Warning: Please do not give out any FTP or ssh credentials to anyone, unless you trust them completely. Giving out login details is dangerous.

If the asker does not get an answer then they have 10 days to request a refund.

$20
Where can I find my session id?

This site (which you are on now) is running Symfony 1.2.5. The ORM is Propel.

The user system is handled by sfGuardUserPlugin.

I have written a Clojure app which is given a PHP session id and needs to verify that id. On my server, the PHP sessions are kept here:

/var/lib/php5

And the session files look like this:

/var/lib/php5/sess_nolm690lusonkuk4fa7wed2tc6

If I sudo to root, then sometimes I can go:

ls -al /var/lib/php5/sess_nolm690lusonkuk4fa7wed2tc6

and I get:

-rw------- 1 www-data www-data 246 2012-10-29 11:49 /var/lib/php5/sess_nolm690lusonkuk4fa7wed2tc6

(I've altered the session id for security, but you get the idea)

I don't need much security here so merely checking to see if the file exists would be enough security for me.

If you are logged in, then check your browser right now (Firebug in Firefox is especially useful for this). Your browser should be sending an Ajax request to the server, with the session id and some other info.

Unfortunately, sometimes that session file does not exist. Sometimes the Ajax in my browser keeps sending that session_id yet the file on the server is not there.

So, why is that? Does Symfony store it in the database such that the session is no longer recorded in /var/lib/php5?

My question in its simplest form: where can I look to reliably verify that a session id is real? I have to be able to do this from outside of PHP. Though the site was originally written in PHP/Symfony, my long term plan is to re-write the whole thing in Clojure. For now, this means I have to get the Clojure and PHP to sometimes share information.

UPDATE:

This just happened again. Someone's browser just sent in this session id, just a few seconds ago:

8hpvncvd7ahia95bnbe4o5wer7

I saw this session id come in via the server. And, as root, I checked for it and found nothing:

root@www1:/tmp# ls -al /var/lib/php5/sess_8hpvncvd7ahia95bnbe4o5wer7

ls: cannot access /var/lib/php5/sess_8hpvncvd7ahia95bnbe4o5wer7: No such file or directory

At the moment, all of the session ids seem to be false, even mine. But that is not possible. So where are the files?

This question has been answered.

Lawrence Krubner | 10/29/12 at 12:00pm

(10) Responses

  • Luis Cordova says (last edited 10/29/12 at 12:43pm):

    I think this will bring you close to the answer

    http://www.ens.ro/2012/04/26/setting-up-symfony-1-4-and-uploadify-session-id/

  • Milena Dimitrova says (last edited 10/29/12 at 1:09pm):

    Hi Lawrence,

    Normally in PHP (including Symfony with sfGuardUser plugin and Propel ORM) you can find the session file like this:

    echo session_id(); // returns something like hp2i2oabt9jc9fl1mm6mae5la7

    echo ini_get('session.save_path'); // returns the location of the session file, e.g. /var/lib/php5/, so the session file is here: /var/lib/php5/sess_hp2i2oabt9jc9fl1mm6mae5la7


    The content of the file would contain information such as:

    symfony/user/sfUser/lastRequest|i:1351529784;symfony/user/sfUser/authenticated|b:0;symfony/user/sfUser/credentials|a:0:{}symfony/user/sfUser/attributes|a:2:{s:30:"symfony/user/sfUser/attributes";a:8:{s:8:"settings";O:13:"SystemSetting":9:{s:5:"...

    Of course you can store any specific data in the session and then you can retrieve it or just check if it exists in the session directory without using PHP.

    Hope this helps,

    Milena
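
Added example, not part of the answer above or the site's own code: checking a client-supplied session id from outside PHP, written in Python rather than the asker's Clojure. It validates the id before it reaches the file path and reads the `authenticated` and `lastRequest` fields shown in the sample, because a session file also exists for logged-out visitors; the function names, the 1800-second idle limit and PHP's default `php` serialize handler are assumptions.

```python
import os
import re
import time

SID_RE = re.compile(r"[A-Za-z0-9,-]{1,128}")  # characters PHP allows in a session id
KEY = b"symfony/user/sfUser/"                 # key prefix seen in the sample file

def _skip(buf, i):  # index just past the serialized PHP value that starts at buf[i]
    t = buf[i:i + 1]
    if t in (b"N", b"i", b"b", b"d"):         # N;  i:123;  b:0;  d:0.5;
        return buf.index(b";", i) + 1
    if t not in (b"s", b"a", b"O"):
        raise ValueError("unsupported or truncated value")
    colon = buf.index(b":", i + 2)
    n = int(buf[i + 2:colon])
    if n < 0:
        raise ValueError("negative length")
    if t == b"s":                             # s:LEN:"bytes";
        return colon + n + 4
    if t == b"O":                             # O:LEN:"Class":COUNT:{...}
        i = colon + n + 2                     # closing quote of the class name
        colon = buf.index(b":", i + 2)
        n = int(buf[i + 2:colon])
    i = colon + 2                             # first byte after ":{"
    for _ in range(2 * n):                    # COUNT key/value pairs
        i = _skip(buf, i)
    return i + 1                              # past "}"

def parse_session(buf):  # 'php'-handler blob -> {key: raw serialized value}
    fields, i = {}, 0
    while i < len(buf):
        bar = buf.index(b"|", i)
        end = _skip(buf, bar + 1)
        fields[buf[i:bar]] = buf[bar + 1:end]
        i = end
    return fields

def check_session(sid, session_dir="/var/lib/php5", max_idle=1800, now=None):
    if not SID_RE.fullmatch(sid):             # keep "../" and NUL out of the path join
        return "rejected"
    try:
        with open(os.path.join(session_dir, "sess_" + sid), "rb") as fh:
            fields = parse_session(fh.read())
        last = int(fields[KEY + b"lastRequest"][2:-1])
    except (OSError, ValueError, KeyError):   # file gone, unreadable or not parsable
        return "unknown"
    if fields.get(KEY + b"authenticated") != b"b:1;":
        return "anonymous"                    # a file exists for logged-out visitors too
    return "stale" if (now or time.time()) - last > max_idle else "authenticated"
```

The checker has to run as www-data or root, because the session files are mode 0600. "unknown" covers ids whose file was removed by regeneration or garbage collection, so it is not proof that the id was forged.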

  • Martin Palacio says (last edited 10/29/12 at 3:15pm):

    "But then later the file seems to disappear"

    Strange behavior. The file is supposed to be deleted when the session_id is regenerated with, say, session_regenerate_id() (I don't know if Symfony performs this internally).
    So, maybe the cleanest way is to implement your PHP sessions in MySQL instead of plain files (the default).

    Moreover, regarding PHP sessions you need to check some session.gc* configuration options...

    "Your browser should be sending an Ajax request to the server, with the session id and some other info."


    As a side note, if you ask me, I don't like to have my username, profile name "and some other info" to be transferred over plain HTTP through the wire. Just sayin'.

  • Lawrence Krubner says (last edited 10/29/12 at 1:22pm):

    I am sorry if I wasn't clear. The application is being written in Clojure, not PHP. But the site is in PHP, and the users create their sessions in PHP. Normally the session id info is stored in:

    /var/lib/php5

    The file is as you describe.

    The Clojure app is sent the session id via Ajax. At that point, it needs to figure out whether the session is real, or whether someone is lying.

    I originally wrote this app thinking it would be enough to check and see if the file existed. But I am getting false negatives.

    I am thinking perhaps sometimes Symfony stuffs this info into a database? Or the session id changes?

  • Lawrence Krubner says (last edited 10/29/12 at 1:23pm):

    You write:

    "or just check if it exists in the session directory without using PHP."

    That is the part I am having trouble with. In Firefox, I log into a site, and using Firebug I can see the Ajax calls that send my session id to the Clojure app. And at first the Clojure app can find a session file in /var/lib/php5 that matches my session id. But then later the file seems to disappear.

  • Lawrence Krubner says (last edited 10/29/12 at 1:55pm):

    It says:

    "Uploadify (currently on version 3.1.0) has the option to send the session name and id to the upload script so you can secure the action handling this in Symfony"

    I am already sending the session id without a problem. The problem is that the Clojure app does not always find a file in /var/lib/php5 that matches the session.

  • Lawrence Krubner says (last edited 10/29/12 at 3:22pm):

    I agree that the info needs to be hidden. My goal was simply to get the app working this week. Next week I plan to switch to a more secure protocol. I don't like sending anyone's session_id over the plain wire as plain HTTP.

  • Milena Dimitrova says (last edited 10/30/12 at 1:52pm):

    Regarding this problem:

    "...at first the Clojure app can find a session file in /var/lib/php5 that matches my session id. But then later the file seems to disappear."

    Please search your project for any custom authentication-related method that is calling this:

    $storage->regenerateID();

  • Lawrence Krubner says (last edited 11/02/12 at 10:42am):

    Okay, that is a good thought. I'm searching for anything that restarts the session.

  • Lawrence Krubner says (last edited 11/02/12 at 10:44am):

    Hmm, possibly the PHP session times out? Or...

    It is hard to imagine where PHP would put the session if not in /var/lib/php5.

    Though it occurs to me, I can have the PHP on the server ping the Clojure app directly, and tell it, directly, what PHP session ids are valid.

This question has expired.



Lawrence Krubner voted on this question.



Current status of this question: Completed


