MySQL session handler problems - PHP bug and more

Mike Baptiste baptiste@cc-concepts.com
Sun, 10 Mar 2002 15:39:09 -0500 

I've got Horde 2.0, IMP 3.0, and Turba 1.0 running on Linux with PHP 
4.1.2 and it works well.  However, in anticipation of our load, I was 
trying to get MySQL session handling working.

I settled on a pear based handler (http://pearsession.sf.net) which 
seemed clean and well written.  However, everytime I logout, I get a 
blank page until I click reload.

I've have spent most of today debugging this issue and felt I'd share my 
findings as this is broken and I've still been unable to fix it.

OK - First I found this post 
(http://marc.theaimsgroup.com/?l=imp&m=101429198728711&w=2) from James 
Noyes and the reply from Henry Blackman 
(http://marc.theaimsgroup.com/?l=imp&m=101429244430003&w=2)

James talks about the very same problem I'm having.  James is on to 
something.  The session start in imp/login.php after the session_destroy 
is hanging every time, resulting in the blank page.  Henry mentioned it 
could be a problem with the session handler. I checked the one I'm used 
and it DOES return '' if the sessionid has no data.  I could not find 
any problem with the handler.  I even switched it from deleteing the 
session record to simply setting the data field to '', this did not help.

My error logs show this after the logout:
[Sun Mar 10 15:16:29 2002] [error] PHP Warning:  Constant sid already 
defined in /home/secure/public_html/horde/lib/Prefs.php on line 91
[Sun Mar 10 15:16:29 2002] [error] PHP Fatal error:  Failed to 
initialize session module in 
/home/secure/public_html/horde/lib/Prefs.php on line 91
[Sun Mar 10 15:16:29 2002] [error] PHP Warning:  Failed to write session 
data (user). Please verify that the current setting of session.save_path 
is correct (mysql://phpsess:xxxxxxx@localhost/php_sessions) in Unknown 
on line 0 (pw removed on purpose)

So I poked around the PHP site some to try and gain some insight and 
came across this comment and PHP bug:

leomaciel@kmail.com.br
28-Jan-2002 07:47

Please note that you can NOT session_destroy() and session_register() in
the same request.

If you do this you'll get the error message 'Constant sid already
defined'.

This bug has been reported on June 
2001(http://bugs.php.net/bug.php?id=11643)
and by the time of this posting was not closed yet.

The bug is unresolved, but this is what IMP is doing.  It is destroying 
the session data and then calling session_start

Of course I commented out the session_start and it still hung on the 
next session_register (which does an implied session_start)  No surprise 
there.

I also noticed in big letters on the session-register pages warnings 
about using session_register and the HTTP_SESSION_VARS:

Caution

If you are using $HTTP_SESSION_VARS/$_SESSION, do not use 
session_register(), session_is_registered() and session_unregister().

I'm not very familiar with the horde code, but use PHP a lot and it 
seems that horde/imp is using the session_var array as well as the 
session_register/unregister.

The session_unregister page also mentions this:

Note:  If $_SESSION (or $HTTP_SESSION_VARS for PHP 4.0.6 or less) is 
used, use unset() to unregister a session variable.

Of course the pages don't say WHY this is a problem os I"m not 100% sure 
this is related.  However....

The login.php program seems to do both:

         $HTTP_SESSION_VARS['imp'] = null;
         session_unregister('imp');

         if ($registry->getMethod('auth/logout') == $registry->getApp()) {
             include_once HORDE_BASE . '/lib/Auth.php';
             Auth::clearAuth();
             session_destroy();
             @session_start();

though it sets the variable to null before unregistering (instead of 
unsetting)

So right now I'm totally stuck.  Using file handler - no problem.  It 
seems that this is a PHP bug/problem, but I'm trying to come up with a 
temporary workaround in IMP/Horde until PHP is fixed.

I realize others are using sql handlers and not having this problem.  So 
I'm a big confused as to why they are getting away from it.

Anyone out there have some ideas on what direction I can go next?  Am I 
chasing a red herring with the above bug report and manual comments? 
I've used debug error logs and execution is absolutely hanging in the 
session_start after the session_destroy.  I'm playign around with 
replacing the various session registers and unregisters wiht explicit 
unsets and HTTP_SESSION_VAR sets.  I'll post any more updates if I get 
any farther.

Mike