[BUG]: Destroying all sessions when using axios request in VueJs

[sinbadxiii]

If more than one session, for example, "cart.content" and "compare.content", and then put the values there. Then often refresh the page, soon all sessions are destroyed. The request can be either a POST or GET, there is no difference.
The page uses data retrieval through the Ajax request Vue component, using axios.

Application repository for example:
https://github.com/sinbadxiii/phalcon4-problem-vue-request

Youtube video link:

• Phalcon version: 4
• PHP Version: 7.4.1
• Operating System: Ubuntu 18.04
• Installation type: Compiling from source
• Nginx 1.17.7

The problem manifests itself when using the virtual host in Nginx.
If you run the application through a "phalcon serve", then the destruction of the sessions cannot be achieved.

Has anyone encountered such a problem?

[ruudboon]

Can you check if nginx/php-fpm is having the same extensions loaded as the cmd-line. (get_loaded_extensions() and php -m)

Axios is working with Phalcon serve right?

[sinbadxiii]

Can you check if nginx/php-fpm is having the same extensions loaded as the cmd-line. (get_loaded_extensions() and php -m)

php -m:

[PHP Modules]
apc
apcu
calendar
Core
ctype
curl
date
dom
exif
FFI
fileinfo
filter
ftp
gettext
hash
iconv
igbinary
imagick
intl
json
libxml
mbstring
mongodb
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
phalcon
Phar
posix
psr
readline
redis
Reflection
session
shmop
SimpleXML
sockets
sodium
SPL
standard
sysvmsg
sysvsem
sysvshm
tokenizer
xdebug
xml
xmlreader
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Xdebug
Zend OPcache

var_dump(get_loaded_extensions()):

array (size=56)
  0 => string 'apc' (length=3)
  1 => string 'apcu' (length=4)
  2 => string 'calendar' (length=8)
  3 => string 'cgi-fcgi' (length=8)
  4 => string 'Core' (length=4)
  5 => string 'ctype' (length=5)
  6 => string 'curl' (length=4)
  7 => string 'date' (length=4)
  8 => string 'dom' (length=3)
  9 => string 'exif' (length=4)
  10 => string 'FFI' (length=3)
  11 => string 'fileinfo' (length=8)
  12 => string 'filter' (length=6)
  13 => string 'ftp' (length=3)
  14 => string 'gettext' (length=7)
  15 => string 'hash' (length=4)
  16 => string 'iconv' (length=5)
  17 => string 'igbinary' (length=8)
  18 => string 'imagick' (length=7)
  19 => string 'intl' (length=4)
  20 => string 'json' (length=4)
  21 => string 'libxml' (length=6)
  22 => string 'mbstring' (length=8)
  23 => string 'mongodb' (length=7)
  24 => string 'mysqli' (length=6)
  25 => string 'mysqlnd' (length=7)
  26 => string 'openssl' (length=7)
  27 => string 'pcre' (length=4)
  28 => string 'PDO' (length=3)
  29 => string 'pdo_mysql' (length=9)
  30 => string 'phalcon' (length=7)
  31 => string 'Phar' (length=4)
  32 => string 'posix' (length=5)
  33 => string 'psr' (length=3)
  34 => string 'readline' (length=8)
  35 => string 'redis' (length=5)
  36 => string 'Reflection' (length=10)
  37 => string 'session' (length=7)
  38 => string 'shmop' (length=5)
  39 => string 'SimpleXML' (length=9)
  40 => string 'sockets' (length=7)
  41 => string 'sodium' (length=6)
  42 => string 'SPL' (length=3)
  43 => string 'standard' (length=8)
  44 => string 'sysvmsg' (length=7)
  45 => string 'sysvsem' (length=7)
  46 => string 'sysvshm' (length=7)
  47 => string 'tokenizer' (length=9)
  48 => string 'xdebug' (length=6)
  49 => string 'xml' (length=3)
  50 => string 'xmlreader' (length=9)
  51 => string 'xmlwriter' (length=9)
  52 => string 'xsl' (length=3)
  53 => string 'Zend OPcache' (length=12)
  54 => string 'zip' (length=3)
  55 => string 'zlib' (length=4)

Equally.
And there and there are 56 extensions.

Axios is working with Phalcon serve right?

Yes

[ruudboon]

From what I can see now it must be something with your nginx or php-fpm config. Looks like Nginx is not forwarding the session cookie so php-fpm starts a new session.
Can you check your headers in the browser to see if you receive a cookie set reply from php-fpm after each request?

[sinbadxiii]

From what I can see now it must be something with your nginx or php-fpm config. Looks like Nginx is not forwarding the session cookie so php-fpm starts a new session.
Can you check your headers in the browser to see if you receive a cookie set reply from php-fpm after each request?

@ruudboon For the purity of the experiment, I installed a new ubuntu on 18.04, with default nginx and php-fpm config. http://ph4.sergeymukhin.com

nginx config

user  www-data;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

here is the nginx virtual host.

server {
    listen      80;
    server_name ph4.sergeymukhin.com;
    set         $root_path '/var/www/phalcon4-problem-vue-request/public';
    root        $root_path;

    access_log  /var/log/nginx/phalcon4-problem-vue-request-access.log;
    error_log   /var/log/nginx/phalcon4-problem-vue-request-error.log error;

    index index.php index.html index.htm;
    rewrite ^/(.*)/$ /$1 permanent;
    try_files $uri $uri/ @rewrite;
	fastcgi_intercept_errors on;
    location @rewrite {
        rewrite ^/(.*)$ /index.php?_url=$1;    
    }

    location ~ \.php$ {
        # try_files    $uri =404;
        fastcgi_index  index.php;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;

        include /etc/nginx/fastcgi_params;
        fastcgi_split_path_info       ^(.+\.php)(/.+)$;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    location ~* ^/(css|img|js|flv|swf|download)/(.+)$ {
        root $root_path;
    }

    location ~ /\.ht {
        deny all;
    }

    location / {
        # if file exists return it right away
        if (-f $request_filename) {
            break;        
        }

    # otherwise rewrite it
        if (!-e $request_filename) {
            rewrite ^(.+)$ /index.php?_url=$1 last;
            break;
    }
    }

}

the problem still remains)
didn’t you manage to reproduce the problem on your server?)

