mahara-contributors team mailing list archive

[Aaron Wells <1446036@xxxxxxxxxxxxxxxxxx>]

So, after that patch was added, most pages in Mahara only add one or two
copies of the session cookie to the header. Admin section pages add at
least 5, perhaps because of all the checking to make sure you're an
admin.

The Mnet landing page adds 102 copies of the session cookie! That's over
7000 characters, 7KB. This is indeed a bit larger than you'd expect an
HTTP response header to be.

I'm going to have to look into some way to mitigate this. There are two
main possibilities:

1. Find some workaround to the PHP bug that causes PHP to send a
duplicate copy of the session header every time you do session_start()

2. OR, stop switching the session on and off when there is no need to do
so. The reason we do that, is so that JSON scripts can run
asynchronously, without having to wait for other scripts to finish using
the session. But there are other possibilities, like asking developers
to manually close the session if they're expecting to use AJAX.

3. OR, reduce the number of times we open & close the PHP session.
Currently, we open/close it each time we do $SESSION->set(),
$SESSION->unset(), $SESSION->clear(), or write messages to the logs.
It's unclear which of these the MNet is doing so much of (I'll need to
add some additional logging to check on that), but perhaps we could do
bulk writes, and/or put the log messages into a DB table instead of the
session.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1446036

Title:
  Session changes in Mahara 15.04 can cause excessively large response
  headers

Status in Mahara ePortfolio:
  Confirmed
Status in Mahara 15.04 series:
  Confirmed
Status in Mahara 15.10 series:
  Confirmed

Bug description:
  For the new Ajax progress bar, Bug 1352028, we changed
  htdocs/auth/session.php so that it closes the PHP session when not in
  use. This was necessary in order to allow multiple requests to the
  same session to process simultaneously; PHP by default locks the
  session between the time you call session_start() and
  session_write_close().

  The downside to this approach, though, is that every time you call
  session_start(), PHP adds a new (duplicate) PHP_SESS_ID cookie to the
  request header. Since we open and close the session every time we call
  $SESSION->set() now, this can lead to a very large cookie header.

  On our hosting environment, these headers got too large and started
  causing our Nginx proxy server to throw errors while trying to
  initiate an MNet connection. This causes the proxy server to throw a
  500 error, and to log an error like this:

  2015/04/20 14:59:03 [error] 14845#0: *137093286 upstream sent too big
  header while reading response header from upstream, client:
  2404:130:0:1000:61f4:7e47:8a26:821, server: master-
  mahara.catalystdemo.net.nz, request: "GET
  /auth/xmlrpc/land.php?token=3acfeeb7cad9814471ec5932fc293b30bbc7e387&idp=http
  ://mnet-moodle.testing.elearning.catalyst.net.nz&wantsurl= HTTP/1.1",
  upstream:
  "http://202.78.243.12:9226/auth/xmlrpc/land.php?token=3acfeeb7cad9814471ec5932fc293b30bbc7e387&idp=http
  ://mnet-moodle.testing.elearning.catalyst.net.nz&wantsurl=", host:
  "master-mahara.catalystdemo.net.nz"

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1446036/+subscriptions