Problems with cookies/phpsessid

Discussion in 'General' started by Hbod, Sep 27, 2017.

  1. Hbod

    Hbod Member

    Hi,
    I guess I still have this issue here:
    https://git.ispconfig.org/ispconfig/ispconfig3/issues/3827

    The issue existed on Debian 8 and even on 9, no matter which PHP version I use. My current scenario has FastCGI.
    It is not related to the ISPConfig backend, but to, for example, logging into WordPress or REDAXO CMS. I don't know if this is an HTTP-to-HTTPS redirect issue. When I watch the response and request headers, I can see two PHPSESSIDs, which will prevent me from logging in. Every PHP setup is totally default.

    I need to restart my browser (firefox or chrome, bug exists on both) in order to be able to log in.
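
A small diagnostic for the symptom described in this post, added here as an example and not part of the original thread: it reads a pasted header block and reports any cookie name, such as PHPSESSID, that a response sets more than once or that a request sends more than once, along with the Domain/Path/Secure scope of each Set-Cookie. The header samples, host name and session values are constructed.

```python
from collections import defaultdict

# Constructed sample: response headers as seen in the browser's network panel.
SAMPLE_RESPONSE = """\
HTTP/1.1 302 Found
Set-Cookie: PHPSESSID=aaaa1111; path=/
Set-Cookie: PHPSESSID=bbbb2222; path=/; secure; HttpOnly
Location: https://example.test/wp-admin/
"""
# Constructed sample: the Cookie header sent on the following request.
SAMPLE_REQUEST = "Cookie: PHPSESSID=aaaa1111; PHPSESSID=bbbb2222; lang=en"

def parse_set_cookies(raw):
    """Return (name, value, attrs) for every Set-Cookie line in a header block."""
    cookies = []
    for line in raw.splitlines():
        field, sep, rest = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in rest.split(";") if p.strip()]
        if not parts:
            continue
        name, _, value = parts[0].partition("=")
        attrs = {k.strip().lower(): v.strip()
                 for k, _, v in (p.partition("=") for p in parts[1:])}
        cookies.append((name.strip(), value.strip(), attrs))
    return cookies

def duplicate_set_cookies(raw):
    """Cookie name -> [(value, (domain, path, secure))] when set more than once."""
    seen = defaultdict(list)
    for name, value, attrs in parse_set_cookies(raw):
        scope = (attrs.get("domain", "(host-only)"),
                 attrs.get("path", "(default)"), "secure" in attrs)
        seen[name].append((value, scope))
    return {n: v for n, v in seen.items() if len(v) > 1}

def duplicate_request_cookies(header):
    """Cookie name -> [values] when one Cookie header repeats the name."""
    seen = defaultdict(list)
    for pair in header.partition(":")[2].split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            seen[name].append(value)
    return {n: v for n, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    print(duplicate_set_cookies(SAMPLE_RESPONSE))
    print(duplicate_request_cookies(SAMPLE_REQUEST))
```

Browsers key stored cookies by name, domain and path, so two PHPSESSID values in one request mean the two cookies were stored under different Domain or Path scopes.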
     
  2. HSorgYves

    HSorgYves Active Member

    You can delete cookies, no need to restart your browser.
     
  3. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    Very interesting, do you have that issue with a setup that strictly follows the install guide?
    I have absolutely never ever seen that, and I did a lot of Debian+ISPConfig setups ^^
    Are you carrying old php.ini files with you, or other backups?
    Are you really using fastcgi on Debian 9, or fcgid (which are not the same; while fastcgi is better on deb8, it has been superseded by proxy_fpm and is no longer available for good reasons ;) )?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    In my opinion, this problem is probably a race condition together with a problem in the session_regenerate_id command in some PHP versions which causes PHP to create two sessions. It might be somehow related to two scripts creating or regenerating a session at the same time (e.g. by calling multiple files with ajax or similar) together with a slow session storage so that both scripts 'think' that they are the first to create a new session, but that's just a rough guess. I never had this on any of my own servers. So this can probably happen in any application that is written in PHP and that uses this function, no matter if the server uses ISPConfig.
     
    ztk.me likes this.
  5. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    Good point, I wonder what happens if, temporarily b/c of security in a shared host environment, you configure memcache as session storage.
     