PHP using the same session IDs?

Discussion in 'General' started by optize, Oct 29, 2011.

  1. optize

    optize Well-Known Member

    I'm not sure if this is a Litespeed problem or a PHP problem, however across multiple servers of ours, we are seeing the same session ID being (attemped to be) used by two people.

    The second person that tries to use it obviously gets a permission denied as it's already written to /tmp under the first user.

    I've googled around and people say this is extremely rare, so I'm not quite sure why we're seeing it on a weekly basis across multiple servers.

    People have also suggested using:

    session.entropy_length = 512
    session.entropy_file = /dev/urandom

    in /usr/local/lib/php.ini to help make the session file more random, but it's still occuring.

    Anyone run into this before?
  2. XN-Matt

    XN-Matt Well-Known Member


    We're seeing this too and it's VERY annoying.

  3. NiteWave

    NiteWave Administrator

    it should be a PHP issue. google "php same session id", there return many results.

    to ensure lsphp read this php.ini. or check if lsphp5 is using /usr/local/lsws/lsphp5/lib/php.ini
  4. XN-Matt

    XN-Matt Well-Known Member

    Done on both counts.. but this has only started occurring with lsphp - does not occur with Apache + suPHP.

  5. NiteWave

    NiteWave Administrator

    is lsphp suExec enabled ? so match for apache + suPHP
  6. XN-Matt

    XN-Matt Well-Known Member

    Yes, it is.

  7. Tony

    Tony Well-Known Member

    I'm going to bump this since we see this as well. I'm just going to throw something out there it's not possible that something with the PHP LSAPI implementation may be causing this?
  8. mistwang

    mistwang LiteSpeed Staff

    Does it only start to happen recently? after 4.1.6 or 4.1.7?
    It could be caused by some extra event handling coding added to deal with 100% cpu issue.
    I have reversed some changes that could affect this, please force reinstall 4.1.8.
  9. Tony

    Tony Well-Known Member

    This happens in 4.1.8 as well and I'm not sure how recent it is or if it's Litespeed or not. I just don't think it happens typically at such a frequency though on another web server. Never seen session collisions at such a frequency until we switched to Litespeed. I also don't think it happened at all until some recent version.
  10. optize

    optize Well-Known Member

    This has been an issue since we started using ls, so I don't believe it was due to something recently added.

    If you feel it's fixed in 4.1.8, we can test with our customers and see if the issue goes away.
  11. mistwang

    mistwang LiteSpeed Staff

    If someone interested in providing a server with high occurring frequency, we may load a special build of LSWS with detailed session loggings to track it down.
  12. XN-Matt

    XN-Matt Well-Known Member

    This is still ongoing. No matter how high the entropy is, it will happen sooner than later.. but is still very intermittent.

    This never used to happen but appears to still happen in the latest release and is getting to the point where we ditch LS as it just isn't reliable enough...
  13. webizen

    webizen Well-Known Member

    pm your server temporary root access so we can take a look.
  14. mistwang

    mistwang LiteSpeed Staff

    This issue should have been addressed in our 4.1.11 release. It is caused by bug in cookie handling code.

Share This Page