Nick

Reputation: 565

Multiple PHPSESSID collisions

I have noticed that multiple users per day are being assigned the same session_id. I am using PHP 7.2 now, but looking back into the history of user sessions, this has been happening since I was using PHP 5.4.

I am just using the PHP defaults of session_start(), no custom session handler.

I have read that the session_id is a combo of the client IP and time, but given that I am using a load balancer, might that be limiting the randomness of the IP addresses?

What is the proper way to increase the uniqueness of session_ids to prevent collisions when using a load balancer?

Upvotes: 4

Views: 1922

Answers (2)

siliconrockstar

Reputation: 3664

Assuming you're running PHP-FPM on each web node, but I guess #2 and #3 would probably work running PHP as an Apache plugin as well.

You've got a few options here:

  1. Keep your LB'd web nodes with Apache and have each one point to the same upstream PHP-FPM server. Obviously the third box running the single PHP-FPM process might need to be beefier, since it's handling PHP parsing for both web nodes.
  2. Change the session storage to point to a file location (probably an NFS or SMB share) that both servers can access. Not sure if I've ever done this, honestly, but it seems like it would work. Really, your web files should probably be on an NFS/SMB share already so you can deploy changes to only one location.
  3. Spin up a Redis server and have both web nodes' PHP-FPM processes use that for sessions.

Number three is probably the best option in most cases.

Upvotes: 1

Devon Kiss

Reputation: 239

If you are using Nginx, you may want to check if FastCGI micro-caching is enabled and disable it. This has caused some errors before, as noted in the PHP.net developer bug listings for PHP 7.1 running Nginx:

Bug #75496 Session ID Collision happened few times

After the first case [of collision] we changed a hash entropy php settings in php.ini so session_id is now 48 chars but it didn't help to prevent second case.

Solution:

FastCGI micro caching at nginx that cached 200 responses together with session cookies. Of course maybe it was set wrong at our server, but it definitely has nothing to do with PHP.

Please see: https://bugs.php.net/bug.php?id=75496

Upvotes: 1
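
The cause described in the answer above, shown as an added configuration example that is not part of the original answer or the bug report: a micro-cache that ignores `Set-Cookie` stores a response together with its PHPSESSID cookie and replays it to other clients, which looks like a session ID collision. The zone name `microcache`, the cache path and the PHP-FPM socket path are assumptions.

```nginx
# Constructed example; both blocks belong inside the http { } context.
# Zone name, cache path and socket path are assumptions, not from the page.
fastcgi_cache_path /var/cache/nginx/microcache levels=1:2
                   keys_zone=microcache:10m max_size=100m inactive=10m;

server {
    listen 80;
    root /var/www/html;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;

        fastcgi_cache microcache;
        fastcgi_cache_key "$scheme$request_method$host$request_uri";
        fastcgi_cache_valid 200 1s;   # micro-cache: keep 200 responses for 1 second

        # RISKY setting (left commented out): with Set-Cookie in this list, nginx
        # caches the 200 response including its "Set-Cookie: PHPSESSID=..." header,
        # so every client served from the cache receives the same session ID.
        # fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

        # SAFER: keep Set-Cookie processing enabled. nginx then does not cache
        # any response that sets a cookie. Only the lifetime headers are ignored.
        fastcgi_ignore_headers Cache-Control Expires;

        # Clients that already hold a session are neither served from the cache
        # nor allowed to populate it, since their pages may be personalised.
        fastcgi_cache_bypass $cookie_PHPSESSID;
        fastcgi_no_cache     $cookie_PHPSESSID;

        # Expose HIT/MISS/BYPASS so that a cached response carrying a cookie
        # can be spotted from the client side or in captured traffic.
        add_header X-Cache-Status $upstream_cache_status always;
    }
}
```

A response that shows `X-Cache-Status: HIT` together with a `Set-Cookie: PHPSESSID=...` header indicates the cache is replaying session cookies.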
