Andy Knasinski sessions being duplicated?
Mar 11, 2014; 16:21
Steve Piercy - Web Site Builder Re: sessions being duplicated?
Mar 11, 2014; 15:11
James Harvard Re: sessions being duplicated?
Mar 12, 2014; 19:45
Yeah, I too had a nightmare with sessions after upgrading 8.6.0 to 8.6.3. The good news is that after a certain amount of blood, sweat and tears last month, I can at least now tell you what the problem is :-)
You're right - there has been an (AFAIK) undocumented change in how expired sessions are handled. You can see the code for session_start() via the following path in your Lasso installation's 'Documentation' directory:
Documentation/3 - Language Guide/LassoApps/Startup/sessiontrackerinit.lasso
Also I've tried uploading both the 8.6.0 and 8.6.3 versions to this site http://diffboard.com/snippets/iALiHfba/versions/2 which displays a 'diff' comparison of the two. (I'm not overwhelmed by diffboard.com - anyone know a better one for publicly posting diffs?)
Previously Lasso issued a new session ID if an attempt was made to load an expired session. However, in 8.6.3 the expired session ID is reused (see line 224 in sessiontrackerinit.lasso). I don't know if this was a deliberate change by Lassosoft, but now I know someone else has had problems I suppose I should take this explanation and whack in a bug report :-/
My problem was with some old code that uses link-based session IDs. We knew that some session IDs had got erroneously hard-coded into links by users (and thence into search engine indexes too), but it hadn't been a serious problem in the past. Suddenly, after 8.6.3 there was considerable chaos with users getting sessions mixed up with one another. It seems users were hitting the site via URLs that included a session ID, and where previously they would at worst have just started a new session, each with a different session ID, now the first user would 'resurrect' the session ID and subsequent users would find they were hitting a live session.
(Actually many of the reports came in as "I keep on getting logged out", which I guess was user A and user B not realising they're sharing the same session, then user B logs out and user A gets a 'you're no longer logged in' error message on their next page request.)
If it helps, here's my new code that fixes the problem by calling session_end (to prevent the session ID being added to links on the page), and redirects to the same URL without the session ID (to try and kill off the session IDs currently lurking in search engine indices).
<?lassoscript
    // Start (or resume) the link-based 'user' session
    session_start( -name='user', -expires=(60*4), -uselink );
    if( session_result == 'expire' );
        // End the session so its ID is not added to links on this page
        session_end( -name='user' );
        // redirect to non-session URL
        var('new_url') = ('http://' + server_name + response_filepath);
        $new_url += '?';
        // Copy every GET argument except the 'user' session ID
        iterate( client_getargs->split('&'), var('i') );
            ! $i->beginswith('-session=user:') ? $new_url += ($i + '&');
        /iterate;
        $new_url->removetrailing('&')&removetrailing('?');
        redirect_url( $new_url, -type='301' );
    /if;
?>
HTH,
James
On 11 Mar 2014, at 22:11, Steve Piercy - Web Site Builder wrote:
> Do you use session IDs in the URL? Users can copy and paste the URL in email or messaging, thus granting other users access to it.
>
> --steve
>
>
> On 3/11/14 at 4:21 PM, ajk@nrgsoft.com (Andy Knasinski) pronounced:
>
>> Just migrated a site from Lasso 8.5 on Windows to 8.6.3 with Apache and am having session issues - session id's are being reused across different site users thus munging up some data. I don't see anything in release notes that would explain this oddity.
>> #############################################################
>> This message is sent to you because you are subscribed to
>> the mailing list Lasso Lasso@lists.lassosoft.com
>> Official list archives available at http://www.lassotalk.com
>> To unsubscribe, E-mail to: <Lasso-unsubscribe@lists.lassosoft.com>
>> Send administrative queries to <Lasso-request@lists.lassosoft.com>
>
> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
> Steve Piercy Web Site Builder Soquel, CA
> <web@StevePiercy.com> <http://www.StevePiercy.com/>
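An added Python model of the behaviour described in the message above (not part of the original post and not Lasso's implementation): it contrasts issuing a fresh ID for an expired link-based session with reusing the presented ID, then applies the same end-session-and-301 mitigation. The `SessionStore` class, its method names and the example.test URL are assumptions made for illustration; only the `-session=user:` argument format comes from the post.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit

class SessionStore:
    """Toy link-based session tracker (hypothetical model, not Lasso code)."""
    def __init__(self, reuse_expired_id):
        self.reuse_expired_id = reuse_expired_id  # True models the 8.6.3 behaviour
        self.live = {}                            # session ID -> session data

    def start(self, presented_id=None):
        """Return (session_id, result); result is 'load', 'expire' or 'new'."""
        if presented_id in self.live:
            return presented_id, "load"
        if presented_id is None:
            sid, result = secrets.token_hex(16), "new"
        else:
            # The ID from the URL is unknown or expired: either resurrect it
            # or replace it with an unpredictable fresh one.
            sid = presented_id if self.reuse_expired_id else secrets.token_hex(16)
            result = "expire"
        self.live[sid] = {}
        return sid, result

    def end(self, sid):
        self.live.pop(sid, None)

def strip_session_arg(url, name="user"):
    """Drop the '-session=<name>:<id>' argument, keeping all other arguments."""
    parts = urlsplit(url)
    prefix = f"-session={name}:"
    kept = [a for a in parts.query.split("&") if a and not a.startswith(prefix)]
    return urlunsplit(parts._replace(query="&".join(kept)))

def two_visitors_share_session(store, stale_id):
    """Two visitors follow the same stale indexed link; does B see A's data?"""
    sid_a, _ = store.start(stale_id)
    store.live[sid_a]["user"] = "visitor A"
    sid_b, _ = store.start(stale_id)
    return sid_a == sid_b and store.live[sid_b].get("user") == "visitor A"

def handle_request(store, url, presented_id):
    """Mitigation: on 'expire', end the session and 301 to the URL without the ID."""
    sid, result = store.start(presented_id)
    if result == "expire":
        store.end(sid)
        return 301, strip_session_arg(url)
    return 200, url
```

With the redirect in place the stale ID never becomes a live session, so a second visitor arriving through the same indexed link has nothing to join.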