What could interfere with reading cookies?

04-02-2010, 12:00 AM
Apologies if this ends up being more about Apache config than PHP config, I can't really tell where that line is. (Or some other config somewhere, I don't know.)

My site uses a login, cookie based PHPSESSID. Nothing too exotic, here are the relevant php.ini lines for sessions:

session.save_path = "/var/lib/php/session"
session.use_cookies = 1
session.use_only_cookies = 0
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 18000
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 10000
session.bug_compat_42 = 0
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5

Most of that's default. And it works for some of the people all of the time, and all of the people some of the time. But once in a while I would get visitors reporting they couldn't log in, which clearly indicated that the session cookie wasn't properly being created or read. So you'd think "well that user just has cookies disabled." But those who were patient enough to walk through their browser's configuration with me confirm that cookies are enabled. Plus other sites seem to work for them.

But it wasn't a universal problem, I couldn't reproduce it and plenty of other users were logging in fine. But it did recur enough that I had to discount user insanity.

So I created a page that steps in if a session can't be read after login, which you can get to directly here:

All it does, very simply, is setCookie("TestCookie", 12345, time()+3600); on one page, tell you the cookie was set, and link to page 2.

Page 2 has

$TestCookie = "Not Found";
if (isset($_COOKIE['TestCookie'])) {
    $TestCookie = $_COOKIE['TestCookie'];
}

then tells the user what was found (either "12345" for success or "Not Found" for failure). And there's a form which asks for info and logs the result (and their IP) for me to investigate. And it confirmed my suspicion. Even with no session setting involved, these users aren't having the cookie stick. So I again entertained the idea that they do have cookies turned off and just don't know it.

As of two weeks ago I can't accept that. On a Wednesday everything was fine, hundreds of regular users. On Thursday 12 different people, on different browsers, from different parts of the world, all were unable to log in. When they got directed to the test page, every one of them resulted in Cookie Not Found.

I didn't have a lot of time that day but apologized for the inconvenience while I tried to figure it out. I didn't make any configuration changes, and mind you I and hundreds of other users all logged on without incident during this period.

By the next day (Friday) the problem had cleared up, and all 12 were again able to log in. (Actually I suspect it cleared up later that day, this was mostly clustered within a few hours.) Since then there has been maybe one random other person, but no clustering.

How does this make any sense? It's inconceivable that a dozen unrelated people would simultaneously disable cookies and get amnesia about it. Once again, 98% of users were unaffected. I made no changes to the server before, during, or after this. My server hosts might have done something, but I'd pretty much have to know exactly what could have happened before I could ask them about it.

(Not in any way an April Fools joke btw, though I wouldn't believe me either. This is just the soonest I've had time to ask about it.)
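
An extended, single-file form of the two-page cookie test described in the post, added here as an example and not the poster's own code. It swaps the fixed value 12345 for a per-test random value, so a cached copy of page 2 cannot pass as a real round trip, and it logs proxy-related request headers and cookie names only, so live session IDs never reach the log. It assumes PHP 7.1+; the log path, the `step` and `n` query parameters, and the helper names are hypothetical.

```php
<?php
// Added example, not the poster's code. LOG_FILE is a hypothetical path
// that must be writable by the web server and not web-accessible.
const LOG_FILE = '/var/log/cookie_test.log';
const COOKIE_NAME = 'TestCookie';

// Return a request header's value, or '-' when the client/proxy sent none.
function hdr(string $name): string {
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
    return isset($_SERVER[$key]) ? (string) $_SERVER[$key] : '-';
}

// 'ok' = cookie came back intact, 'mismatch' = a different value came back
// (stale or rewritten), 'missing' = no TestCookie arrived at all.
function classify(?string $cookie, string $expected): string {
    if ($cookie === null) {
        return 'missing';
    }
    return hash_equals($expected, $cookie) ? 'ok' : 'mismatch';
}

header('Cache-Control: no-store');           // keep intermediaries from caching either page
if (($_GET['step'] ?? '1') === '1') {        // page 1: set the cookie, link to page 2
    $nonce = bin2hex(random_bytes(8));       // fresh value per test run
    setcookie(COOKIE_NAME, $nonce, time() + 3600, '/');
    echo 'Cookie set. <a href="?step=2&amp;n=' . $nonce . '">Continue to page 2</a>';
    exit;
}

// Page 2: compare what came back with what page 1 issued.
$expected = preg_replace('/[^0-9a-f]/', '', (string) ($_GET['n'] ?? ''));
$cookie = isset($_COOKIE[COOKIE_NAME]) ? (string) $_COOKIE[COOKIE_NAME] : null;
$result = classify($cookie, $expected);

$entry = [
    'time'           => gmdate('c'),
    'ip'             => $_SERVER['REMOTE_ADDR'] ?? '-',
    'host'           => hdr('Host'),          // hostname the browser actually used
    'user_agent'     => hdr('User-Agent'),
    'via'            => hdr('Via'),           // present when a proxy declares itself
    'forwarded_for'  => hdr('X-Forwarded-For'),
    'cookie_header'  => isset($_SERVER['HTTP_COOKIE']),
    'cookie_names'   => array_keys($_COOKIE), // names only: never log PHPSESSID values
    'result'         => $result,
];
// json_encode escapes control characters, so header values cannot forge log lines.
file_put_contents(LOG_FILE, json_encode($entry) . "\n", FILE_APPEND | LOCK_EX);

echo 'Result: ' . htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
```

Comparing the `host`, `via` and `forwarded_for` fields across a cluster of `missing` results shows whether the affected requests share a hostname variant or an intermediary, which the IP address alone does not reveal.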