTful API to run some web based scripts. Site accesses create sessions. – briar140 May 08 '11 at 02:38
  • Do you use any proxy cache in the production environment, like Varnish or Squid? Do you use application-level caches? You're maybe caching a page response with a Set-Cookie instruction inside, so that all users get the same session cookie. – regilero May 10 '11 at 15:21
  • Hi, these might be dumb questions but here goes. If you just started, are you using the database to manage your sessions or are you doing file based sessions? If you're doing file based, are you using a cluster of servers? By sessions swapping you mean what? Users will get someone else's session? Or, users will switch between two sessions that are considered "theirs" but not anyone else's? – Jerry Saravia May 27 '11 at 20:51
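regilero's comment describes a mechanism that would fit the symptoms, including the fact that only production is affected if only production sits behind a cache: a proxy or application cache stores a page together with its Set-Cookie header, and every client that is served the cached copy receives the same session id. The following is an added example, not code from the question, from Zend Framework or from any cache product. It inspects raw HTTP response heads, such as the output of `curl -sD - -o /dev/null http://www.example.com/` (hypothetical URL) run from two machines that hold no cookies for the site, flags the conditions under which a shared cache may store a response that carries Set-Cookie, and compares the session id handed to two independent clients. The three response heads are constructed for the example.

```python
"""Checks for the cached-Set-Cookie hypothesis raised in the comments.

Input is a raw HTTP/1.x response head, e.g. captured with
    curl -sD - -o /dev/null http://www.example.com/      (hypothetical URL)
from two clients that have no cookies for the site. All three sample heads
below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed: what PHP emits with the default session.cache_limiter=nocache.
SAFE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Sun, 08 May 2011 01:33:00 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=f00dcafe0123456789abcdef01234567; path=/
Content-Type: text/html; charset=utf-8
"""

# Constructed: a page made publicly cacheable while still starting a session,
# then served from a front cache (Age / X-Cache) to a first-time visitor.
CACHED_RESPONSE_A = """\
HTTP/1.1 200 OK
Date: Sun, 08 May 2011 01:33:00 GMT
Cache-Control: public, max-age=600
Set-Cookie: PHPSESSID=deadbeef0123456789abcdef01234567; path=/
Age: 37
X-Cache: HIT from cache.example.net
Content-Type: text/html; charset=utf-8
"""

# Constructed: the same cached copy as seen by a second, unrelated client.
CACHED_RESPONSE_B = CACHED_RESPONSE_A.replace("Age: 37", "Age: 41")

SESSION_COOKIE_RE = re.compile(r'^PHPSESSID=([^;]+)')


def parse_headers(raw):
    """(status line, {lower-cased name: [values]}) from a raw response head."""
    lines = raw.strip().splitlines()
    headers = defaultdict(list)
    for line in lines[1:]:  # lines[0] is the status line
        if ':' not in line:
            continue
        name, value = line.split(':', 1)
        headers[name.strip().lower()].append(value.strip())
    return lines[0], headers


def cache_directives(headers):
    """Cache-Control directive names in lower case, e.g. {'public', 'max-age'}."""
    names = set()
    for value in headers.get('cache-control', []):
        for token in value.split(','):
            token = token.strip()
            if token:
                names.add(token.split('=', 1)[0].lower())
    return names


def shared_cache_risk(raw):
    """Findings, in a fixed order, explaining why a shared cache could store this
    response and hand its Set-Cookie to other clients. Empty list: nothing seen."""
    _, h = parse_headers(raw)
    if 'set-cookie' not in h:
        return []
    directives = cache_directives(h)
    if directives & {'private', 'no-store'}:
        return []  # a shared cache must not store it
    findings = ['cookie-without-private-or-no-store']
    if 'public' in directives:
        findings.append('explicit-public')
    if 's-maxage' in directives:
        findings.append('freshness-s-maxage')
    if 'max-age' in directives:
        findings.append('freshness-max-age')
    if 'expires' in h and 'cache-control' not in h:
        findings.append('expires-without-cache-control')
    if any(v.isdigit() and int(v) > 0 for v in h.get('age', [])):
        findings.append('served-from-cache-age')
    if any('hit' in v.lower() for v in h.get('x-cache', [])):
        findings.append('served-from-cache-x-cache')
    return findings


def session_id_from(raw):
    """The PHPSESSID value a client would store from this response, or None."""
    _, h = parse_headers(raw)
    for cookie in h.get('set-cookie', []):
        m = SESSION_COOKIE_RE.match(cookie)
        if m:
            return m.group(1)
    return None


def same_session_handed_out(raw_a, raw_b):
    """True when two independent first-visit responses carry the same session
    id, which an uncached PHP session start never produces."""
    a, b = session_id_from(raw_a), session_id_from(raw_b)
    return a is not None and a == b


if __name__ == '__main__':
    print('safe   :', shared_cache_risk(SAFE_RESPONSE))
    print('cached :', shared_cache_risk(CACHED_RESPONSE_A))
    print('same id:', same_session_handed_out(CACHED_RESPONSE_A, CACHED_RESPONSE_B))
```

If two cookie-less clients receive the same PHPSESSID, something between PHP and the browser is replaying a stored response, and the findings list says which header made that legal. The fix on the application side is to keep `Cache-Control: private` or `no-store` on every response that sets the session cookie (PHP's default `nocache` limiter already does this, so a page that overrides it for cacheability is the usual suspect); on the proxy side, Varnish's built-in VCL refuses to cache responses that carry Set-Cookie, so a custom VCL that unsets or ignores that header is the other usual way this happens.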

0 Answers