douzuizhuo0587 2018-02-27 23:51 Acceptance rate: 0%
184 views

PHP 5.6: the same session is assigned to another user (wrong account after login and many other problems)

The system is opencart, but anyway, I describe the condition.

Currently my site has a daily visit of around 500 unique visitors. Some time ago, I started getting complaints that a user has logged in but has seen that she/he has indeed been logged into another user's account. What comes to my mind is that the session id of the victim customer is assigned to the new one. Anyway, what is confusing to me:

1- The number of visitors is not as high as to cause duplication of session IDs.
2- It happened suddenly.

I use Nginx and Apache (nginx as reverse proxy), files session handler and php-fpm. Just to give extra info.

In my php.ini, entropy length is 32 and it is set to use /dev/urandom.

Also, I pasted OpenCart's stupid, simple session.php library file:

class Session {
    public $data = array();
    public function __construct($session_id = '',  $key = 'default') {
        if (!session_id()) {
            // Session id is taken from the cookie (and, since use_only_cookies is Off,
            // also from request parameters); no URL rewriting; cookie is HttpOnly.
            ini_set('session.use_only_cookies', 'Off');
            ini_set('session.use_cookies', 'On');
            ini_set('session.use_trans_sid', 'Off');
            ini_set('session.cookie_httponly', 'On');
            // Reject a cookie value that does not look like a PHP session id.
            if (isset($_COOKIE[session_name()]) && !preg_match('/^[a-zA-Z0-9,\-]{22,40}$/', $_COOKIE[session_name()])) {
                exit();
            }
            // Optionally resume an explicitly given session id.
            if ($session_id) {
                session_id($session_id);
            }
            session_set_cookie_params(0, '/');
            session_start();
        }
        if (!isset($_SESSION[$key])) {
            $_SESSION[$key] = array();
        }
        // $data is a reference into $_SESSION, so writes go straight to the session.
        $this->data =& $_SESSION[$key];
    }
    public function getId() {
        return session_id();
    }
    public function start() {
        return session_start();
    }
    public function destroy() {
        return session_destroy();
    }
}

It has confused me for several days, to no avail.


1 answer

  • duanfan8699 2018-03-07 12:35

    I have found the solution; it might work for future users. The problem had nothing to do with OpenCart, but with PHP's configuration.

    Since I changed PHP's session save path, the default PHP gc (garbage collector) did not work (as documented in the official PHP documentation, if the save path gets changed, you are responsible for cleaning the garbage sessions) and did not clean the sessions. After setting up my own gc (a PHP script which removes the garbage sessions), the problem got solved.

    I wrote a PHP script which checks the last modification date of each session file against the session lifetime (expiration time); if it has passed, the file is removed. The script is scheduled to run every 5 minutes.

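A garbage collector of the kind the answer describes, written as an added example (this is not the answerer's script): it walks the custom session save path, compares each session file's modification time with the configured lifetime and removes expired files. The save path and lifetime below are placeholders for this site's own `session.save_path` and `session.gc_maxlifetime`; the script is written to run on PHP 5.6 under the same user as php-fpm, for example from cron every 5 minutes.

```php
<?php
// Added example, not OpenCart code: expire stale session files of the "files"
// session handler when PHP's own gc does not cover a custom save path.

$savePath    = '/var/lib/php/sessions-opencart'; // placeholder: your session.save_path
$maxLifetime = 1440;                             // placeholder: your session.gc_maxlifetime (seconds)

// Returns the names of the session files it removed.
function expireSessionFiles($savePath, $maxLifetime, $now = null)
{
    if ($now === null) {
        $now = time();
    }
    $removed = array();
    $files = glob(rtrim($savePath, '/') . '/sess_*');
    if ($files === false) {
        return $removed;
    }
    foreach ($files as $file) {
        // Only touch files that look like PHP session files (sess_<id>), so a
        // mistyped save path cannot delete unrelated data.
        if (!preg_match('/^sess_[a-zA-Z0-9,\-]+$/', basename($file))) {
            continue;
        }
        // The files handler rewrites the file each time the session is saved, so
        // a file untouched for longer than the lifetime is an abandoned session.
        $mtime = @filemtime($file);
        if ($mtime === false || ($now - $mtime) <= $maxLifetime) {
            continue;
        }
        if (@unlink($file)) {
            $removed[] = basename($file);
        }
    }
    return $removed;
}

$removed = expireSessionFiles($savePath, $maxLifetime);
error_log(sprintf('session gc: removed %d expired session file(s) from %s',
    count($removed), $savePath));
```

Log the count somewhere you can watch, so you notice if the job stops running and stale sessions start piling up again.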
