I'm struggling with a strange issue that "logs out" users and seems to happen about ten times a day.
The application is an old PHP project. Clients log in; a PHP session is established. Sometimes if a client does nothing for e.g. 2 hours and afterwards sends a new HTTP request, Apache answers with an HTTP 408 error:
1.2.3.4 - - [17/Apr/2020:12:26:30 +0200] "-" 408 3281 "-" "-"
and the user is being sent to the login page and has to enter their login credentials again, losing the data they have filled into a form, etc. I can't really reproduce the issue; in most cases an idle client can send the next request even 5 hours later and doesn't trigger a 408. It seems pretty random and happens for all browsers.
I can only reproduce the 408 error if I manually delete the PHP session file on the server. Also strange is that if I do that, I don't see the 408 in Chrome Developer Toolbar, only in the Apache logs.
The Session timeout is high (72 hours). These parameters are configured:
php_value session.gc_maxlifetime 259200
php_value session.gc_divisor 1
php_value session.gc_probability 1
php_value session.cookie_lifetime 0
Now I've read a lot about KeepAlive, but I think that is not the cause as there is not much traffic on the site. And we're talking about hours in between, not seconds.
Is this a common issue, and can someone point me in the right direction?
EDIT:
session_unset() is unused in the project. session_destroy is only being called when a user logs out. By deleting the session file in /var/lib/php/sessions the user is logged out of course, hence it redirects to login.php. Seems ok to me. So I think the session file is somehow removed.
I also see this in the error.log:
[Fri Apr 17 22:42:32.386978 2020] [:error] [pid 15563] [client 1.2.3.4:55104] PHP Notice: session_start(): ps_files_cleanup_dir: opendir(/var/lib/php/sessions) failed: Permission denied (13) in /var/www/myproject/htdocs/sessionReload.php on line 2, referer: https://myproject/page.php
Line 2 in sessionReload.php is:
session_start();