Encrypted session data with suhosin

47 Posts

prioritypie Reply #1, 11 years, 1 month ago

I moved my site to a live server that was running the suhosin patch, with session encryption enabled. The "data" field in the _sessions table now contains an encrypted string, whereas before it was just a serialized array.
Now, on most pageviews, I get an error in the logs:

There was an error retrieving or creating session id: {session_id_here}

And the _sessions table fills up. I've done some debugging statements, and the _getSession method of the sessionHandler class always fails when it tries to get the session object, even when the session id it is using is in the table. It therefore creates a new one.
Everything else seems to work OK, but it's not good with the logs and table filling up constantly.
Has anyone else experienced this? Is there a setting I'm missing somewhere?

My modx site settings are all default (for the sessions and cookies).
Using 2.2.6

MODX Staff
10,725 Posts

opengeek Reply #2, 11 years, 1 month ago

Can you enter a ticket for this in the tracker? I don't think the database session handler in MODX is handling the suhosin encrypted data properly.

For a workaround, you can try disabling the database session handler MODX Revolution uses by default by changing the System Setting called session_handler_class to a blank value. This will make MODX use whatever is configured in your php.ini session configuration; typically the standard PHP files handler.

Jason Coward
Chief Architect @ MODX
http://www.jasoncoward.com | http://twitter.com/drumshaman | https://github.com/opengeek

72 Posts

modxnooby Reply #3, 11 years, 1 month ago

Please look at my question on sessions here:
http://forums.modx.com/thread/83378/does-login-snippet-use-sessions#dis-post-459955
I need help!