Serious Session Problems With Custom Login Area

Hi All,

I am Webmaster of an annual Athletic Competition Website. Part of that Competition Website is an Online Signup where People can sign up their Children for the Competition. The Signup Application is written in PHP, Ajax and JSON. Since originally the website was NON-C5 and I ported it to C5, I also did the transformation for the Signup Application. For last year's Competition, the Signup was a standalone Application not using C5 Structures and just living in a Subfolder, and everything was fine and working correctly.

This February, I transformed the Signup App to be a C5 Package built with Single Pages, MVC, State of the art. At first everything worked fine. People can register and log in to the signup app, and their data gets written into the session like this:

$_SESSION['userdata'] = $row;

where $row is the database query result row being an associative array containing user-id, user-email and so on.

This Session Variable Userdata is used all over the App to get and set Data from and to the Database.
So far so good. On all following single page controllers, within the view Method, I am calling a checkLogin Method within a Helper class to see if the user is logged in; otherwise I redirect back to the login page. Fairly Standard stuff.

So on the next page, the user is able to sign up athletes for the competition and he also sees already signed up athletes, which he signed up in an earlier session.

Here the problems start:
Suddenly users started to see athletes signed up by other users and not their own. The already registered athletes are loaded from the Database with the user-id taken from the session. So it seems to me that the session variables are either not correctly stored on the server or somehow mixed up with different users.
This problem led to users overwriting athletes from other users and got so serious that I had to take down the signup :-(.

Here a summary of the used codes for session handling:

1. Write user data to session
$_SESSION['userdata'] = $row;
with $row being the result of the database call, containing pID, name, prename, email

2. check if the user is logged in on every further page
public function checkLogin(){
    if(isset($_SESSION['userdata']['pID'])){
        return true;
    }
    else{
        return false;
    }
}

3. e.g. Loading already signed up athletes for the user
$pID = $_SESSION['userdata']['pID'];
=> Do database query based on $pID

4. User completes Signup and logout is done
unset($_SESSION['userdata']);
Note: Since C5 is apparently also using the session, I do not destroy it, but only unset the used session variable

There are some more actions based on the pID of the user and it seems to be wrong on several different pages.

Is there something I am obviously doing wrong, or any input you can give me? I have been trying to fix that for several hours, and if it stays a problem, I have to go back to the Solution of not using C5 and make it standalone.

I also read some other forum posts where other users had really weird problems with session handlings and session variables not being correct..

Any help is greatly appreciated.

With best regards
Jan

janwidmer
 
janwidmer replied:
Hi all,

Finally I assume I figured out what the cause of my problems was:

The problem was that the full page cache was turned on globally for all pages. So when the user came to the page and logged in, he never got actual data based on his user id written in a session variable; the page was just loaded from cache containing, I assume, the data from the last cache rebuild, which is either no data or data from another user, if one was logged in and on that page while the cache was rebuilt.

So within the view method of the controller, the data was being loaded correctly based on the user id from the session and then passed to the view, but somehow within the view, the variable was overwritten by content coming from the full page cache.

So it kinda seems, that the full page cache seems to oversteer session variables.

Does that even sound plausible to you guys? Is that maybe a bug or even desired behaviour? It seems pretty weird to me..

Regards Jan

mnakalay replied:
Hi there,
Maybe you need to modify how you save your data in the session.
Right now what you do is save data like so:
$_SESSION['userdata'] = $row;


Maybe (just maybe) it would solve your problem with cache if you added a dynamic element to the session's name, that would be unique to each user. Their uID for instance. So you would have:
$_SESSION['userdata-'.$uID] = $row;

janwidmer replied:
Hi,

The thing is that the values within the session variables always were correct. After loading data based on the user id, the data was written to a property stored on the controller. At the point when it was accessed from the view, the wrong content magically popped up.

Since I cannot really figure out what happens in the background, I will probably just keep full page cache turned off for these pages.

Still it seems weird to me and I wonder how that is handled on other pages where there is content based on user data.

Should it theoretically work to have full page cache enabled and see actual content?

Thanks Jan
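
The failure described in this thread, reduced to a stand-alone PHP sketch (an added example, not code from the posts or from concrete5; FullPageCache, renderAthletes and the sample data are hypothetical): a page cache keyed on the URL alone hands the first visitor's rendered HTML to the next one even though each session holds the right pID, and bypassing the cache for session-dependent output stops that.

```php
<?php
// Added illustration only. FullPageCache and renderAthletes() are hypothetical
// stand-ins, not concrete5 classes; all data below is constructed.

final class FullPageCache
{
    private array $store = [];

    // $personalized must be true whenever the output depends on session data.
    public function serve(string $url, bool $personalized, callable $render): string
    {
        if ($personalized) {
            return $render();                    // never store or reuse per-user output
        }
        return $this->store[$url] ??= $render(); // first render wins for everyone
    }
}

// Same lookup as in the posts: the athlete list is selected by the session's pID.
function renderAthletes(array $session, array $db): string
{
    $pID = $session['userdata']['pID'];
    return 'athletes of pID ' . $pID . ': ' . implode(', ', $db[$pID] ?? []);
}

$db = [1 => ['Anna', 'Ben'], 2 => ['Carla']];    // constructed athlete table
$sessions = [                                    // constructed sessions, both correct
    'parentA' => ['userdata' => ['pID' => 1]],
    'parentB' => ['userdata' => ['pID' => 2]],
];

foreach ([false, true] as $bypassWhenLoggedIn) {
    $cache = new FullPageCache();
    echo $bypassWhenLoggedIn
        ? "Cache bypassed for session-dependent pages:\n"
        : "Cache keyed on the URL only:\n";
    foreach ($sessions as $name => $session) {
        $personalized = $bypassWhenLoggedIn && isset($session['userdata']['pID']);
        $html = $cache->serve(
            '/signup/athletes',
            $personalized,
            fn () => renderAthletes($session, $db)
        );
        echo "  $name (pID {$session['userdata']['pID']}) sees $html\n";
    }
}
```

Run with the PHP CLI (7.4 or later). In the first pass parentB is shown parentA's list although parentB's session still carries pID 2, which matches the symptom reported above.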