From: Demian K. <dem...@vi...> - 2010-04-23 12:51:29
I think the key problem here is that there are actually two pieces to the session lifetime -- there's the server-side session data and the client-side cookie that points to the session data. By default, the client-side cookie lasts as long as the browser remains open. If a session expires on the server side, PHP will wipe out the data, but the client will still have the same session ID if they return later.

If all the session data is truly gone, this doesn't matter -- PHP will just create a brand new session and associate it with the old identifier. However, since we're using the PHP session identifier to store data external to the session itself, this is a problem if PHP wipes out its own session data but fails to trigger the necessary callbacks to remove our subsidiary data.

The best solution to this problem may actually be to set the session cookie lifetime to match the server-side session lifetime. As long as the session ID expires client side at the same time that the session data expires server side, then users coming in after the expiration will get assigned new session IDs, and they won't see any search history bleeding over from the past.

Here's an article which explains the issue in more detail:

http://www.captain.at/howto-php-sessions.php

I would still be interested to know exactly how PHP is behaving -- it seems strange to me that it would wipe out the primary session data but not trigger appropriate callbacks to get rid of related data at the same time -- but the cookie timeout solution may solve everything if nobody has time to dig more deeply into PHP's behavior.

- Demian

From: Greg Pendlebury [mailto:gre...@gm...]
Sent: Friday, April 23, 2010 4:28 AM
To: Demian Katz
Cc: ho...@hs...; vuf...@li...
Subject: Re: [VuFind-Tech] Session Timeout

I'm not an expert on PHP garbage collection but I believe you need to first rule out the possibility nothing is wrong at all.
From what I recall back then garbage collection in PHP runs as a random event for each instance of PHP (i.e. web user visit) because there's no central 'daemon'-like app process running. So basically each visit there's like a 1% chance of a background GC algorithm firing off. Garbage collection isn't going to run just because the session finished.

BUT as I mentioned at the start I'm not an expert, and I only looked into it briefly during implementation, so I'm happy to look into it in more detail over the long weekend here.

I'd guess though, that junk data aside, there aren't security concerns there. The sessions are expired so the session IDs in the table aren't going to match up anymore.

Greg

On 22 April 2010 22:22, Demian Katz <dem...@vi...<mailto:dem...@vi...>> wrote:

Perhaps the first thing you should try is to add code to log events to a file from the garbage collection and destruction methods of the session class. It may be informative to know exactly what is or is not happening when a session gets expired. Perhaps your system is behaving differently than Greg's was when he first developed this logic.

If you would like help developing the logging code, or if you would like me to run tests on my system to compare against your results, just let me know and I'll be happy to help. This isn't a heavily tested area of the code, so it's not surprising that there are bugs, and I don't mind spending some time to help improve it.

- Demian

________________________________________
From: John Houser [joh...@gm...<mailto:joh...@gm...>] On Behalf Of John Houser [ho...@hs...<mailto:ho...@hs...>]
Sent: Wednesday, April 21, 2010 4:23 PM
To: Demian Katz
Cc: vuf...@li...<mailto:vuf...@li...>
Subject: Re: [VuFind-Tech] Session Timeout

Demian,

I'm using the default (MySQL-based) sessions and have not modified anything except the theme and Evergreen driver. The expire_searches.php utility will clean up things 2 days or older but that is not anywhere close to a session timeout.
So, from what you're saying, this would be a bug, I guess. Pretty big one from a public library standpoint. We've got to clear user searches when the session times out.

J

On Apr 21, 2010, at 4:03 PM, Demian Katz wrote:

> There is some code in web/sys/SessionInterface.php which is supposed to get called when sessions are garbage collected in order to clean up search history. It sounds like perhaps this is not happening as expected in your installation. You might want to take a look at the comments in that file for more information.
>
> On a related note, the absence of garbage collection can also cause build-up of junk in the database. There is a tool available in the Admin module or as a command-line PHP script to clean this up -- for details, see:
>
> http://vufind.org/jira/browse/VUFIND-235
>
> If you need more information, or if you find out anything that might inform improvements to the trunk, please let me know!
>
> - Demian
>
>> -----Original Message-----
>> From: John Houser [mailto:ho...@hs...<mailto:ho...@hs...>]
>> Sent: Wednesday, April 21, 2010 2:58 PM
>> To: vuf...@li...<mailto:vuf...@li...>
>> Subject: [VuFind-Tech] Session Timeout
>>
>> Hi All,
>> I'm experimenting with the session timeout on our test server. I have
>> set the timeout to be very quick for testing. That has resulted in my
>> getting logged out appropriately. However, my search history is not
>> purged when the session times out. Is this the intended behavior or a
>> bug? Am I missing something?
>>
>> J
>>
>> --
>> John Houser
>> Technology Coordinator
>> HSLC
>> 215-534-6820
>> ho...@hs...<mailto:ho...@hs...>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Vufind-tech mailing list
>> Vuf...@li...<mailto:Vuf...@li...>
>> https://lists.sourceforge.net/lists/listinfo/vufind-tech

--
John Houser
Technology Coordinator
HSLC
215-534-6820
ho...@hs...<mailto:ho...@hs...>
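
The cookie-lifetime fix proposed in the newest message of this thread, as an added example that is not part of the original emails or of VuFind's code: it sets both lifetimes from one value and, because garbage collection is probabilistic, also checks a last-activity timestamp on every request. `SESSION_LIFETIME`, `start_bounded_session()` and the purge callback are hypothetical names; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not VuFind code. SESSION_LIFETIME, start_bounded_session()
// and the purge callback are hypothetical names.
const SESSION_LIFETIME = 3600; // seconds; one value drives both sides

function start_bounded_session(callable $purgeSearches): void
{
    // Server side: data idle longer than this becomes eligible for GC.
    ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME);
    // Client side: the default lifetime of 0 keeps the cookie until the
    // browser closes, so an old ID can return after its data is gone.
    session_set_cookie_params([
        'lifetime' => SESSION_LIFETIME,
        'path'     => '/',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    // ID the browser presented, captured before PHP possibly replaces it.
    $cookie    = $_COOKIE[session_name()] ?? null;
    $presented = is_string($cookie) ? $cookie : null;
    session_start();

    $now   = time();
    $last  = $_SESSION['last_activity'] ?? null;
    $stale = $last === null || ($now - $last) > SESSION_LIFETIME;

    // GC runs only with probability gc_probability/gc_divisor per request,
    // so enforce expiry here instead of waiting for the gc() callback.
    if ($presented !== null && $stale) {
        $purgeSearches($presented);   // delete rows keyed by the old ID
        $_SESSION = [];
        session_regenerate_id(true);  // issue a new ID, drop the old record
    }
    $_SESSION['last_activity'] = $now;
}

// Constructed in-memory store standing in for the search-history table.
$searches = ['constructed-old-id' => ['constructed query']];
start_bounded_session(function (string $id) use (&$searches): void {
    unset($searches[$id]); // a real store would use a parameterized DELETE
});
```

The cookie's expiry is fixed when the cookie is issued and does not slide with activity, so the server-side timestamp check is what actually bounds how long stale search history can be reached.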