Session_ID Problem

Resolved dfreeman33
(@dfreeman33)

8 years, 10 months ago

After updating to Memphis Docs 3.6.21 we started having problems with the sessions being duplicated among users.

The PHPSESSID cookie was being set to the same value for all users both authenticated and anonymous. This was causing issues in several areas of our site where we use the session ID.

It appears that the 3.6.21 Memphis Docs is setting a MDOCS_SESSION_ID that is a hard coded (static) value. Somehow this MDOCS_SESSION_ID is making it’s way to the the PHPSESSID.

Any particular reason for this? I’ve had to disable the plugin for now until we can get a fix in.

Viewing 10 replies - 1 through 10 (of 10 total)

Plugin Author bhaldie
(@bhaldie)

8 years, 10 months ago

Im not sure how session data can be passed from one computer to an other, Session are cookie based per computer an unless you are sharing computers there shouldn’t be an issue.

That being said you can disable session from the setting menu if it does not meet your sites requirements. It is not critical that session run with mdocs.
Thread Starter dfreeman33
(@dfreeman33)

8 years, 10 months ago
In the memphis-documents.php file on line 30 you hard coded a MDOCS_SESSION_ID to a static value. Then in the mdocs-functions.php you assignthe php variable “session_id” to the MDOCS_SESSION_ID.

On our website one of the issues it’s caused is that we have a session based shopping cart that stores data in a table with the PHP session_id as one of the identifiers. When everyone is sharing the same session_id then everyone sees the exact same contents of the cart.
- This reply was modified 8 years, 10 months ago by dfreeman33. Reason: spelling
Plugin Author bhaldie
(@bhaldie)

8 years, 10 months ago

Did you try to disable session from the setting menu? Goto Options > Setting > Disable Sessions this should to mdocs from creating session.

Thread Starter dfreeman33
(@dfreeman33)

8 years, 10 months ago

I guess my question is: Is there a reason you’re hard coding a static MDOCS_SESSION_ID instead of using a randomly generated?

Thread Starter dfreeman33
(@dfreeman33)

8 years, 10 months ago

I did disable sessions and that seems to have stopped the problem.

Plugin Author bhaldie
(@bhaldie)

8 years, 10 months ago

My idea was to create a unique session specially for mdocs. I’m taking a look at my code right now I may have to end up just restoring the old way of doing things if it is causing issue.

Thread Starter dfreeman33
(@dfreeman33)

8 years, 10 months ago

Thanks for the quick responses!
Plugin Author bhaldie
(@bhaldie)

8 years, 10 months ago
if you want the old code is still in the session function you could comment out the new code and uncomment out the old code to go back to how it was before version 3.6.21

The file is mdocs-functions.php and the function is mdocs_nonce():
```
if(get_option('mdocs-disable-sessions') == false) {
		session_id(MDOCS_SESSION_ID);
		session_start();
		if(isset($_SESSION['mdocs-nonce'])) define('MDOCS_NONCE',$_SESSION['mdocs-nonce']);
		if(!isset($_SESSION['mdocs-nonce']) || isset($_REQUEST['mdocs-nonce'])) $_SESSION['mdocs-nonce'] = md5(rand(0,1000000));
		session_write_close();
	} else {
		define('MDOCS_NONCE', md5(rand(0,1000000)));
		$_SESSION['mdocs-nonce'] = null;
	}
	/*
	if(!session_id()) {
		session_start();
		//session_start([ 'mdocs-nonce' => md5(rand(0,1000000))]);
	}
	if(get_option('mdocs-disable-sessions') == false) {
		if(isset($_SESSION['mdocs-nonce'])) define('MDOCS_NONCE',$_SESSION['mdocs-nonce']);
		if(!isset($_SESSION['mdocs-nonce']) || isset($_REQUEST['mdocs-nonce'])) $_SESSION['mdocs-nonce'] = md5(rand(0,1000000));
	} else {
		define('MDOCS_NONCE', md5(rand(0,1000000)));
		$_SESSION['mdocs-nonce'] = null;
	}
	*/
```
- This reply was modified 8 years, 10 months ago by bhaldie.
Thread Starter dfreeman33
(@dfreeman33)

8 years, 10 months ago

I’m going to run it as is for now and just leave the sessions disabled in the settings to see how things run. Unless you think that’s a bad idea…

Plugin Author bhaldie
(@bhaldie)

8 years, 10 months ago

You should be fine. The only reason session are using in mdocs is for admin functionality.

It only allows one button press for upload/delete/edit. Basically it doesn’t allow admins to spam the upload button over and over again.

Viewing 10 replies - 1 through 10 (of 10 total)

The topic ‘Session_ID Problem’ is closed to new replies.