I was able to resolve this issue by modifying session.php
(concrete/startup/session.php).

I added a "session_destroy()" just after the first line of code.

I think this issue has something to do with server configurations
where "session.auto_start" is on.

Everything works fine now. (no access issues, auto logouts or missing
files after upload)

This is just a hack, but I think it points to an issue.

Ok - I'll explain what we're doing in regards to session.

We typically start session in startup/session.php, as you've seen. However, when uploading files, we rely on the flash uploader to pass the session ID through flash. This is because the flash uploader doesn't use the same session cookie as your browser. If we don't pass the session through and use that session ID in the uploader, then the permissions calls that we make to check whether a user is actually uploading a valid file, has permissions to upload, etc...won't work - because the script won't think that user's logged in.

So by destroying session - I'm not sure HOW uploading is working. I'm sure session might auto start correctly - but how is it sharing the same session ID and authorization between your browser and the uploader?

(One last question - which browser are you using? I've heard that possibly Internet Explorer and flash WILL share the same cookies, due to the way that IE is setup on Windows - but I haven't been able to verify this for myself.)

I came about the solution after looking at my servers error log. I kept seeing the following lines.

[Mon Nov 10 08:24:20 2008] [error] [client 216.39.58.78] PHP Warning: ini_set() [<a href='function.ini-set'>function.ini-set</a>]: A session is active. You cannot change the session module's ini settings at this time. in /home/virtual/site49/fst/var/www/html/devsite/concrete/startup/session.php on line 19

[Mon Nov 10 08:24:20 2008] [error] [client 216.39.58.78] PHP Notice: A session had already been started - ignoring session_start() in /home/virtual/site49/fst/var/www/html/devsite/concrete/startup/session.php on line 30

After I added the session_destroy function the messages disappeared?

I am using FF and Safari on an intel mac. Our webserver is running UNIX and Apache (2.0) PHP 5.1.6) under an ensim control panel.

Below are the PHP/Server session vars.

session
Session Support enabled
Registered save handlers files user
Registered serializer handlers php php_binary wddx

Directive Local Value Master Value
session.auto_start On On
session.bug_compat_42 Off Off
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 5 5
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /tmp /tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid 0 0

Same problem. The work Around did not workend.

I just installed concrete on another site and the session_destroy() fix was needed again. As before it solved the issue, and I have not noticed any side-effects?

I can´t!

I tried several times, re-install several times and nothing.

How can I upload new images?

Thanks!

I'm getting the same problem on a site I've just set up to have a play with, has anyone managed to figure out how to fix this?

Edit:
Just seen the thread on sourceforge related to this, sounds like it's related to suhosin. So now I need to find out how I can get round this. I've put in a standard upload form as a workaround for now.