Old October 12th, 2004, 07:14   #1
Sundance
 
 
Join Date: Oct 2004
Posts: 67
Session problem behind proxy

Hi all,

Server: Apache/PHP4/Mambo 4.5.1
Client: Mozilla Firefox

Since yesterday I am having a problem with logging into the frontend. It seems the sessions expire too quickly or get lost. Also each refresh on the home page without logging in adds an entry into the session table. So after 9 refreshes Mambo counts 9 guests online.

Sometimes I am lucky and can log in. The user menu shows up. I can access registered content. After a few seconds though I can't anymore and the user menu disappears. Funny thing is Mambo still says that I am online (in Who's Online).

I have configured an automatic proxy configuration file in my browser (here in the office). As soon as I take that out and tunnel through the proxy via a socks client (e-Border) it works fine. At home, where I have a direct connection to the internet it works as well without problems.

I have searched through many forums and found similar problems but not one definite solution. I am sure this issue must be known here in some way.

Can anybody help me?
Is it possible, that something is cached on the proxy server what is necessary to be in the local cache?

Best regards,
Sundance
__________________
They never killed us in Bolivia...
Old October 13th, 2004, 04:12   #2
Sundance
 

Hi again,

After a few more tests I found that if I am behind the proxy the local session cookie is overwritten with a new session ID each time I load the page. It still is valid for 24 hrs but it is a new ID every time.

Is there a different way to handle the sessions, maybe on the web server?

Greetz, Sundance
Old October 13th, 2004, 12:57   #3
Sundance
 
Proxy Farm

Hi again,

I guess I know what's going on. In our corporation (quite big network wise) we are using a proxy server farm. Each http request from any internal client is delivered to one of the proxy servers via a round-robin distribution.

That means that each request might be handled by a different proxy server contacting the web server with a different IP address. So naturally Mambo thinks it is a new client connecting and sends a new session ID. However, it gets back to the same requesting PC - mine.

Does anybody know how to handle the session logic differently, e.g. with session files on the web server itself?

Best regards,
Sundance
Old October 13th, 2004, 13:40   #4
al_stone
 
Join Date: Aug 2004
Location: Bath, England
Posts: 32

With round robin proxy servers, they generally only select a new route if it is a new request and not for existing sessions, so I doubt that is the real issue. I have a very similar problem but it is caused by using a redirect from the DNS target server to another domain but retaining the header information. See www.flowersensationtoo.co.uk. The site is being served from within the harryltd.biz domain.

Like you I get incrementing users but with IE. Firefox works fine.

Hope this sheds some light.
Old October 13th, 2004, 13:46   #5
Sundance
 

Hi Al,
well, then I am quite startled again. Why is it working then as soon as I bypass the proxy servers? Damn, I hate it if I don't know things!

Sundance
Old October 14th, 2004, 08:36   #6
Sundance
 
Fixed it

Hi there,

I believe that I fixed the problem and will describe it here since I think others might run into it as well.

As I said, my client is behind a proxy farm (more than one server) that shares the internet requests by a round-robin method. So each request might reach the Mambo web server with a different source IP address from one of the proxy servers. You can test that by calling phpinfo(), scroll to the 'Environment' section and check the parameters HTTP_VIA and REMOTE_ADDR. If they change now and then after each page refresh you will have the same problem.

The problem itself is basically hand-made by Mambo. I would call it a bug actually. Mambo is using a random number plus the REMOTE_ADDR to create a unique session ID using the md5() function. See mambo.php, line 2071:
Code:
$this->session_id = md5( $randnum . $_SERVER['REMOTE_ADDR'] );
When checking if a session ID has been given to the client Mambo of course decrypts the session ID (taken from the local cookie) with the same method using REMOTE_ADDR. See mambo.php, line 259:
Code:
if ($session->load( md5( $sessioncookie . $_SERVER['REMOTE_ADDR'] ) )) {
Since the request may come from a different proxy server having a different REMOTE_ADDR the comparison to the originally assigned one fails. Voila, you get a new session ID.

Since the creation of the session ID is done via md5() applied to a combination of md5(uniqid( microtime(),1)) and REMOTE_ADDR, one can say that it is already unique even without combining it with REMOTE_ADDR. So for the sake of combining it with an IP address you can also use SERVER_ADDR (which at least will not change).

That is exactly what I have done in mambo.php to solve this problem:

mambo.php, line 259:
Code:
if ($session->load( md5( $sessioncookie . $_SERVER['SERVER_ADDR'] ) )) {
mambo.php, line 2071:
Code:
$this->session_id = md5( $randnum . $_SERVER['SERVER_ADDR'] );
Now, if I am majorly wrong on any of my assumptions or actions here I ask for a veto on your side. Otherwise I am currently a happy camper again. Hope this will help others as well.

Best regards,
Sundance
Old January 8th, 2005, 21:41   #7
persianmind
 
Join Date: Jan 2005
Posts: 2

Thank you very much.

It works for me.
Old March 13th, 2005, 10:08   #8
trickyjoe
 
Join Date: Mar 2005
Posts: 1

where is the mambo.php file (i'm a newbie at this)
Old March 24th, 2005, 08:02   #9
oldfoot
 
Join Date: Jan 2005
Posts: 11

Any solution for 4.5.2?
Old April 17th, 2005, 20:09   #10
gregor
 
Join Date: Apr 2005
Posts: 1
here's for 4.5.2

change line 287

if ($session->load( md5( $sessioncookie . $_SERVER['REMOTE_ADDR'] ) )) {
to
if ($session->load( md5( $sessioncookie . $_SERVER['SERVER_ADDR'] ) )) {

change line 2191

$this->session_id = md5( $randnum . $_SERVER['REMOTE_ADDR'] );
to
$this->session_id = md5( $randnum . $_SERVER['SERVER_ADDR'] );
Old May 5th, 2005, 06:59   #11
eikcam
 
Join Date: May 2005
Posts: 4

Quote:
Originally Posted by gregor
change line 287

if ($session->load( md5( $sessioncookie . $_SERVER['REMOTE_ADDR'] ) )) {
to
if ($session->load( md5( $sessioncookie . $_SERVER['SERVER_ADDR'] ) )) {

change line 2191

$this->session_id = md5( $randnum . $_SERVER['REMOTE_ADDR'] );
to
$this->session_id = md5( $randnum . $_SERVER['SERVER_ADDR'] );
To use the IP of the actual user visiting the site, you could also use HTTP_X_FORWARDED_FOR instead of SERVER_ADDR.

HTTP_X_FORWARDED_FOR will always return the real IP address of the user and not the proxy. Not that it really matters, just thought I'd offer another variant.
eikcam is offline   Reply With Quote
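
A simplified model of the three address choices discussed in this thread (REMOTE_ADDR in the original code, SERVER_ADDR in the fix from post #6, HTTP_X_FORWARDED_FOR suggested in post #11), as an added example that is not Mambo's code or any poster's: the function names, addresses and request list are constructed. It replays requests that all carry one cookie and counts how many of them find the stored session.

```php
<?php
// Added illustration, not Mambo code: a simplified model of the session lookup
// quoted in this thread. Function names and all addresses are constructed.

// Session-table key as in the quoted lines: md5(cookie value . address).
function session_key(string $cookie, string $addr): string {
    return md5($cookie . $addr);
}

// Address a given strategy would mix into the key for one request.
function bind_addr(string $strategy, array $server): string {
    if (!in_array($strategy, ['REMOTE_ADDR', 'SERVER_ADDR', 'HTTP_X_FORWARDED_FOR'], true)) {
        throw new InvalidArgumentException("unknown strategy: $strategy");
    }
    // HTTP_X_FORWARDED_FOR is a request header and may be absent.
    return $server[$strategy] ?? '';
}

// Create a session on the first request, then count how many requests find it.
function replay(string $strategy, array $requests): int {
    $cookie = md5(uniqid(microtime(), true));   // random part, as described in post #6
    $table  = [session_key($cookie, bind_addr($strategy, $requests[0])) => true];
    $hits   = 0;
    foreach ($requests as $server) {
        if (isset($table[session_key($cookie, bind_addr($strategy, $server))])) {
            $hits++;
        }
    }
    return $hits;
}

// Constructed requests, all carrying the same cookie.
$web = '203.0.113.5';
$requests = [
    // One browser reaching the site through three round-robin proxies.
    ['REMOTE_ADDR' => '198.51.100.11', 'SERVER_ADDR' => $web, 'HTTP_X_FORWARDED_FOR' => '10.1.2.3'],
    ['REMOTE_ADDR' => '198.51.100.12', 'SERVER_ADDR' => $web, 'HTTP_X_FORWARDED_FOR' => '10.1.2.3'],
    ['REMOTE_ADDR' => '198.51.100.13', 'SERVER_ADDR' => $web, 'HTTP_X_FORWARDED_FOR' => '10.1.2.3'],
    // Same cookie over a connection outside the proxy farm; the header is sender-supplied.
    ['REMOTE_ADDR' => '192.0.2.77', 'SERVER_ADDR' => $web, 'HTTP_X_FORWARDED_FOR' => '10.1.2.3'],
];

foreach (['REMOTE_ADDR', 'SERVER_ADDR', 'HTTP_X_FORWARDED_FOR'] as $strategy) {
    printf("%-22s %d of %d requests found the session\n",
        $strategy, replay($strategy, $requests), count($requests));
}
```

With these constructed requests, only the REMOTE_ADDR strategy loses the session when the proxy changes. SERVER_ADDR is constant and HTTP_X_FORWARDED_FOR is a request header filled in by the sender or proxy, so with either one the lookup depends on the cookie value alone.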
Old June 4th, 2005, 06:55   #12
eight32
 
Join Date: May 2005
Location: South Africa
Posts: 2

Critical!

Read GRAM's response to this issue:

http://www.mambers.com/showthread.ph...067#post127067
Old July 30th, 2005, 06:59   #13
Ciinien
 
 
Join Date: Jun 2005
Location: Texas
Posts: 14

  • PHP 4.3.9
  • Apache 1.3.33
  • MySQL 4.0.22
  • Mambo 4.5.3
  • SMF 1.1.b3
I'm still having this multiple admin sessions issue. I've tried both the ...($_SERVER['REMOTE_ADDR']) to ...($_SERVER['SERVER_ADDR']) and the fix Gram outlined in his AOL posting. Neither works. In fact, the latter (Gram's posting) logs me into Mambo and then sends me directly to SMF; NOT desired behavior since I have settings in Mambo Admin set up a certain way.

Sometimes Mambo only creates one admin user, sometimes 5, sometimes 2--it's a totally arbitrary thing, but it surely is annoying and I know it should not be happening. I can click on any of the multiple admin, which takes me back to the admin login screen, log in again, and only one user is created that time, so I'm baffled as to what the fix might be.

I certainly hope this gets addressed in future updates/versions.

Cheers!
Ci
__________________
Azeroth Irregulars
*************
"Don't Help! I've fallen and I just don't wanna get up."
All times are GMT -7. The time now is 07:23.