
Where can I find my session id? Symfony

  • SOLVED

This site (which you are on now) is running Symfony 1.2.5. The ORM is Propel.

The user system is handled by sfGuardUserPlugin.

I have written a Clojure app which is given a PHP session id and needs to verify that id. On my server, the PHP sessions are kept here:

/var/lib/php5

And the session files look like this:

/var/lib/php5/sess_nolm690lusonkuk4fa7wed2tc6

If I sudo to root, then sometimes I can go:

ls -al /var/lib/php5/sess_nolm690lusonkuk4fa7wed2tc6

and I get:

-rw------- 1 www-data www-data 246 2012-10-29 11:49 /var/lib/php5/sess_nolm690lusonkuk4fa7wed2tc6

(I've altered the session id for security, but you get the idea)

I don't need much security here so merely checking to see if the file exists would be enough security for me.

If you are logged in, then check your browser right now (Firebug in FireFox is especially useful for this). Your browser should be sending an Ajax request to the server, with the session id and some other info.

Unfortunately, sometimes that session file does not exist. Sometimes the Ajax in my browser keeps sending that session_id yet the file on the server is not there.

So, why is that? Does Symfony store it in the database such that the session is no longer recorded in /var/lib/php5?

My question in its simplest form: where can I look to reliably verify that a session id is real? I have to be able to do this from outside of PHP. Though the site was originally written in PHP/Symfony, my long term plan is to re-write the whole thing in Clojure. For now, this means I have to get the Clojure and PHP to sometimes share information.

UPDATE:

This just happened again. Someone's browser just sent in this session id, just a few seconds ago:

8hpvncvd7ahia95bnbe4o5wer7

I saw this session id come in via the server. And, as root, I checked for it and found nothing:

[email protected]:/tmp# ls -al /var/lib/php5/sess_8hpvncvd7ahia95bnbe4o5wer7

ls: cannot access /var/lib/php5/sess_8hpvncvd7ahia95bnbe4o5wer7: No such file or directory

At the moment, all of the session ids seem to be false, even mine. But that is not possible. So where are the files?

Answers (3)

2012-10-29

Milena Dimitrova answers:

Hi Lawrence,

Normally in PHP (including Symfony with sfGuardUser plugin and Propel ORM) you can find the session file like this:

echo session_id(); // returns something like hp2i2oabt9jc9fl1mm6mae5la7

echo ini_get('session.save_path'); // returns the location of the session file, e.g. /var/lib/php5/, so the session file is here: /var/lib/php5/sess_hp2i2oabt9jc9fl1mm6mae5la7


The content of the file would contain information such as:

symfony/user/sfUser/lastRequest|i:1351529784;symfony/user/sfUser/authenticated|b:0;symfony/user/sfUser/credentials|a:0:{}symfony/user/sfUser/attributes|a:2:{s:30:"symfony/user/sfUser/attributes";a:8:{s:8:"settings";O:13:"SystemSetting":9:{s:5:"...

Of course you can store any specific data in the session and then you can retrieve or just check if it exists it in the session directory without using PHP.

Hope this helps,

Milena
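
A check of this kind done outside PHP, as an added example (not code from this thread, and in Python rather than the asker's Clojure). It validates the id before building a path and reads the top-level symfony/user/sfUser/authenticated flag instead of trusting that the file exists, since the excerpt above shows a session file holding authenticated|b:0. It assumes PHP's default "php" session serialize handler; check_session, session_vars and SAMPLE are names made up for this example.

```python
import os
import re

# PHP's file handler alphabet; rejects "../" before a path is built (max length assumed).
SESSION_ID_RE = re.compile(r"[A-Za-z0-9,-]{1,128}")
AUTH_KEY = b"symfony/user/sfUser/authenticated"
# Constructed sample: anonymous session whose attribute string imitates the flag.
SAMPLE = (b'symfony/user/sfUser/authenticated|b:0;symfony/user/sfUser/attributes|'
          b'a:1:{s:4:"note";s:38:"symfony/user/sfUser/authenticated|b:1;";}')

def _skip(buf, i):
    """Return the index just past the serialized PHP value starting at buf[i]."""
    t = chr(buf[i])
    if t in "Nbid":                       # N;  b:0;  i:12;  d:1.5;
        return buf.index(b";", i) + 1
    colon = buf.index(b":", i + 2)
    n = int(buf[i + 2:colon])             # byte length or element count
    if t == "s":                          # s:<n>:"<n bytes>";
        return colon + 2 + n + 2
    if t == "O":                          # O:<n>:"<class>":<count>:{...}
        i = colon + 2 + n + 1
        colon = buf.index(b":", i + 1)
        n = int(buf[i + 1:colon])
    elif t != "a":                        # a:<count>:{<key><value>...}
        raise ValueError("unsupported type tag %r" % t)
    i = colon + 2                         # first byte after "{"
    for _ in range(2 * n):                # keys and values alternate
        i = _skip(buf, i)
    return i + 1                          # step over "}"

def session_vars(buf):  # top-level variable name -> raw serialized value
    out, i = {}, 0
    while i < len(buf):
        bar = buf.index(b"|", i)
        i, name = _skip(buf, bar + 1), buf[i:bar]
        out[name] = buf[bar + 1:i]
    return out

def check_session(session_id, save_path="/var/lib/php5"):
    if not SESSION_ID_RE.fullmatch(session_id):
        return "invalid_id"
    try:
        with open(os.path.join(save_path, "sess_" + session_id), "rb") as fh:
            flag = session_vars(fh.read()).get(AUTH_KEY)
    except FileNotFoundError:
        return "missing"                  # expired, regenerated or never issued
    except (ValueError, IndexError):
        return "unparseable"
    return "authenticated" if flag == b"b:1;" else "anonymous"
```

A "missing" result does not prove the id was forged: the file also goes away when the id is regenerated or the session is garbage-collected. The checking process needs read access to the session files, which the listing in the question shows as mode 0600 owned by www-data.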


Lawrence Krubner comments:

I am sorry if I wasn't clear. The application is being written in Clojure, not PHP. But the site is in PHP, and the users create their sessions in PHP. Normally the session id info is stored in:

/var/lib/php5

The file is as you describe.

The Clojure app is sent the session id via Ajax. At that point, it needs to figure out whether the session is real, or whether someone is lying.

I originally wrote this app thinking it would be enough to check and see if the file existed. But I am getting false negatives.

I am thinking perhaps sometimes Symfony stuffs this info into a database? Or the session id changes?


Lawrence Krubner comments:

You write:

" or just check if it exists it in the session directory without using PHP."

That is the part I am having trouble with. In FireFox, I log into a site, and using FireBug I can see the Ajax calls that send my session id to the Clojure app. And at first the Clojure app can find a session file in /var/lib/php5 that matches my session id. But then later the file seems to disappear.


Milena Dimitrova comments:

Regarding this problem: "...at first the Clojure app can find a session file in /var/lib/php5 that matches my session id. But then later the file seems to disappear." Please search in your project if you have any custom authentication-related method that is calling this:

$storage->regenerateID();


Lawrence Krubner comments:

Okay, that is a good thought. I'm searching for anything that restarts the session.

2012-10-29

Martin Palacio answers:

"But then later the file seems to disappear"

Strange behavior. The file is supposed to be deleted when the session_id is regenerated with, say, session_regenerate_id() (I don't know if symfony performs this internally).
So, maybe the cleanest way is to implement your PHP sessions in MySQL instead of plain files (the default).

Moreover, regarding PHP sessions you need to check some session.gc* configuration options...

"Your browser should be sending an Ajax request to the server, with the session id and some other info."

As a side note, if you ask me, I don't like to have my username, profile name "and some other info" to be transferred over plain HTTP through the wire. Just sayin'.


Lawrence Krubner comments:

I agree that the info needs to be hidden. My goal was simply to get the app working this week. Next week I plan to switch to a more secure protocol. I don't like sending anyone's session_id over the plain wire as plain http.


Lawrence Krubner comments:

Hmm, possibly the PHP session times out? Or...

It is hard to imagine where PHP would put the session if not in /var/lib/php5.

Though it occurs to me, I can have the PHP on the server ping the Clojure app directly, and tell it, directly, what PHP session ids are valid.

2012-10-29

Luis Cordova answers:

I think this will bring you close to the answer

http://www.ens.ro/2012/04/26/setting-up-symfony-1-4-and-uploadify-session-id/


Lawrence Krubner comments:

It says:

"Uploadify (currently on version 3.1.0) has the option to send the session name and id to the upload script so you can secure the action handling this in Symfony"

I am already sending the session id without a problem. The problem is that the Clojure app does not always find a file in /var/lib/php5 that matches the session.