0
votes

I'm running into a strange (and very sporadic) issue with Symfony 1.4. Specifically, my Symfony application (on very rare occasions) shows fresh sessions as logged into my application, even though they aren't.

I use the following code in my header to check to see if the session is from a logged-in user. If it is, we show them a greeting message and invite them to login:

<?php if ($sf_user->isAuthenticated()) { ?>
  <div class="btn">
    Welcome back, <?php echo $sf_user->getProfile()->getFirstName(); ?>
  </div>
<?php }

However, sometimes a new sessions will display a welcome message from a random user from our system. Just recently, someone loaded a fresh sessions and was presented with a "Welcome" message for someone else in our system.

Important note: This is the first time this has happened. I cannot reproduce the issue after trying 40+ browsers and locations.

We are using Symfony 1.4 with the sfGuard authentication that ships with Symfony.

Strangely, though the above code shows that the session comes from a logged in user, the user is not given any other login permissions.

Any help would be greatly appreciated.

1

1 Answers

0
votes

We had a very similar problem. Setting session.hash_function to a stronger hash function helped us:

session.hash_function = "sha256"

Details

Due to rather high visit numbers and short session lifetime, sessions were often regenerated (i.e. new session id generated).

It seems like sometimes it caused session ID collision: two different users got the same session ID. That made one of users see the page as she was logged-in as another user.

No need to say that it was damn hard to debug. We were just trying different things to fix or reproduce the issue with no luck. Setting session.hash_function to sha256 made the issue disappear (no new cases were reported for more then a year).

Note on pre PHP 7.1.0

They recommend to set session.hash_function to sha256 on the official PHP doc page: http://php.net/manual/en/session.security.ini.php

Note on PHP 7.1.0

session.hash_function setting was removed since PHP 7.1.0. It's using a strong function by default now.