Lasso Soft Inc. > Home

RhinoTrac

LassoSoft Ticket Tracking System

Ticket #7731: session_start reusing expired session IDs

Reported by: James Harvard
Date: 14 Mar, 2014
Priority: major
Component: Lasso 8.6
Version: 8.6.3
Keywords:
Platform: All
Issue reported by James Harvard (james.harvard@harvard-digital.co.uk)
Company: Harvard Digital

Component: Lasso Pro 8.6
Version: 8.6.3
Platform: All
Source IP: 86.15.35.158

Detail
======
Undocumented change in how expired sessions are handled.

Looking at the code for session_start() there are changes between the 8.6.0 and 8.6.3 versions (see http://diffboard.com/snippets/iALiHfba/versions/2 which displays a 'diff' comparison of the two). Previously Lasso issued a new session ID if an attempt was made to load an expired session. However, in 8.6.3 the expired session ID is reused (see line 224 in sessiontrackerinit.lasso).

My problem was with some old code that uses link-based session IDs. We knew that some session IDs had got erroneously hard-coded into links by users (and thence into search engine indexes too), but it hadn't been a serious problem in the past. Suddenly, after 8.6.3 there was considerable chaos with users getting sessions mixed up with one another. It seems users were hitting the site via URLs that included a session ID, and where previously they would at worst have just started a new session, each with a different session ID, now the first user would 'resurrect' the session ID and subsequent users would find they were hitting a live session.

(Actually many of the reports came in as "I keep on getting logged out", which I guess was user A and user B not realising they're sharing the same session, then user B logs out and user A gets a 'you're no longer logged in' error message on their next page request.)

My workaround is to call session_end (to prevent the session ID being added to links and forms - such as the login form - on the page). I also redirect to the same URL without the session ID to try and kill off the session IDs currently lurking in search engine indices.
<code>
session_start( -name='user', -expires=(60*4), -uselink );

if( session_result == 'expire' );
    // an expired ID was presented: end the session so the stale ID is not
    // written into the links and forms (e.g. the login form) on this page
    session_end( -name='user' );

    // redirect to non-session URL to try & remove page from search engines
    var('new_url') = ('http://' + server_name + response_filepath);
    $new_url += '?';
    iterate( client_getargs->split('&'), var('i') );
        // keep every query argument except the link-based session ID
        ! $i->beginswith('-session=user:') ? $new_url += ($i + '&');
    /iterate;
    $new_url->removetrailing('&')&removetrailing('?');
    redirect_url( $new_url, -type='301' );
/if;
</code>
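An added example, not from the ticket and not Lasso code: a toy Python session store that models the two session_start policies described above (`reuse_expired_id=True` stands for the 8.6.3 behaviour, `False` for the earlier rotate-on-expire behaviour), shows two visitors arriving via the same indexed link, and applies the workaround of ending the resurrected session and stripping the `-session=user:` argument. `SessionStore`, `two_visitors`, `handle_request` and the ID `stale1234` are all constructed for this illustration.

```python
import secrets

SESSION_ARG = '-session=user:'   # link-based session argument, as in the ticket


class SessionStore:
    """Toy model of a link-based session store (constructed; not Lasso's code)."""

    def __init__(self, reuse_expired_id, ttl=240):
        self.reuse_expired_id = reuse_expired_id  # True models the 8.6.3 behaviour
        self.ttl = ttl
        self.expires = {}                         # session ID -> expiry time

    def create(self, sid, now):
        self.expires[sid] = now + self.ttl
        return sid

    def start(self, presented_id, now):
        """Return (session_id, result); result mirrors session_result."""
        expiry = self.expires.get(presented_id)
        if expiry is None:                        # unknown ID: mint a fresh one
            return self.create(secrets.token_hex(8), now), 'new'
        if expiry > now:                          # live session: load it
            return presented_id, 'load'
        del self.expires[presented_id]            # expired session
        if self.reuse_expired_id:                 # 8.6.3: resurrect the stale ID
            return self.create(presented_id, now), 'expire'
        return self.create(secrets.token_hex(8), now), 'expire'   # 8.6.0: rotate

    def end(self, sid):
        self.expires.pop(sid, None)


def strip_session_arg(query):
    """Rebuild the query string without -session=user:..., like the ticket's loop."""
    return '&'.join(a for a in query.split('&') if a and not a.startswith(SESSION_ARG))


def two_visitors(reuse_expired_id):
    """Two visitors follow the same indexed link carrying an expired session ID."""
    store = SessionStore(reuse_expired_id)
    stale = store.create('stale1234', now=0)      # constructed ID leaked into a link
    a_id, _ = store.start(stale, now=1000)        # visitor A arrives after expiry
    b_id, _ = store.start(stale, now=1001)        # visitor B follows the same link
    return a_id, b_id


def handle_request(store, presented_id, path, query, now):
    """Workaround: on 'expire', end the session and return a session-free redirect URL."""
    sid, result = store.start(presented_id, now)
    if result != 'expire':
        return sid, None
    store.end(sid)
    clean = strip_session_arg(query)
    return sid, path + ('?' + clean if clean else '')
```

With the reuse policy `two_visitors` returns the same ID for both visitors, which is the shared-session symptom the ticket describes; with rotation they get distinct fresh IDs.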

Comments

15 May, 2014 by Eric Knibbe
Looks like that change was made 3 years ago with the message "Fix for not respecting user given id".

©LassoSoft Inc 2015 | Web Development by Treefrog Inc | PrivacyLegal terms and Shipping | Contact LassoSoft