LassoSoft Ticket Tracking System
Ticket #7731: session_start reusing expired session IDs
- Reported by: James Harvard
- 14 Mar, 2014
- Lasso 8.6
Issue reported by James Harvard (firstname.lastname@example.org)
Company: Harvard Digital
Component: Lasso Pro 8.6
Source IP: 22.214.171.124
Undocumented change in how expired sessions are handled.
Looking at the code for session_start() there are changes between the 8.6.0 and 8.6.3 versions (see http://diffboard.com/snippets/iALiHfba/versions/2 which displays a 'diff' comparison of the two). Previously Lasso issued a new session ID if an attempt was made to load an expired session. However, in 8.6.3 the expired session ID is reused (see line 224 in sessiontrackerinit.lasso).
My problem was with some old code that uses link-based session IDs. We knew that some session IDs had got erroneously hard-coded into links by users (and thence into search engine indexes too), but it hadn't been a serious problem in the past. Suddenly, after 8.6.3 there was considerable chaos with users getting sessions mixed up with one another. It seems users were hitting the site via URLs that included a session ID, and where previously they would at worst have just started a new session, each with a different session ID, now the first user would 'resurrect' the session ID and subsequent users would find they were hitting a live session.
(Actually many of the reports came in as "I keep on getting logged out", which I guess was user A and user B not realising they're sharing the same session, then user B logs out and user A gets a 'you're no longer logged in' error message on their next page request.)
My workaround is to call session_end (to prevent the session ID being added to links and forms - such as the login form - on the page). I also redirect to the same URL without the session ID to try and kill off the session IDs currently lurking in search engine indices.
session_start( -name='user', -expires=(60*4), -uselink );
if( session_result == 'expire' );
    // an expired ID was presented: end the session so the ID is not written into links/forms
    session_end( -name='user' );
    // redirect to non-session URL to try & remove page from search engines
    var('new_url') = ('http://' + server_name + response_filepath);
    $new_url += '?';
    // copy every GET argument except the link-based session parameter
    iterate( client_getargs->split('&'), var('i') );
        ! $i->beginswith('-session=user:') ? $new_url += ($i + '&');
    /iterate;
    redirect_url( $new_url, -type='301' );
/if;
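The session mix-up described in this ticket, modelled as an added Python example (not the reporter's code and not Lasso's own session tracker): a toy session store that can either reuse an expired ID (the 8.6.3 behaviour reported above) or issue a fresh one (the earlier behaviour), showing that under the reuse policy two users following the same stale link land in one shared session. The names SessionTracker and simulate_shared_link, and the timings, are assumptions.

```python
import secrets
import time


class SessionTracker:
    """Minimal session store with a configurable expired-ID policy (constructed example)."""

    def __init__(self, reuse_expired_ids, now=time.time):
        self.reuse_expired_ids = reuse_expired_ids
        self.now = now
        self.sessions = {}  # session id -> {"expires": float, "data": dict}

    def session_start(self, presented_id, ttl):
        """Return (session_id, result), mirroring session_start/session_result."""
        t = self.now()
        rec = self.sessions.get(presented_id)
        if rec is not None and rec["expires"] > t:
            rec["expires"] = t + ttl          # live session: extend and load it
            return presented_id, "load"
        result = "expire" if rec is not None else "new"
        if rec is not None and self.reuse_expired_ids:
            sid = presented_id                # the reported behaviour: resurrect the stale ID
        else:
            sid = secrets.token_hex(16)       # safe behaviour: never honour a stale ID
            self.sessions.pop(presented_id, None)
        self.sessions[sid] = {"expires": t + ttl, "data": {}}
        return sid, result


def simulate_shared_link(reuse_expired_ids):
    """Two users follow a search-engine link that still carries an expired session ID.

    Returns (user A's session_result, whether A and B share an ID, who B's session belongs to).
    """
    clock = [1000.0]
    tracker = SessionTracker(reuse_expired_ids, now=lambda: clock[0])
    stale, _ = tracker.session_start(None, ttl=60)   # session leaked into a link long ago
    clock[0] += 3600                                  # ...and has since expired
    sid_a, result_a = tracker.session_start(stale, ttl=60)   # user A follows the link
    tracker.sessions[sid_a]["data"]["user"] = "A"           # A logs in
    sid_b, _ = tracker.session_start(stale, ttl=60)          # user B follows the same link
    return result_a, sid_a == sid_b, tracker.sessions[sid_b]["data"].get("user")


if __name__ == "__main__":
    print("reuse expired IDs:", simulate_shared_link(True))    # B lands in A's session
    print("issue new IDs:   ", simulate_shared_link(False))   # B gets a separate session
```

Under both policies the first visitor sees session_result == 'expire', which is the condition the workaround above keys on; only the reuse policy lets the second visitor load the first visitor's live session.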