PHP using the same session IDs?

[optize]

I'm not sure if this is a Litespeed problem or a PHP problem, however across multiple servers of ours, we are seeing the same session ID being (attemped to be) used by two people.

The second person that tries to use it obviously gets a permission denied as it's already written to /tmp under the first user.

I've googled around and people say this is extremely rare, so I'm not quite sure why we're seeing it on a weekly basis across multiple servers.

People have also suggested using:

session.entropy_length = 512
session.entropy_file = /dev/urandom

in /usr/local/lib/php.ini to help make the session file more random, but it's still occuring.

Anyone run into this before?

 

[XN-Matt]

Yes!

We're seeing this too and it's VERY annoying.

Matt

 

[NiteWave]

it should be a PHP issue. google "php same session id", there return many results.

People have also suggested using:

session.entropy_length = 512
session.entropy_file = /dev/urandom

in /usr/local/lib/php.ini to help make the session file more random, but it's still occuring.

to ensure lsphp read this php.ini. or check if lsphp5 is using /usr/local/lsws/lsphp5/lib/php.ini

 

[XN-Matt]

Done on both counts.. but this has only started occurring with lsphp - does not occur with Apache + suPHP.

Matt

 

[NiteWave]

is lsphp suExec enabled ? so match for apache + suPHP

 

[XN-Matt]

Yes, it is.

Matt

 

[Tony]

I'm going to bump this since we see this as well. I'm just going to throw something out there it's not possible that something with the PHP LSAPI implementation may be causing this?

 

[mistwang]

Does it only start to happen recently? after 4.1.6 or 4.1.7?
It could be caused by some extra event handling coding added to deal with 100% cpu issue.
I have reversed some changes that could affect this, please force reinstall 4.1.8.

 

[Tony]

Does it only start to happen recently? after 4.1.6 or 4.1.7?
It could be caused by some extra event handling coding added to deal with 100% cpu issue.
I have reversed some changes that could affect this, please force reinstall 4.1.8.

This happens in 4.1.8 as well and I'm not sure how recent it is or if it's Litespeed or not. I just don't think it happens typically at such a frequency though on another web server. Never seen session collisions at such a frequency until we switched to Litespeed. I also don't think it happened at all until some recent version.

 

[optize]

This has been an issue since we started using ls, so I don't believe it was due to something recently added.

If you feel it's fixed in 4.1.8, we can test with our customers and see if the issue goes away.

 

[mistwang]

If someone interested in providing a server with high occurring frequency, we may load a special build of LSWS with detailed session loggings to track it down.

 

[XN-Matt]

This is still ongoing. No matter how high the entropy is, it will happen sooner than later.. but is still very intermittent.

This never used to happen but appears to still happen in the latest release and is getting to the point where we ditch LS as it just isn't reliable enough...

 

[webizen]

pm your server temporary root access so we can take a look.

 

[mistwang]

This issue should have been addressed in our 4.1.11 release. It is caused by bug in cookie handling code.