php symfony caching symfony-1.4 sfguard

Symfony 1.4 Mistakenly Attributing sf_user for Fresh Sessions


I'm running into a strange (and very sporadic) issue with Symfony 1.4. Specifically, my Symfony application (on very rare occasions) shows fresh sessions as logged into my application, even though they aren't.

I use the following code in my header to check to see if the session is from a logged-in user. If it is, we show them a greeting message and invite them to login:

<?php if ($sf_user->isAuthenticated()) { ?>
  <div class="btn">
    Welcome back, <?php echo $sf_user->getProfile()->getFirstName(); ?>
  </div>
<?php } ?>

However, sometimes a new session will display a welcome message from a random user from our system. Just recently, someone loaded a fresh session and was presented with a "Welcome" message for someone else in our system.

Important note: This is the first time this has happened. I cannot reproduce the issue after trying 40+ browsers and locations.

We are using Symfony 1.4 with the sfGuard authentication that ships with Symfony.

Strangely, though the above code shows that the session comes from a logged in user, the user is not given any other login permissions.

Any help would be greatly appreciated.


Solution

  • We had a very similar problem. Setting session.hash_function to a stronger hash function helped us:

    session.hash_function = "sha256"
    

    Details

    Due to rather high visit numbers and short session lifetime, sessions were often regenerated (i.e. new session id generated).

    It seems that this sometimes caused a session ID collision: two different users got the same session ID. That made one of the users see the page as if she were logged in as another user.

    Needless to say, it was damn hard to debug. We were just trying different things to fix or reproduce the issue with no luck. Setting session.hash_function to sha256 made the issue disappear (no new cases were reported for more than a year).

    Note on pre PHP 7.1.0

    They recommend setting session.hash_function to sha256 on the official PHP doc page: http://php.net/manual/en/session.security.ini.php

    Note on PHP 7.1.0

    The session.hash_function setting was removed in PHP 7.1.0. It's using a strong function by default now.
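
The following is an added example, not part of the original answer: a small PHP audit that reports whether an interpreter still generates session IDs with MD5 or SHA-1 (before 7.1.0) or with a short ID (7.1.0 and later). The function name `audit_session_id_config()` and the 128-bit floor are assumptions of this sketch, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the original answer. Runs on PHP 5.4 and later.
// audit_session_id_config() and the 128-bit floor are assumptions of this sketch.
function audit_session_id_config($phpVersion, array $ini)
{
    // Treat unset, false (ini_get() on an unknown key) and '' as "use the default".
    $val = function ($key, $default) use ($ini) {
        $set = isset($ini[$key]) && $ini[$key] !== false && $ini[$key] !== '';
        return $set ? strtolower(trim((string) $ini[$key])) : $default;
    };
    $findings = array();

    if (version_compare($phpVersion, '7.1.0', '<')) {
        // Before 7.1.0: "0" selects MD5 (the default), "1" selects SHA-1,
        // anything else is a hash algorithm name such as "sha256".
        $hash = $val('session.hash_function', '0');
        if (in_array($hash, array('0', '1', 'md5', 'sha1'), true)) {
            $findings[] = "session.hash_function is '$hash'; set it to sha256";
        }
        return $findings;
    }

    // From 7.1.0 the setting is gone; the ID is sid_length characters,
    // each carrying sid_bits_per_character bits (defaults 32 and 4).
    $bits = (int) $val('session.sid_length', '32')
          * (int) $val('session.sid_bits_per_character', '4');
    if ($bits < 128) {
        $findings[] = "session ID carries $bits bits; raise session.sid_length";
    }
    return $findings;
}

// Constructed sample inputs, followed by this interpreter's live settings.
$keys = array('session.hash_function', 'session.sid_length', 'session.sid_bits_per_character');
$cases = array(
    array('5.6.40', array('session.hash_function' => '0')),
    array('5.6.40', array('session.hash_function' => 'sha256')),
    array('7.4.33', array('session.sid_length' => '22')),
    array(PHP_VERSION, array_combine($keys, array_map('ini_get', $keys))),
);
foreach ($cases as $case) {
    $found = audit_session_id_config($case[0], $case[1]);
    echo $case[0], ': ', $found ? implode('; ', $found) : 'ok', "\n";
}
```

Run it with the same SAPI that serves the application (for example through the web server rather than the CLI), since each SAPI can load a different php.ini.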