
SessionID contains invalid characters in sessions.php


Guest


Posted

We're getting hundreds of lines in our error logs with the following information (IP Address blocked out by me):

 

[Thu Feb 22 14:41:46 2007] [error] [client IP ADDRESS BLOCKED] PHP Warning: session_write_close(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /home/httpd/vhosts/tellico4x4.com/httpdocs/includes/functions/sessions.php on line 106 
[Thu Feb 22 14:41:46 2007] [error] [client IP ADDRESS BLOCKED] PHP Warning: session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/home/httpd/vhosts/tellico4x4.com/tmp) in /home/httpd/vhosts/tellico4x4.com/httpdocs/includes/functions/sessions.php on line 106 

 

Here's what I know:

  • We have multiple sites. This error is not happening on all of them. I've compared the code for the sessions.php file with the other sites' files and there are no differences. Two of the sites are having this problem. They're all on the same server, though. When it occurs, it slows them all down to a dead crawl.

  • These errors come in bursts of 15 minutes to an hour and then leave.

  • The IP address is the same throughout one of these "events", but different the next time it occurs. I've done whois searches on most of the IP addresses and they're usually something generic like Comcast or Hughes or something. One of them was an IP address for an attorney's website.

I've tried doing a search in here and I didn't find any results with this topic, but have any of you had a problem like this and have any idea on what the problem might be?
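An added example, not part of the original post or of osCommerce: a Python sketch that groups the "session id contains invalid characters" warnings by client address, to confirm the one-client-per-burst pattern described above. The sample lines are constructed (documentation-range addresses, placeholder path), and the 5-minute gap and 3-hit threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the error-log format quoted in the post. Client
# addresses are documentation-range placeholders; the path is a placeholder.
WARNING = ("PHP Warning: session_write_close(): The session id contains invalid "
           "characters, valid characters are only a-z, A-Z and 0-9 in "
           "/path/to/includes/functions/sessions.php on line 106")
SAMPLE_LOG = "\n".join(
    f"[{ts}] [error] [client {ip}] {WARNING}" for ts, ip in [
        ("Thu Feb 22 14:41:46 2007", "192.0.2.10"),
        ("Thu Feb 22 14:41:50 2007", "192.0.2.10"),
        ("Thu Feb 22 14:43:02 2007", "192.0.2.10"),
        ("Thu Feb 22 14:44:10 2007", "198.51.100.7"),  # single stray hit
        ("Fri Feb 23 09:15:00 2007", "203.0.113.5"),
        ("Fri Feb 23 09:15:01 2007", "203.0.113.5"),
        ("Fri Feb 23 09:18:30 2007", "203.0.113.5"),
        ("Fri Feb 23 09:40:00 2007", "203.0.113.5"),   # after a long pause
    ])

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
                     r".*session id contains invalid characters")

def find_bursts(log_text, gap=timedelta(minutes=5), min_hits=3):
    """Return (ip, first_seen, last_seen, hits) for each per-client burst.

    A burst is a run of warnings from one client with no pause longer than
    `gap`; runs shorter than `min_hits` are dropped as noise.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m["ip"]].append(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"))
    bursts = []
    for ip, stamps in hits.items():
        stamps.sort()
        run = [stamps[0]]
        for ts in stamps[1:]:
            if ts - run[-1] > gap:          # pause too long: close the run
                if len(run) >= min_hits:
                    bursts.append((ip, run[0], run[-1], len(run)))
                run = []
            run.append(ts)
        if len(run) >= min_hits:
            bursts.append((ip, run[0], run[-1], len(run)))
    return sorted(bursts, key=lambda b: b[1])

if __name__ == "__main__":
    for ip, first, last, n in find_bursts(SAMPLE_LOG):
        print(f"{ip}: {n} warnings between {first} and {last}")
```

The first and last timestamps of each burst can be matched against the access log for the same client to see which osCsid values those requests carried.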

Posted

Hi Nancy - where are you seeing this error? In the Apache logs?

Have you talked to your host about this?

I'm sure this is a PHP and server setup issue - although it may be the way that OSC is writing it.

What version of PHP is running on your box?

I would recommend changing your sessions to write to the mysql database. You can change this in your /includes/configure.php file.

Or - you can change your path in the configuration under: My Store --> Config --> Sessions

You are writing to the /tmp dir which is fine if you are running your own server - but if you are on a shared server, then you (need to) create a directory under your own path to store the files.

Log in using your FTP client, navigate to something like: public_html/catalog/ and then click 'Mkdir' to make a directory under the catalog. If you call it MySessions, then go back into the admin panel in OSC and update the path.

I would write the entire path to the configuration like this:

/home/httpd/vhosts/tellico4x4.com/public_html/catalog/MySessions/

You'll need to chmod this directory as well I'm sure - try 644, but it may require 664

 

hth - post back if you have any questions,

 

Corrina

Posted

Well, this was the most promising bit of info I dug up in my searching... This is in a message thread on the same kind of topic posted on usenet, and a reply from someone at php.net:

 

Something (possibly mod_deflate) corrupted the session. More than likely some user tried to pass invalid session or some remote proxy corrupted it. PHP's session handler correctly returned an error due to the session containing invalid characters.

 

So possibly, they're coming from some kind of proxy at their work or something that's maybe corrupting the session_id string? Other than that, no clue...

Richard Lindsey

Posted

Thanks Corrina.

 

Yes, I am seeing the errors in the apache logs.

 

Server OS: Linux 2.4.20-021stab028.17.777-enterprise

Database: MySQL 4.0.21

HTTP Server: Apache/2.0.50 (Fedora)

PHP Version: 4.4.1 (Zend: 1.3.0)

 

I apologize for not knowing specifically how to tell you that we're set up, as I am not much of a server / database person. I do know, however, that our session ids are being written to the database. We have actually installed the mall approach where we have multiple stores accessing the same database. We have two servers (one for web files and one for database) that are only ours, colocated with our hosting company. We've been up and running in this format for years and have had relatively few problems. This particular error is occurring on two of our websites, while the remaining sites appear to be fine, other than slowing down when the others are getting these errors.

 

We're currently going over any changes that we have done this week to any of the particular files, though none of them are jumping out to me as a possible cause for this. I'll continue to look over every change, but my gut keeps telling me that maybe our database table that holds the session ids is corrupt or something. Could that be possible?

Posted
Thanks Corrina.

I do know, however, that our session ids are being written to the database.

 

Are you sure about this ? According to this line the sessions are being written to the /tmp directory :

Please verify that the current setting of session.save_path is correct (/home/httpd/vhosts/tellico4x4.com/tmp)

If you are storing to the db, your includes/configure.php file should say:

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

 

 

I'll continue to look over every change, but my gut keeps telling me that maybe our database table that holds the session ids is corrupt or something. Could that be possible?

 

To be honest - I just don't know. You could try running a repair table on the sessions table using phpMyAdmin, in the SQL window:

repair table sessions

 

http://www.hmailserver.com/documentation/?...to_repair_mysql

However - normally you would get an error to this effect from the browser.

Does the address bar in the browser include the invalid characters that it doesn't like? Something like this:

/?osCsid=c6598c4eb2a34...

or even something like this :

/?PHPSESSID=?cPath=22

 

 

What do you have in the sessions config on this page :

http://demo.opensourcecms.com/oscommerce/a...e9153fad6a21761

 

Corrina

Posted

Thank you also, Richard for your reply. What puzzles me still is that this just started happening yesterday, it only does it periodically with no real pattern and it is several different IP addresses.

 

Playing on your suggestion, though, could one of those proxies have corrupted my table so that it is continuing to affect other visitors, or do you think that would have ended when that particular customer left?

Posted
Are you sure about this ? According to this line the sessions are being written to the /tmp directory :

Please verify that the current setting of session.save_path is correct (/home/httpd/vhosts/tellico4x4.com/tmp)

If you are storing to the db, your includes/configure.php file should say:

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

Well, I am puzzled now. My configure file does say:

define('STORE_SESSIONS', ''); // leave empty '' for default handler or set to 'mysql'

 

I've looked back over the configure files on the other sites (which are not getting these errors) and they're all listed the same way. In my database, I do have a table called sessions which is being written to. I've looked at it a few times today and it has been different each time.

 

Does the address bar in the browser include the invalid characters that it doesn't like? Something like this:

/?osCsid=c6598c4eb2a34...

or even something like this :

/?PHPSESSID=?cPath=22

Someone did a mod for us a couple of years back where the osCsid would not show up when you initially go to our site, it would show up on the first link that was clicked on, but after that, it wouldn't show up any longer. Sometimes, for me, it doesn't show up at all. When it does show up, it looks like this:

http://www.rubicon4x4.com/index.php?cPath=...9627e938e5ab5d8

 

If someone has linked to something on our website and maybe copied the entire link, including the osCsid, would we get an error like this when someone clicked on that link?

 

What do you have in the sessions config on this page :

http://demo.opensourcecms.com/oscommerce/a...e9153fad6a21761

 

And still, further puzzled because we have this set to:

/home/httpd/vhosts/tellico4x4.com/tmp

 

As I checked the other stores in our mall, they are each set to that same url, except for the different domains, of course.

 

This is why I've been so confused. Everything is the same across the board... very uniform, yet only two sites just magically started having the problems. Things seem to be going better today, so maybe the last couple of days were an isolated incident or something, but I'm going to read about repairing that table, just in case.

Posted
Thank you also, Richard for your reply. What puzzles me still is that this just started happening yesterday, it only does it periodically with no real pattern and it is several different IP addresses.

 

Playing on your suggestion, though, could one of those proxies have corrupted my table so that it is continuing to affect other visitors, or do you think that would have ended when that particular customer left?

I don't think one of those proxies could have corrupted your table... I think what it means is that as the URLs and data are handed back and forth between their desk and your site, it's somehow corrupting the URL string by adding in an extra character or something, or just plain mangling that sid value... As for trying to repair the database table, I don't think that will do you any good, as you didn't seem to be using the database, at least as far as oscommerce was concerned... Here's a question for you, do all of your various mall stores point to a common database with a central catalog and whatnot? If so, this could be why you were seeing the session table update even though you had that store set to store the files on the disk... If some of your other stores are set to store in the db, and it's a common db, that would be their entries being updated while this problem store is still writing to the disk... I did find a number of these problems when I did a search on that error text you posted, and they nearly all seemed to be oscommerce sites... Even that newsgroup posting I pulled that response from in my first post said he was running an oscommerce store, although I think it was some kind of derivative store, I think he said something like (well, xt:oscommerce) or something...

 

Richard.

Richard Lindsey

Archived

This topic is now archived and is closed to further replies.
