mahara-contributors team mailing list archive

[Bug 1446036] Re: Session changes in Mahara 15.04 can cause excessively large response headers

 

Having looked through it some more, it looks quite unlikely that PHP is
going to fix this bug. They've closed a couple of bug reports about it,
saying that you shouldn't open and close the session like this anyway,
because it can cause race conditions. Which is true, but based on the
kinds of things we store in the database, I don't think it's a
particularly big danger for us.

I ran some tests and found that every time you call session_start(), it
refreshes $_SESSION with the latest contents from the session store. So,
having asynchronous scripts that write to session in the way we do
(bookended by session_start() and session_write_close()) pretty much
works out.

The only problem is that bug with sessid. I'm looking into a couple of
workarounds. One (hacky) solution would be to use headers_list() and
header_remove() to detect the multiple session headers and remove them.
This would need to be done *before* the headers get sent, so perhaps in
the call to smarty().

Another possibility is to use the SessionHandler class to manually open
and close the session without running session_start():
http://php.net/manual/en/class.sessionhandler.php

The downside to this is that it requires PHP 5.4, so we'd have to raise
our minimum supported version. On the other hand, support for PHP 5.3
ended in August 2014 (and support for 5.4 is ending in September 2015!)
so perhaps it's time we upped our minimum PHP version anyhow.

-- 
https://bugs.launchpad.net/bugs/1446036

Title:
  Session changes in Mahara 15.04 can cause excessively large response
  headers

Status in Mahara ePortfolio:
  Confirmed
Status in Mahara 15.04 series:
  Confirmed
Status in Mahara 15.10 series:
  Confirmed

Bug description:
  For the new Ajax progress bar, Bug 1352028, we changed
  htdocs/auth/session.php so that it closes the PHP session when not in
  use. This was necessary in order to allow multiple requests to the
  same session to process simultaneously; PHP by default locks the
  session between the time you call session_start() and
  session_write_close().

  The downside to this approach, though, is that every time you call
  session_start(), PHP adds a new (duplicate) PHP_SESS_ID cookie to the
  request header. Since we open and close the session every time we call
  $SESSION->set() now, this can lead to a very large cookie header. (See
  https://bugs.php.net/bug.php?id=38104 )

  On our hosting environment, these headers got too large and started
  causing our Nginx proxy server to throw errors while trying to
  initiate an MNet connection. This causes the proxy server to throw a
  500 error, and to log an error like this:

  2015/04/20 14:59:03 [error] 14845#0: *137093286 upstream sent too big header while reading response header from upstream, client: 2404:130:0:1000:61f4:7e47:8a26:821, server: master-mahara.catalystdemo.net.nz, request: "GET /auth/xmlrpc/land.php?token=3acfeeb7cad9814471ec5932fc293b30bbc7e387&idp=http://mnet-moodle.testing.elearning.catalyst.net.nz&wantsurl= HTTP/1.1", upstream: "http://202.78.243.12:9226/auth/xmlrpc/land.php?token=3acfeeb7cad9814471ec5932fc293b30bbc7e387&idp=http://mnet-moodle.testing.elearning.catalyst.net.nz&wantsurl=", host: "master-mahara.catalystdemo.net.nz"

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1446036/+subscriptions
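
A sketch of the headers_list() / header_remove() workaround mentioned in the message above. This is an added example, not Mahara code or code from the bug report; the function names are hypothetical and it assumes PHP 7 or later. Because header_remove('Set-Cookie') drops every cookie header, the other cookies are collected first and re-added, and each surviving line is kept whole so attributes such as HttpOnly and Secure are preserved.

```php
<?php
// Added example, not Mahara code. Function names are hypothetical.

// From raw header lines, return the Set-Cookie values to keep: every
// non-session cookie, plus only the last Set-Cookie for $sessionName.
function dedupe_session_cookies(array $headers, string $sessionName): array
{
    $keep = [];
    $lastSession = null;
    foreach ($headers as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue; // not a cookie header; left untouched by the caller
        }
        $cookie = ltrim(substr($line, strlen('Set-Cookie:')));
        if (strpos($cookie, $sessionName . '=') === 0) {
            $lastSession = $cookie; // later duplicates replace earlier ones
        } else {
            $keep[] = $cookie;
        }
    }
    if ($lastSession !== null) {
        $keep[] = $lastSession;
    }
    return $keep;
}

// Apply to the pending response; must run before any output is sent.
function collapse_session_cookie_headers(): bool
{
    if (headers_sent()) {
        return false; // too late, headers are already on the wire
    }
    $cookies = dedupe_session_cookies(headers_list(), session_name());
    header_remove('Set-Cookie'); // removes all cookies, so re-add survivors
    foreach ($cookies as $cookie) {
        header('Set-Cookie: ' . $cookie, false); // false = append, not replace
    }
    return true;
}

// Constructed sample: three session_start() calls plus one unrelated cookie.
$sample = [
    'Content-Type: text/html',
    'Set-Cookie: PHPSESSID=abc123; path=/',
    'Set-Cookie: lang=en; path=/',
    'Set-Cookie: PHPSESSID=abc123; path=/',
    'Set-Cookie: PHPSESSID=abc123; path=/',
];
print_r(dedupe_session_cookies($sample, 'PHPSESSID'));
```

On the sample, the unrelated cookie and a single session cookie remain. collapse_session_cookie_headers() returns false once output has started, so it has to be called before the first byte of the page is written.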

