Tom T - 2007-11-29 13:43:06
And if I set $ss->regenerate_id = true; in my session handler that updates a table with session ids, in IE, it will generate 10-20 session records per refresh. It does not do this in any other browser (Firefox, Safari, etc.) and it's inflating my users online count. If I change $ss->regenerate_id = false then the problem goes away, but not regenerating the session id kind of defeats the purpose, right?
Any ideas?
Vagharshak Tozalakyan - 2007-12-01 12:47:51 - In reply to message 1 from Tom T
Hello. I've just checked the class with IE6 and IE7 and it works as expected here. Did you check from another computer?
Tom T - 2007-12-01 15:02:48 - In reply to message 2 from Vagharshak Tozalakyan
Yes, I've tried it from different computers, and different users using IE trigger this bug.
Here's the session handler code I'm using, maybe something will stick out if I post that.
<?php
ini_set('display_errors', E_ALL);
session_set_cookie_params(3600);
session_start();
$ipaddress = $_SERVER['REMOTE_ADDR'];
if (isset($_SESSION['userid']))
{
    $previous_session_id = session_id();
    if (strpos($_SERVER["SCRIPT_NAME"], "/scripts/") > 0 || strpos($_SERVER["SCRIPT_NAME"], "/pop/") > 0)
    { require_once '../library/securesession.class.php'; }
    else
    { require_once 'securesession.class.php'; }
    $ss = new SecureSession();
    $ss->check_browser = true;
    $ss->check_ip_blocks = 2;
    $ss->secure_word = 'SALT_';
    $ss->regenerate_id = true;
    if (!$ss->Check() || !isset($_SESSION['loggedin']) || !$_SESSION['loggedin'])
    {
        if (strpos($_SERVER["SCRIPT_NAME"], "/scripts/") > 0 || strpos($_SERVER["SCRIPT_NAME"], "/pop/") > 0)
        {
            header('Location: ../index.php');
            die();
        }
        else
        {
            header('Location: index.php');
            die();
        }
    }
    $sql = "UPDATE sessions ";
    $sql .= "SET sessionid = \"" . session_id() . "\", ";
    $sql .= "sessiondatetime = now() ";
    $sql .= "WHERE sessionid = \"" . $previous_session_id . "\"";
    mysql_select_db($mysql);
    mysql_query($sql);
    setcookie('loggedin_at', time(), time() + 3602, '/');
}
//first check to see if sessionid exists
$sql = "SELECT * ";
$sql .= "FROM sessions ";
$sql .= "WHERE sessionid = \"" . session_id() . "\"";
$safesql = & new SafeSQL_MySQL;
$sql = $safesql->query($sql);
$recordset = mysql_query($sql);
//remove records inactive for five minutes or more
$sqldelete = "DELETE FROM sessions ";
$sqldelete .= "WHERE TIMESTAMPDIFF(SECOND, sessiondatetime, now()) > 300";
if (mysql_numrows($recordset) > 0)
{
    $sql = "UPDATE sessions ";
    $sql .= "SET sessiondatetime = now() ";
    $sql .= "WHERE sessionid = \"" . session_id() . "\"";
}
else
{
    $sql = "INSERT INTO sessions ";
    $sql .= "SELECT \"" . session_id() . "\", ";
    if (isset($_SESSION['userid']))
    { $userid = $_SESSION["userid"]; }
    else
    { $userid = 0; }
    $sql .= $userid . ", ";
    $sql .= "\"" . $ipaddress . "\", ";
    $sql .= "now()";
}
mysql_select_db($mysql);
mysql_query("BEGIN");
mysql_query($sqldelete);
mysql_query($sql);
mysql_query("COMMIT");
?>
Vagharshak Tozalakyan - 2007-12-01 16:55:45 - In reply to message 3 from Tom T
You may try the following:
1. Download the sample at "http://tozalakyan.com/db_sess_test.zip".
2. Install "schema.sql" and edit "includes/db_params.inc.php".
3. Run in IE and check the session records in db.
4. Run in Firefox and check the session records in db.
5. Set "$ss->regenerateId = true;" in "includes.init.inc.php" and check again.
This script should be acting the same way for each browser.
Tom T - 2007-12-01 17:26:22 - In reply to message 4 from Vagharshak Tozalakyan
I downloaded and installed the sample and when I set regenerate = true, the code generates a new record in the session table for each refresh/page load not just in IE, but in Safari (Mozilla) as well now.
The fingerprints are the same but the sessionids are different.
Strange.
Thanks for your help by the way, I really appreciate it.
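The thread does not establish why the extra rows appear. As an added example (not code from the thread or from the SecureSession class), one way to keep an online-users count independent of session id regeneration is to key the tracking row on a random token stored in the session data and to use bound parameters instead of concatenated SQL. The `presence` table, the `touch_presence()` function, the in-memory SQLite database and the sample values are assumptions made for this sketch, which shows three regenerated ids updating a single row.

```php
<?php
// Added example, not the thread's code. The presence row is keyed by a random
// token kept in the session data, which survives session id regeneration,
// rather than by the session id. All names here are hypothetical.
function touch_presence(PDO $db, array &$session, string $sessionId, string $ip, int $now): void
{
    if (!isset($session['presence_token'])) {
        $session['presence_token'] = bin2hex(random_bytes(16));
    }
    $token  = $session['presence_token'];
    $userId = (int) ($session['userid'] ?? 0);

    $db->beginTransaction();
    // Drop rows idle for more than five minutes, as the posted handler does.
    $db->prepare('DELETE FROM presence WHERE last_seen < ?')->execute([$now - 300]);

    $find = $db->prepare('SELECT 1 FROM presence WHERE token = ?');
    $find->execute([$token]);
    if ($find->fetchColumn() !== false) {
        // Known visitor: record the current (possibly regenerated) session id.
        $db->prepare('UPDATE presence SET sessionid = ?, last_seen = ? WHERE token = ?')
           ->execute([$sessionId, $now, $token]);
    } else {
        $db->prepare('INSERT INTO presence (token, sessionid, userid, ip, last_seen)
                      VALUES (?, ?, ?, ?, ?)')
           ->execute([$token, $sessionId, $userId, $ip, $now]);
    }
    $db->commit();
}

// Constructed demo: in-memory SQLite stands in for the MySQL sessions table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE presence (token TEXT PRIMARY KEY, sessionid TEXT,
           userid INTEGER, ip TEXT, last_seen INTEGER)');

$session = ['userid' => 42];   // stands in for $_SESSION (constructed)
$now = 1196500000;             // constructed timestamp
foreach (['id-aaa', 'id-bbb', 'id-ccc'] as $i => $regeneratedId) {
    // Each pass models one page load after which the id was regenerated.
    touch_presence($db, $session, $regeneratedId, '192.0.2.10', $now + $i);
}
$rows = $db->query('SELECT COUNT(*) FROM presence')->fetchColumn();
echo "presence rows after 3 regenerations: $rows\n";
```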