ExpressionEngine CMS
Open, Free, Amazing


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Trouble maintaining user sessions

August 04, 2011 12:58am

  • #1 / Aug 04, 2011 12:58am

    greatbigcircle

    12 posts

    Hello All,

    We’re having problems maintaining a session on a site we’re building. We’ve been working on this for a few weeks so we have lots of supporting information.

    First, the site requires the user to log in and view a few pages of information before submitting information to a webservice. In putting together the XML webservice request, we recall the user’s data including their email address. It is at this point that the indication of a session failure occurs - in some cases, the user information is unavailable and the session appears to be lost.

    The strange thing is that this works in the overwhelming majority of cases, in Chrome, Firefox, Safari and IE, on Mac and PC. The only discernable factor we’ve been able to determine after weeks of testing is that the failure occurs only within the client’s network. The client is looking for an answer, since they believe that if it is happening for them it will happen for others.

    We’ve tried using Cookies Only, Sessions Only, and Sessions and Cookies settings to manage the sessions, with no change in the testing results. The IT department has mentioned a possible cause might be the following, that they hash the cookie referring to the requesting user’s source IP, since they have a multi link for load sharing.

    This is a very large, high profile company and we’d like to get things sorted out for them, so any insight will be appreciated.

  • #2 / Aug 04, 2011 3:13pm

    Kevin Smith

    4784 posts

    Hi greatbigcircle,

    First, thank you so much for an amazingly thorough support request!

    I understand the basic setup you’ve got and the issue you’re running into. I suspect the cause might be that some of the session data is being lost as new information is added to the cookie since a cookie’s limit is 4KB, but I need to know more about the technical side of the multi-page process to be sure. Could you give me some more information about how you’re recalling the user data? How much custom work is being done here? Are there add-ons being used as well?

  • #3 / Aug 04, 2011 4:05pm

    greatbigcircle

    12 posts

    Hey Kevin,

    Thanks also for the speedy response. Site goes live on Monday - <everything>crossed</everything>.

    We’ll get you more data after passing along your request to the IT folks in Taiwan - they’re understandably asleep right now. Meanwhile I can get you a link in to our staging server if you want to see how we’re recalling the data and also the amount of custom work done (it’s really just a handful of PHP templates to us, but, then again, we built it.)

    Give me the OK and I’ll PM you the login info.

  • #4 / Aug 05, 2011 4:48pm

    Kevin Smith

    4784 posts

    For now, let me just wait on an explanation from you (or your IT folks via you) about how your workflow operates. I just need to know what information you’re trying to store for later, how you’re storing it, and then how it’s being retrieved. Just let me know once you’ve got an update!

  • #5 / Aug 05, 2011 9:18pm

    greatbigcircle

    12 posts

    Sure will. It’s not complicated, I’ll get you the information shortly.

    Followup 8/7: Haven’t dropped this, just reeeeeally busy with pre-launch. I’ll get you some info shortly.

  • #6 / Aug 08, 2011 12:56pm

    Kevin Smith

    4784 posts

    No worries. 😊

  • #7 / Aug 19, 2011 4:48pm

    greatbigcircle

    12 posts

    Hello Kevin and All,

    Whew, busy post-launch too. We’re back and would like to offer some further information on this, and a hypothesis of sorts.

    First, on the cookie storage side of the issue - we’ve only used sessions to store the normal user data, i.e., once someone logs in we’re not adding anything to their session data or cookie. I make this distinction because we’ve used both sessions and cookies (and the setting for both) in our testing to see if that change would make a difference - and it hasn’t.

    We literally have people logging in, clicking on a link, and being logged out. How do we know? The symptom of this is that, once logged in, they are trying to click from one page to the next restricted in Access to only the Members group. They are redirected and have to log in again, and now might get a page or two into the process before getting kicked out again.

    So I don’t think our cookie’s data limit is getting exceeded in so short a time, and with no further action on our part to write to it.

    Therefore, here’s my working theory: the one place this issue reliably raises its head is on a corporate network with a load balance setting that is routinely re-assigning IP addresses. IT confirms that this is occurring, and has given us a bit of information I can send you privately there if needed. We believe EE is using this information in tracking the user’s session, even though we have the Admin > Security & Sessions > Require IP Address for Login? and Require IP Address for posting? settings set to No.

    Could it be, we wonder, that EE is still tracking users by IP address and in doing so is using that IP in tracking our client sessions - when the internal network routers reset the user’s IP address, the session would then be lost, the user logged out.

    Or is it something stranger still ???

    I look forward to investigating this further with you and anyone else who’s got some insight.

    And, did I mention that this was happening under our original install of EE 2.2.0, and still occurring on our Production and Staging servers upgraded last week and now running 2.2.2?

    The plot thickens…

  • #8 / Aug 22, 2011 7:40pm

    Dan Decker

    7338 posts

    Hi greatbigcircle,

    Your hypothesis is very sound! There are a couple of other things you can check/add that could resolve this. First it might be that your client’s network traffic is being routed out through a limited number of public IPs, so you could add those to the IP Proxy whitelist via a hidden config variable outlined here. And you might also try setting the value for “Process form data in Secure Mode?” in Admin->Security and Privacy->Security and Sessions to “no”.

    Thank you for providing such thorough information to troubleshoot with!

    Cheers,

  • #9 / Aug 23, 2011 11:58am

    greatbigcircle

    12 posts

    Thanks Dan,

    Good stuff, thanks for the link to the IP Proxy whitelist, that might just be worth a little investigation (and chin-stroking reflection….)

    We’ll investigate and endeavor to be right back once we have more to contribute.

  • #10 / Aug 24, 2011 4:33pm

    Lisa Wess

    20502 posts

    Hi, greatbigcircle -

    How have you come along with those investigations? Curious if those settings have helped.

    Thanks!

  • #11 / Aug 31, 2011 6:17pm

    greatbigcircle

    12 posts

    Hello Lisa and All,

    We’re waiting for internal testing and IP information from our client on this - just wanted to let you know it’s not dead yet, nor on its way back to health for that matter. Once we know more we’ll post it here.

    Thanks again for your wonderful support….

  • #12 / Aug 31, 2011 6:40pm

    Dan Decker

    7338 posts

    Thanks for keeping us posted. We look forward to hearing how this settles out.

    Cheers,

  • #13 / Sep 16, 2011 12:27pm

    Aaron Fowler

    113 posts

    I’m having what I think is the same problem with a client. The client’s network switches between 2 different IP addresses, seemingly randomly and sometimes only minutes apart. Whenever the IP changes, the client is logged out of the control panel. I’m using cookies only for auth and not requiring IPs, but it’s still happening. I even tried adding the two IP addresses to $config['proxy_ips'], but no luck.

    This happens on Windows XP with both Firefox 6 and IE 8. ExpressionEngine version is v2.2.1 - Build: date 20110705. The site is running on a shared Apache/Linux server with PHP 5.2.17. Below are the items I added to the config to try and fix this.

    $config['cookie_domain'] = ".mysite.com";
    $config['cookie_prefix'] = "mysite";
    $config['cookie_path'] = "";
    $config['admin_session_type'] = "c";
    $config['user_session_type'] = "c";
    $config['require_ip_for_login'] = "n";
    $config['require_ip_for_posting'] = "n"; 
    $config['secure_forms'] = "n";

    So, even when configured not to require IP addresses, it seems that EE is still checking them somewhere and logging the user out when it changes. I am getting in touch with their network admin to find out why the IP is changing, but is there any help on the EE side? Right now, the CP is unusable.

    Thanks,
    Aaron

  • #14 / Sep 16, 2011 3:22pm

    Aaron Fowler

    113 posts

    Would trying to use “Session Only” for admin sessions be worth a try?

    UPDATE: nope, didn’t work.

    Just saw that in the exp_sessions table it records the ip_address. Is EE still checking against this even when require_ip_for_login is set to no?

  • #15 / Sep 18, 2011 3:33pm

    Aaron Fowler

    113 posts

    Just confirmed with the client that their traffic is load balanced over 2 lines, hence the IP switching.

    Is there ANY way to turn off this IP check in EE, so that it doesn’t log them out? I have no problem hacking the core if that’s the only way.

    Thank you,
    Aaron
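
A simplified model of the behaviour hypothesised in this thread, added here as an illustration; it is not ExpressionEngine's code and was not posted by any participant. The function name `replay`, the session ids and the request records are hypothetical, and the addresses are constructed documentation addresses. It replays one browser's requests against a session store that matches on session id plus source IP, then on session id alone.

```php
<?php
// Added illustration; a simplified model, not ExpressionEngine's session code.

/**
 * Replay requests against an in-memory session store.
 * $bindToIp = true  : a session matches only if its id AND source IP match.
 * $bindToIp = false : a session matches on its id alone.
 * Returns one result string per request.
 */
function replay(array $requests, $bindToIp)
{
    $store = array();    // session_id => source IP recorded at login
    $results = array();
    foreach ($requests as $r) {
        list($time, $sid, $ip, $action) = $r;
        if ($action === 'login') {
            $store[$sid] = $ip;
            $results[] = "$time $ip login ok";
            continue;
        }
        $known = isset($store[$sid]);
        $ipOk = $known && (!$bindToIp || $store[$sid] === $ip);
        if ($ipOk) {
            $results[] = "$time $ip page ok";
        } else {
            // No matching session: the user is sent back to the login form.
            unset($store[$sid]);
            $results[] = "$time $ip LOGGED OUT";
        }
    }
    return $results;
}

// Constructed sample: one browser whose traffic leaves through two uplinks.
$requests = array(
    array('10:00:00', 'sid-A', '203.0.113.10',  'login'),
    array('10:00:05', 'sid-A', '203.0.113.10',  'page'),
    array('10:00:09', 'sid-A', '198.51.100.20', 'page'),  // uplink switched
    array('10:00:30', 'sid-B', '198.51.100.20', 'login'), // user logs in again
    array('10:00:41', 'sid-B', '198.51.100.20', 'page'),
    array('10:02:10', 'sid-B', '203.0.113.10',  'page'),  // switched back
);

foreach (array(true, false) as $bind) {
    echo $bind ? "IP-bound sessions:\n" : "Session id only:\n";
    foreach (replay($requests, $bind) as $line) {
        echo "  $line\n";
    }
}
```

With IP binding the replay logs the user out at 10:00:09 and again at 10:02:10, the "a page or two, then kicked out" pattern described above; with id-only matching every request succeeds.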