[sinbadxiii]

I also think that nevertheless the problem is somewhere in nginx with fpm, but is it really just me :))

those. it turns out at some point the session is being regenerated.
have any thoughts?

[andrew-demb]

Please check, is your client sends correct cookies with request.

[sinbadxiii]

@ruudboon I think that most likely this is an axios issue with passing cookies during a request.
but how can this affect a session refresh?

[sinbadxiii]

Please check, is your client sends correct cookies with request.

@andrew-demb cookies are always correct, do not change, in particular PHPSESSID

[sinbadxiii]

I created a simple application on native php, the application repeats the functional of the problem, and there the session is not regenerated, although the request from axios remains the same.

https://github.com/sinbadxiii/example-axios-request

I'm stuck

[sinbadxiii]

@ruudboon if the session adapter is Phalcon\Session\Adapter\Redis, then everything is ok, if the use Phalcon\Session\Adapter\Stream then the session is regenerated.

Can this solve the problem somehow?

[Jeckerson]

Also check what is your session lifetime
https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime

[sinbadxiii]

Also check what is your session lifetime
https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime

by default session.gc_maxlifetime = 1440

[ruudboon]

@ruudboon For the purity of the experiment, I installed a new ubuntu on 18.04, with default nginx and php-fpm config. http://ph4.sergeymukhin.com

@sinbadxiii Trying to reproduce this but can't reach this server at the moment. Maybe you can ping me on Discord?

[sinbadxiii]

@sinbadxiii Trying to reproduce this but can't reach this server at the moment.

@ruudboon I just destroyed the server the day before yesterday :) But with this I wanted to show that the problem exists on default config.

@sinbadxiii Maybe you can ping me on Discord?

Ок

[ruudboon]

I confirmed this on the webserver of @sinbadxiii

Few things I can confirm

• SESSION_ID doesn't change
• No Set-Cookie is fired when session data is lost.

Besides that I'm 95% sure it isn't related to Axios. But I do think it is creating the conditions to fail.

I think it occurs when 2 requests are handled at the same time. My laptop is currently being serviced so cannot fully reproduce this locally but I'm expecting that the file is being written at the same moment an other request tries to read it. We use file_get_contents to open the session and I'm not sure if it handles advisory locks. Not even sure if file_put_contents will trigger these

Update: Looks like we don't set a file lock when writing.

[ruudboon]

file_get_contents doesn't care about file locks.

<?php    
    $file = "test.txt";

    //Write file
    file_put_contents($file, "Test");

    $handle = fopen($file, 'rb');
    //Lock exclusive
    flock($handle, LOCK_EX);
    $contents = file_get_contents($file);
    flock($handle, LOCK_UN);
    fclose($handle);

    print $contents;

[andrew-demb]

May be helpful reference to PHP implementation of files adapter: https://github.com/php/php-src/blob/master/ext/session/mod_files.c

[ruudboon]

@andrew-demb Yes. I'm doing something similar now. ruudboon@6281551#diff-7569882dd2736f23d2142a34913e6d7fR123

[Nomadzy]

Hi, I think we have the same problem. In an api Im working on, randomly (after 10s of simultaneous frontend queries after login) the session file get emptied ..

@ruudboon do have any idea on the 4.0.3 release date?

PHP Version: 7.2.26-1+ubuntu18.04.1+deb.sury.org+1
Phalcon Version: 4.0.0 & 4.0.2

[ruudboon]

@ruudboon do have any idea on the 4.0.3 release date?

@Nomadzy We're aiming for Saturday.

If you have time. Please clone my branch and rebuild Phalcon to test my fixes. @sinbadxiii can probably test this later when he's back from work. But the sooner we know it's working the better.

https://github.com/ruudboon/cphalcon/tree/fix-session-issue-14694

[Nomadzy]

@ruudboon I think its fine now. Compiled it and got the '4.0.0-RC.3' .. been using it for ten minutes, so far so good .. I'll test it more tomorrow

Thanks a lot

[ruudboon]

@Nomadzy then you builded it from the master branch. Please switch branch first after cloning.
Also make sure you have zephir 0.12.16

git checkout fix-session-issue-14694
zephir fullclean
zephir build

[Nomadzy]

@ruudboon I suspected that I did something wrong as I lost more sessions. thx again
Testing .. (4.0.2)
EDIT : looking good after 90 min usage ..

[ruudboon]

@Nomadzy Dropping a pull in that case

[sinbadxiii]

@ruudboon unfortunately the problem remains

UPD: I updated zephir to 0.12.16
and rebuild the phalcon with zephir 0.12.16 .
I think that now everything works fine :)

Thanks very much

[ruudboon]

@sinbadxiii Thnx for confirming. Will merge this today and release it in 4.0.3

[ruudboon]

Fixed in #14759