Session problems

by diego dubois
Number of replies: 44

I have a Mandrake 10.1 server with 2 installations of Moodle. When many students access Moodle I have a problem that one user surfing suddenly becomes another user. So one student can change his session to an administrative user, so he can change whatever he wants.

Where is the problem (PHP, Apache, Moodle)???
Thanks for all

In reply to: diego dubois

Re: Session problems

by Sean Keogh
Hi Diego,

This problem has been seen before (by me as well as others). The root cause has not yet been determined but there is a strong feeling that it is related to PHP.

When I first had the problem, I was running Mandrake 9.2 with Apache 2 and PHP 4.3.4.  Going back to apache 1.3.x and the 1.3.x version of mod_php fixed it.

I am now running Mandrake 10.1 Community Edition, with PHP 4.3.8 under Apache 1.3.31 and am not seeing the problem.  I have not yet tried it with Apache2.


Sean K Beardie
In reply to: Sean Keogh

Re: Session problems

by Petr Skoda
I am preparing some diagnostic code for this, I will need testers soon. I will announce it in 2 weeks.

skodak
In reply to: Petr Skoda

Re: Session problems

by Lorenzo Nicora
I'll be glad to be a tester too.
I have the same problem on installations that are going to be "live" in a month and I MUST fix it before then.

BTW.
I recently saw the session "sharing" bug with my eyes, while I was doing some testing on the server.

With my browser (in the LAN), I fetched the home page, without doing any other operation (no login, no browsing).
Almost at the same time, a colleague of mine fetched the same home page from his browser (through the Internet).

We both got the SAME session file (and session cookie, I suppose).
Of course, when we logged in with distinct users and started browsing, it was a big mess...

Bye

Lorenzo
In reply to: Lorenzo Nicora

Re: Session problems

by Penny Leach
That sounds like a proxy problem to me....
In reply to: Petr Skoda

Re: Session problems

by Petr Skoda
Here is a patch for Moodle 1.4.3. The purpose of this diagnostic code is to verify sessions.

I suppose that cookies work and sessions sometimes do not (on some servers??). If the checks do not catch any problems I will make some tests for cookies too.

How to use:
  • backup original lib/setup.php (for example: rename it to setupxx.php)
  • extract zip archive to your moodle installation - lib/setup.php is replaced and lib/session_sanity_report.php is added
  • from time to time inspect http://yoursite.net/lib/session_sanity_report.php
  • report status of error counters here

I have installed it on my production site, I believe it is safe.

How to uninstall:
In reply to: Petr Skoda

Re: Session problems

by Lorenzo Nicora
Hi Petr,

We decided to downgrade Apache from 2.0 to the latest 1.3, as I read about people not experiencing the session problem with Apache 1.3 and a suggestion (on the PHP site) not to use Apache 2 with PHP. We are not experiencing the problem any more, but that does not mean it is over, as it was _very_ random.

Anyway...
I've had a look at the diagnostic code.
I'm not sure it will capture the "insane" sessions.
What I saw with my own eyes were two clients using the same newly created PHP session file when they first connected to the server (and so, I suppose, having received the same session ID).
Of course they continued with the same (shared ...) session (id and file) until the session expired.

I'm not sure this diagnostic code can detect this problem.
I think the only way is to store in the session some client-unique information not related to the session (such as client IP, user agent...) and warn if it changes during a session.
I added these two checks to your code.
Please have a look


Lorenzo
In reply to: Lorenzo Nicora

Re: Session problems

by Petr Skoda
Thanks for feedback!!

For me it is new and important information that the problems occurred at the start of the session.

I was thinking about detecting some static info (user agent + something else), making an md5 hash from it and checking it. The problem with IP is that it may change - some ISPs (AOL) have strange proxies that change the IP on each request and others have short DHCP lease times. User agent and OS are usually the same for the whole lab

I will investigate the session start more today...

Thanks again!
In reply to: Petr Skoda

Re: Session problems

by Petr Skoda
To rule out all possibilities we should also try to use the entropy pool for session data; see the PHP man page here:

session.entropy_file string

session.entropy_file gives a path to an external resource (file) which will be used as an additional entropy source in the session id creation process. Examples are /dev/random or /dev/urandom which are available on many Unix systems.

session.entropy_length integer

session.entropy_length specifies the number of bytes which will be read from the file specified above. Defaults to 0 (disabled).


I do not think that it is the case, but you never know. Entropy length 2 should be enough for testing...
In reply to: Petr Skoda

Re: Session problems

by Lorenzo Nicora
In the tests I did with Apache2, I tried to use both /dev/random and /dev/urandom (with a length of 8).
Apparently, it does not remove the problem.

Anyway, IMHO, it seems a PHP/Apache fault. It is very strange that in the official PHP bug tracker there is nothing like this problem.

For testing, I was thinking about another strategy.
Use a random token, stored both in the session and in a (non-persistent) cookie.
  • If both exist, they must be equal. Otherwise there may be two browsers sharing the same session
  • If either or both do not exist, generate a new token and store it in both places
This should pinpoint this specific problem, if it happens.
Do you see any flaw?

In reply to: Lorenzo Nicora

Re: Session problems

by Martin Dougiamas
In Moodle 1.5 there is a new config variable called $CFG->tracksessionip (which you can set in your config.php if you like).

When enabled, Moodle checks the current IP address against one stored in the session from login time and if they don't match then an error page is put up.

The problem still needs to be solved (and I too think it's a PHP bug) but this at least prevents the issue from being a security risk ...
In reply to: Lorenzo Nicora

Re: Session problems

by Petr Skoda
I have seen some 3 reports in the PHP bug tracker, but they were closed because the reporters did not cooperate.

Well, Apache might send the requested page to another user, PHP might send the SESSION ID as a cookie on each session_start() (I might have seen such a bug in the tracker) and thus the session would be shared...
If this is the case we may simply store the SID in a cookie twice (one automatic from PHP session management and the other set manually during session creation) and compare them in setup.php.

This is getting a bit paranoid, but we should try it
In reply to: Petr Skoda

Re: Session problems

by Lorenzo Nicora
Storing the SID twice will not work if the same session is sent to two browsers when it is created.
Also, as Petr said (I did not think about it, regardless of my own home ISP having the same problem), client IP shifting will make IP+session matching not very useful.

Today I have a little free time, so I implemented session+cookie matching using the scheme I described.
It should raise error #6 if two browsers get the same session, even if it happens on session creation.

In reply to: Lorenzo Nicora

Re: Session problems

by Martin Dougiamas
Yes, true, client IP shifting could cause problems there (I missed that point above).

So this code is implementing a second separate session cookie, and making sure its data matches the copy stored in the main session? Sounds like a good detection mechanism to me, even though it does mean accepting yet another cookie from the server.

We're still left with the problem of what to do about it ... terminating the session is secure but not very user friendly ... can we rebuild the session in a secure way?
In reply to: Martin Dougiamas

Re: Session problems

by Lorenzo Nicora
No, my code is just a little modification to Petr's code to record possible sessions "going insane".
This is not supposed to be a useful production patch.
If things go wrong, it just increments an error counter that can be seen in ./lib/session_sanity_report.php (please see Petr's instructions).

Petr's code does many session information consistency checks.
The code I added is to identify any session assigned to more than one browser (the problem I experienced myself).

My additional check stores a random token (just an int) in the session AND in a cookie.
If either the session-stored value OR the cookie, OR BOTH are missing, it generates a NEW random value and stores it in the session AND a cookie.
If both the cookie AND the session-stored value exist, they must be equal.
If I'm not missing something important, the session-stored value and the cookie may both exist but be different only in this scenario:
  1. A new session is created and assigned to browser A. It generates a random value alpha, sends it to browser A as a cookie and stores it in the session.
  2. The same session is erroneously assigned to browser B. Browser B has no cookie, so it generates a new value beta, sends it to browser B as a cookie and stores it in the session.
  3. Browser A comes back. It has the cookie with alpha, but beta is stored in the session: warning!
My error counter is #6

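The three-step scenario above, replayed as an added Python model of the token cross-check (this is not the thread's PHP patch, just an illustration written for this page). The cookie name MoodleSessionTest, the session key SESSION_TEST_TOKEN and the reuse_last_sid fault switch are assumptions standing in for the patch's real names and for the Apache/PHP fault; drop_garbled models Lorenzo's later $CFG->dropgarbledsessions option and shows that it logs out both browsers, not only the one whose request tripped the check.

```python
import secrets

PHP_SESSION_COOKIE = "PHPSESSID"
TOKEN_COOKIE = "MoodleSessionTest"  # assumed name for the extra non-persistent cookie
TOKEN_KEY = "SESSION_TEST_TOKEN"    # assumed key for the copy kept in the session data


class Server:
    """Stand-in for lib/setup.php: a session store plus the token cross-check."""

    def __init__(self, drop_garbled=False):
        self.sessions = {}                 # session id -> data (the PHP session file)
        self.error6 = 0                    # Lorenzo's error counter #6
        self.drop_garbled = drop_garbled   # models $CFG->dropgarbledsessions = TRUE
        self.reuse_last_sid = False        # fault injection standing in for the bug
        self._last_sid = None

    def _new_sid(self):
        if self.reuse_last_sid and self._last_sid is not None:
            self.reuse_last_sid = False    # the bug: hand the previous id out again
            return self._last_sid
        self._last_sid = secrets.token_hex(16)
        return self._last_sid

    def handle(self, cookies):
        """One page request; returns (sane, cookies_to_set). A None value = expire."""
        to_set = {}
        sid = cookies.get(PHP_SESSION_COOKIE)
        if sid is None or sid not in self.sessions:
            sid = self._new_sid()
            self.sessions.setdefault(sid, {})
            to_set[PHP_SESSION_COOKIE] = sid
        session = self.sessions[sid]
        stored, presented = session.get(TOKEN_KEY), cookies.get(TOKEN_COOKIE)
        if stored is not None and presented is not None:
            if stored == presented:
                return True, to_set
            self.error6 += 1               # both exist but differ: session is shared
            if self.drop_garbled:
                del self.sessions[sid]
                to_set[PHP_SESSION_COOKIE] = None
                to_set[TOKEN_COOKIE] = None
            return False, to_set
        token = secrets.token_hex(8)       # either side missing: issue a fresh token
        session[TOKEN_KEY] = token
        to_set[TOKEN_COOKIE] = token
        return True, to_set


class Browser:
    def __init__(self):
        self.jar = {}                      # cookie jar, applied like a real client would

    def get(self, server):
        sane, to_set = server.handle(dict(self.jar))
        for name, value in to_set.items():
            if value is None:
                self.jar.pop(name, None)
            else:
                self.jar[name] = value
        return sane


def shared_session_scenario(drop_garbled=False):
    """Replays the three steps from the post plus a fourth request by browser B."""
    server, a, b = Server(drop_garbled), Browser(), Browser()
    step1 = a.get(server)                  # A: new session, token alpha issued
    server.reuse_last_sid = True           # fault: B's next request reuses A's id
    step2 = b.get(server)                  # B: no token cookie, so beta overwrites alpha
    same_sid = a.jar[PHP_SESSION_COOKIE] == b.jar[PHP_SESSION_COOKIE]
    step3 = a.get(server)                  # A: presents alpha, session holds beta
    b_sid = b.jar[PHP_SESSION_COOKIE]
    step4 = b.get(server)                  # B: keeps going unless the session was dropped
    return {"steps": (step1, step2, step3, step4), "same_sid": same_sid,
            "error6": server.error6, "b_kept_session": b.jar[PHP_SESSION_COOKIE] == b_sid}
```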
In reply to: Lorenzo Nicora

Re: Session problems

by Petr Skoda
IMO the random token in both session and cookie is a useful test.

Lorenzo got it right, this code is only good for detection; it should be safe to deploy on production sites - that is why it only gathers information and nothing else.

As soon as we know what is wrong we can:
  • identify problematic servers
  • report bugs to Apache and PHP folks
  • make special hacks to remedy broken sessions
In reply to: Petr Skoda

Re: Session problems

by Lorenzo Nicora
If someone else is going to use this patch on a production server (as I'm going to do), here is a slightly modified version of Petr's/my patch.

In this version, if an "insane" session is detected, the session is immediately reset.
This is not very fair behaviour as users are immediately logged out, but
this will avoid a user becoming another one (as happened to me, when a student became Admin!)

Installation:
(please see Petr's instructions in this thread)
and also...
to enable session reset if a garbled session is detected, add
$CFG->dropgarbledsessions = TRUE;
somewhere in config.php (...before "requiring" setup.php)

THIS IS FOR 1.4.3 ONLY (sorry, I'm not working with 1.5)

I don't know if this hack (removing the error accounting, if necessary) could be implemented in a production release.
In reply to: Lorenzo Nicora

Re: Session problems

by Martin Dougiamas
I'd like to see this in 1.5 ... I think we also need to look ahead (on the assumption that Apache and PHP fixes will take years to filter through to all servers) and see if there is a secure way we can rebuild the session after we have detected a problem.
In reply to: Martin Dougiamas

Re: Session problems

by Lorenzo Nicora
Martin said:
I'd like to see this in 1.5 ... I think we also need to look ahead (on the assumption that Apache and PHP fixes will take years to filter through to all servers) and see if there is a secure way we can rebuild the session after we have detected a problem.

IMHO, if the problem is that the same PHP session (same session ID and storage) is assigned to two clients when the clients first connect, I think there is no way to rebuild the session, as there is nothing to rebuild.

I think you can at most detect the user who finds himself with a session started first by another user, and kick him out.

In reply to: Lorenzo Nicora

Re: Session problems

by Petr Skoda
I do not agree that we cannot repair sessions if we detect problems. Because if we can somehow detect the problem, we can store the original session ID somewhere. If we have the session ID we can send a cookie with that session ID, redirect the user to http://yoursite.something/ and there we go, the session is switched back. If the original session does not exist the user will have to log in again.

Of course I expect that the sessions are not merged, only switched.

Am I right??
In reply to: Lorenzo Nicora

Re: Session problems

by Petr Skoda
I did not read your post about restoring sessions properly, sorry Lorenzo.

You are right that if the problem starts at login time, we can only kick the later user.
In reply to: Petr Skoda

Re: Session problems

by Martín Langhoff
Petr, have you seen the reports about seeing the session doubled up in the cookie? Perhaps the logging code could report the contents of the $_COOKIE array?
In reply to: Martín Langhoff

Re: Session problems

by Petr Skoda
I do not have any report that the sessions diagnostic code works.

I did not see any session problem on my production server (FreeBSD 4.10 + latest MySQL 4.0 + latest Apache 1.3 + latest PHP 4.3.x - users coming from Internet or lab separated by m0n0wall firewall doing NAT translation).

I might have seen swapped page content in Firefox frames on my test box (Win32 + PostgreSQL 8 + Apache 2.0.52 + PHP 4.3.10). But it could be a browser problem, not the server. Anyway it was a special case - I messed up the content length in the page header while serving a stream of data from an infinite loop. The stream appeared in several browser tabs at once (though the original tab with the test page was closed), no matter what Moodle page I asked for (??), and the page refresh button acted weird too...

I think it could be committed to HEAD; IMO we could get the needed information during beta testing of 1.5.
In reply to: Petr Skoda

Re: Session problems

by Lorenzo Nicora
Just a bug report update...

As I said in past days, using Apache 2 and Moodle 1.4.3, I experienced the problem many times, just working on one Moodle site with a couple of colleagues. I had no error reporting patch at that time.

This weekend we started using two of our Moodle installations in a real class with 10 users for 12 hours of almost continuous activity...
and WE HAD NO SESSION PROBLEM! (and the detecting patch did not record any error)

Apache has been downgraded to 1.3.31 (Apache-AdvancedExtranetServer/1.3.31, standard Mandrake binary distribution).
PHP is the same (PHP/4.3.8)
Moodle is not changed (1.4.3 stable)
Just the error detecting patch has been added, not the patch killing the session on error.
The server is the same (Mandrakelinux/7.1.101mdk)

Lorenzo


In reply to: Lorenzo Nicora

Re: Session problems

by Martin Dougiamas
Lorenzo, are you using a PHP accelerator? If so, which one? Have you tried switching it off?
In reply to: Martin Dougiamas

Re: Session problems

by Dirk Grunwald
Hi - I had filed a bugtraq on this problem. I had been encountering it on a Moodle using Apache2 (Mandrake 10.1 community) and the php_accelerator. This site is serving about 300-400 students right now.

I just recently disabled the phpa on that apache2 server.

Last semester, using apache1 (& phpa), I didn't notice it at all. I've installed the detection patch by Petr & will leave that in place for a couple of days. If there are no positives on that after a couple of days, I'll try enabling phpa again & see if the problem surfaces.
In reply to: Martin Dougiamas

Re: Session problems

by Lorenzo Nicora
No accelerator.


Bad news...
the problem exists using Apache 1.3.x too....
I hailed victory too fast after downgrading to 1.3.31 ...
After some days of work with the first course and a dozen students I found my error #6 counter = 2
(this is the error detected using the combined cookie and session-stored random token).

I'm using Mandrake 10.1 (official)


In reply to: Lorenzo Nicora

Re: Session problems

by Petr Skoda
Great! Now we know how to test it. I will remove the other tests now and add some more diagnostics to see exactly what happened

Thanks!
In reply to: Petr Skoda

Re: Session problems

by diego dubois

I see that when I used the last version of the book module, the problem increased. Is it possible that this module is the key to solving the problem?

Sorry for my english.

Regards.

       Diego

In reply to: diego dubois

Re: Session problems

by Petr Skoda
Could you send me address of your server by email? I need to check page headers to gather some information about affected sites. Thanks.

skodak
In reply to: Petr Skoda

heads up: session error detection in 1.5dev

by Petr Skoda
I am going to commit some session diagnostic code to 1.5dev tomorrow. It is based on the code from Lorenzo; it detects problems and logs out only one user (not both as before). The problems are displayed in the health center.

I hope there will not be many problems

skodak

PS: If you know about any problematic server, please send me a link.
In reply to: Petr Skoda

Re: heads up: session error detection in 1.5dev

by Pio Garcia

Hi

We have the same problem. So, we are planning to use moodle 1.5dev with your session diagnostic code. Is this code already incorporated in the 1.5dev version? Or should we install it?

Other question: we are especially concerned about session confusion during exams. What happens when your session diagnostic code detects an anomalous session? Does it log out a user before or during an exam? We are not sure about when an anomalous session begins.

Thank you

Pio

In reply to: Pio Garcia

Re: heads up: session error detection in 1.5dev

by Petr Skoda
Session diagnostic is in 1.5dev, it is turned on by default. The check is done on each page at the end of setup.php.

If there is a problem, an error message is displayed and the user is logged out. There is also a database counter that is accessible through admin/health.php.

I hope that the mechanism works and we will have much more reports from servers experiencing random user switching. Then we can find out more about the problem - or at least find the problematic server configuration.

If the detection works we can add some optional logging (user IP, time, server load, etc.)

skodak
In reply to: Petr Skoda

Re: heads up: session error detection in 1.5dev

by Pio Garcia
Ok, we will try this option. But what happens if there is a session problem during an exam (when a student is taking a quiz)? Is this student logged out?
Thanks for your help
Pio
In reply to: Pio Garcia

Re: heads up: session error detection in 1.5dev

by Petr Skoda
If there is a problem, the user is logged out.

The actual problem is in Apache or PHP (or both?). Could you send me a link to your server by email, I would like to check page headers (the problems seem to happen on servers that set session cookie on each page).
In reply to: Petr Skoda

Re: Session problems

by diego dubois

aulavirtual.unc.edu.ar: apache2 + php 4.3.4; on this server we have the problem.

On aulavirtual.psyche.unc.edu.ar we had apache2 + php 4.3.4 but last week we changed to apache 1.3.x + php 4.3.8 and we have no problem reports yet. But we don't have a lot of users connected at the same time yet.

thx for all

In reply to: diego dubois

Re: Session problems

by Petr Skoda
To Diego: Your server sets the session cookie on each page again and again. Try to change the server configuration so that the cookie is set only once (do not ask me how, I do not know).

IMO the best tool for header diagnostics is Web Developer Toolbar for Firefox - menu Information/View Response Headers...


skodak

PS: here is the link explaining repeated sending of session cookie.
In reply to: Petr Skoda

Re: Session problems

by diego dubois
I searched on the web and I can't find how to do that.
My php.ini (session section) is

[Session]
session.save_handler = files
session.save_path = /tmp
session.use_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor     = 100
session.gc_maxlifetime = 1440
session.bug_compat_42 = 1
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="

can you send me a copy of your php.ini file?
regards,
   Diego



In reply to: diego dubois

Re: Session problems

by Petr Skoda
I told you I do not know how to fix it

My php.ini's are slightly modified default ones on each platform I use - Windows, FreeBSD, Gentoo. You can fetch the Windows version from http://www.php.net.

I have once installed Mandrake 10.2 and the default installation had problems with headers...
In reply to: Petr Skoda

Re: Session problems

by diego dubois

I made a new installation on Windows XP with IIS and PHP 4.3.3 and the session cookie is sent on each page too.

I really don't understand why there is no bug about switching sessions on PHP.net

thx for all

In reply to: diego dubois

Re: Session problems

by Petr Skoda
I have installed 4.3.3 - you are right. Do not use 4.3.3, use 4.3.11 instead.

There are MANY reports of session problems in php.net bug tracker - most of them are marked bogus, because the developers are unable to reproduce them.

The repeated sending of the session cookie is IMO a bug (though PHP devs called it a feature) that was fixed in 4.3.9 on Win32, but it is not mentioned in the changelog. Some info is in weekly #214 too.

As I said before, I believe that it is not a bug in PHP itself but an Apache bug. The repeated sending of the cookie might be only a prerequisite for the Apache bug to manifest itself....