We are facing very odd session issue since last month where multiple users are getting same session ID. Previously, all should be working fine as we never received complains from user or noticed such thing.
We received complains from some of our users. As per them, their account had suddenly switched to another user account on our website and they had gained access to the another user account.
We don’t have any recent update in server or code base which could have caused this issue and we also tried to produce this issue in production with test account but we are not able to reproduce it.
Few point related to this issue:-
-
We are using Memecache to store session and PHP version is
5.3.3
. -
Traffic on our site is very nominal (not exceeded more than few hundred requests per minute) and so we dont doubt session_id() gets duplicated.
-
Our current cache control header
"no-store, no-cache, must-revalidate, post-check=0, pre-check=0"
is already informing client to not cache anything. So as per our understanding, it should not be anything related to cache.
4. As per our debugging, we can see that, somehow session values of User-1 is getting overwritten by the data of User-2. So it looks that, User-2 never see any problem in his account, but User-1 is able to see the account of User-2. Also, we can see that User-2 is consistently active on the service.
Can anyone help us finding the reason?
2
Answers
Please be more elaborate about the session variables , means how you are assigning the values and at which point of time you are assigning the values . What we think that in the middle of a process your session variable is getting reset with another record by mistake . But nothing can be said properly right now , please let us have a look at your session variables first .
If you are generating session_id with your loggedin user_id, concatenate current time_stamp to that session_id. If you are generating normal session id with some random text or numbers, there might be a possibility of mixing up sessions.