  1. eZ Publish / Platform
  2. EZP-17702

tc-409 (ez Sessions on Oracle env) Refreshing frontpage generates a session

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Medium
    • Resolution: Cannot Reproduce
    • Affects Version/s: 4.4.0
    • Fix Version/s: QA tracked issues
    • Component/s: Misc
    • Labels:
      None

      Description

      Hi,

      In an Oracle environment, refreshing the frontpage generates a session.
      This happens independently of having the session handler pointing to DB or to a file.

      Steps to reproduce

      Test repeated and failed:
      - Set sessions to file or DB
      - Set debug off
      - Delete sessions
      - Enter frontpage on "private browsing" on Firefox as anonymous
      - Verify that *NO* session is created
      - Enter frontpage again or refresh frontpage
      - A session was created and it shouldn't have been
      

        Activity

        Gaetano Giunta added a comment -

        Can you be more precise:

        • how do you count sessions if session handler is set to 'file'?
        • what is the impact of Firefox's 'private browsing' setting on this? Does it also happen in normal usage?
        Paulo Cardiga added a comment -

        >- how do you count sessions if session handler is set to 'file'?

        • The session files are the sess* files stored in /tmp. This folder is defined in php.ini. At the start of the test, the session files are deleted. Before refreshing, they are deleted again and it is verified that no sess* file exists.

        >- what is the impact of Firefox's 'private browsing' setting on this? Does it also happen in normal usage?
        The 'private browsing' on Firefox is to be sure all cookies, cache, ... are not affecting the test. If we do the same test cleaning all cookies, cache, ..., the problem still occurs.

        Additional note: This behaviour is not happening on eZFS handler.
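
The reproduce steps and the sess* file count described above can be scripted so the check is repeatable. This is an added example, not part of the ticket or of eZ Publish; the "SESSID" cookie-name match and the `probe` / `session_started` helper names are assumptions made for illustration.

```python
import glob
import os
import urllib.request
from http.cookies import SimpleCookie


def session_files(save_path):
    """Names of the sess_* files PHP's file handler keeps in session.save_path."""
    return {os.path.basename(p) for p in glob.glob(os.path.join(save_path, "sess_*"))}


def session_cookie_names(set_cookie_headers, marker="SESSID"):
    """Cookie names in Set-Cookie headers that look like session cookies (assumed marker)."""
    names = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        names += [n for n in jar if marker.lower() in n.lower()]
    return names


def fetch_without_cookies(url):
    """One anonymous GET with no cookie jar, like a fresh private window."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []


def probe(url, save_path, hits=2, fetch=fetch_without_cookies):
    """Repeat the cookie-less front page hit and record what each one left behind."""
    results = []
    for n in range(1, hits + 1):
        before = session_files(save_path)
        cookies = session_cookie_names(fetch(url))
        created = sorted(session_files(save_path) - before)
        results.append({"hit": n, "cookies": cookies, "new_files": created})
    return results


def session_started(results):
    """True if any anonymous hit produced a session cookie or a new sess_* file."""
    return any(r["cookies"] or r["new_files"] for r in results)


if __name__ == "__main__":
    # Constructed responses standing in for two cookie-less front page hits.
    canned = iter([[], ["PHPSESSID=constructed01; path=/; HttpOnly"]])
    report = probe("http://localhost/", "/tmp", fetch=lambda url: next(canned))
    print(report, session_started(report))
```

Against a real site, call `probe()` with the front page URL and the session.save_path from php.ini on the web server itself; the file check only applies to the file-based handler.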

        Gaetano Giunta added a comment -

        In reply to comment #053213
        Tried with ezp 4.4.0, using Chrome, Opera and Firefox browsers.

        Debug off, ezflow design (using a frontpage object for homepage).

        Session storage set to db:
        [Session]
        Handler=ezpSessionHandlerDB

        No sign of sessions being generated...

        Gaetano Giunta added a comment -

        In reply to comment #053213
        Tried also using file-based session storage, no problem can be detected.

        Using PHP 5.3.5 on Windows btw.

        Could you try to reproduce again?

        Richard Bayet added a comment - - edited

        In reply to comment #053209
        Hi all,

        Sorry to jump on the wagon, but isn't it completely normal (that eZ would auto-create PHP sessions)?

        IMHO, private browsing in Firefox or whatever web browser simply stands for "I, the web browser, won't accept any cookie from this site, nor in case I accepted some before 'private browsing' was activated for this site, will send some back to the site."

        Hence, the logical behavior of a web solution auto-generating cookie-based sessions for anonymous users will be to keep creating on the server side new sessions again and again and again.

        UNLESS, of course, there is a new mechanism I'm not aware of in 4.4 (via settings?) that prevents such a behaviour, be it IP / IP block based, HTTP User-Agent based, etc., for instance to NOT create sessions for major and known search engine crawling bots.

        Gaetano Giunta added a comment -

        In reply to comment #053210
        There is a new mechanism in place, that allows anon users not to have sessions auto-started. And it is in fact enabled by default: unless you change a specific setting in site.ini, you should not see any sessions being created.
        Of course, this is very good for bots/crawlers/cache-warmup scripts/big traffic sites etc...

        Richard Bayet added a comment -

        In reply to comment #053211
        OK, thanks for the info.

        Then the issue is legitimate as long as the default setting hasn't been tampered with / overridden...

        Paulo Cardiga added a comment -

        Hi,
        This problem no longer occurs here at the moment.


          People

          • Assignee:
            Gaetano Giunta
            Reporter:
            Paulo Cardiga