I'm running into a strange (and very sporadic) issue with Symfony 1.4. Specifically, my Symfony application (on very rare occasions) shows fresh sessions as logged into my application, even though they aren't.
I use the following code in my header to check to see if the session is from a logged-in user. If it is, we show them a greeting message and invite them to login:
<?php // Greeting shown only when sfGuard reports the session as authenticated
if ($sf_user->isAuthenticated()) { ?>
<div class="btn">
Welcome back, <?php echo $sf_user->getProfile()->getFirstName(); ?>
</div>
<?php } ?>
However, sometimes a new session will display a welcome message from a random user from our system. Just recently, someone loaded a fresh session and was presented with a "Welcome" message for someone else in our system.
Important note: This is the first time this has happened. I cannot reproduce the issue after trying 40+ browsers and locations.
We are using Symfony 1.4 with the sfGuard authentication that ships with Symfony.
Strangely, though the above code shows that the session comes from a logged in user, the user is not given any other login permissions.
Any help would be greatly appreciated.
We had a very similar problem. Setting session.hash_function to a stronger hash function helped us.

Details

Due to rather high visit numbers and short session lifetime, sessions were often regenerated (i.e. a new session ID was generated).
It seems like sometimes it caused session ID collision: two different users got the same session ID. That made one of the users see the page as if she were logged in as another user.
Needless to say, it was damn hard to debug. We were just trying different things to fix or reproduce the issue with no luck. Setting session.hash_function to sha256 made the issue disappear (no new cases were reported for more than a year).

Note on pre PHP 7.1.0

They recommend setting session.hash_function to sha256 on the official PHP doc page: http://php.net/manual/en/session.security.ini.php

Note on PHP 7.1.0

The session.hash_function setting was removed in PHP 7.1.0. It uses a strong function by default now.
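The configuration the answer above describes, written out as an added example (not code from the answer's author or from Symfony/sfGuard): the pre-7.1 `session.hash_function` change beside the settings that replace it from PHP 7.1 on, plus `session.use_strict_mode` so that a cookie carrying an ID the server never issued cannot attach to an existing session. The function name `hardenSessionIni` and the choice to apply it via `ini_set()` before `session_start()` are assumptions; in a Symfony 1.4 project the equivalent values could equally go in php.ini, and the exact bootstrap hook is not something the answer specifies.

```php
<?php
// Added example, not from the original answer. Session ID hardening that must
// run before session_start(); where you call it from (ProjectConfiguration,
// php.ini, .htaccess) is an assumption about your deployment.

function hardenSessionIni()
{
    $applied = array();

    if (PHP_VERSION_ID < 70100) {
        // Before 7.1 the session ID is hash(session.hash_function) over the
        // collected entropy. The default, 0, means MD5; the PHP manual
        // recommended 'sha256' (any name from hash_algos() is accepted).
        $applied['session.hash_function']         = 'sha256';
        // Pull OS entropy instead of relying only on PHP's internal sources.
        $applied['session.entropy_file']          = '/dev/urandom';
        $applied['session.entropy_length']        = '32';
        // Encode 5 bits per character so the full digest survives in the ID.
        $applied['session.hash_bits_per_character'] = '5';
    } else {
        // From 7.1 session.hash_function no longer exists; IDs are drawn from
        // a CSPRNG. Only length and alphabet remain tunable.
        $applied['session.sid_length']             = '48';
        $applied['session.sid_bits_per_character'] = '5';
    }

    // Reject client-supplied IDs the server did not create (PHP >= 5.5.2).
    // Without this, any ID in a cookie is accepted and a session is started
    // under it, which is what lets a stale or duplicated ID land on another
    // user's data.
    $applied['session.use_strict_mode']  = '1';
    $applied['session.cookie_httponly']  = '1';

    foreach ($applied as $key => $value) {
        ini_set($key, $value);
    }

    return $applied;
}

// Call after the user has been authenticated (e.g. in your sfGuard signin
// handler) so the pre-login ID is discarded together with its data.
function rotateSessionIdAfterLogin()
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
}

// Usage (assumed bootstrap order):
// hardenSessionIni();
// session_start();
// ... authenticate ...
// rotateSessionIdAfterLogin();
```

Apply the settings before the session is started; `ini_set()` on `session.*` after `session_start()` has no effect on the ID already issued. On PHP 5.x the `session_status()` call requires 5.4 or later; on older releases replace it with a check on `session_id() !== ''`.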