Multi-Server Authentication Failure with DB sessions

Hi there.

This is not really a bug report but rather an esoteric behavior that I hope can help others save the time I spent debugging it.

I am implementing a scalable multi-server deployment of a Yii application (using haproxy as a round-robin load-balancer, no session affinity) and I took all the necessary/recommended steps:

1- Used DB sessions for session sharing;

2- Made sure the runtime folder contents are shared by all servers;

Nevertheless, I could not get authentication to function properly when submitting requests to different servers, although sessions and authentication cookies seemed to be working in the proper way.

So, after careful study of the framework, I found out that Yii stores authentication information in the session record by prefixing it with the application ID. However, this application ID depends on the base location of the application installation.

It turns out that indeed my application was installed in different locations on different servers and the ID was not matching. Therefore there is a third step to the list above:

3- Make sure your app is installed in the same folder throughout all servers.

Hope this saves your time!

Best

What about using CApplication::id?

Setting the same id in each server wouldn’t help?

Good suggestions! Thx!

Maybe there is another way.

In CWebUser, it's:

    public function setState($key,$value,$defaultValue=null)
    {
        $key=$this->getStateKeyPrefix().$key;
        if($value===$defaultValue)
            unset($_SESSION[$key]);
        else
            $_SESSION[$key]=$value;
    }

    public function getStateKeyPrefix()
    {
        if($this->_keyPrefix!==null)
            return $this->_keyPrefix;
        else
            return $this->_keyPrefix=md5('Yii.'.get_class($this).'.'.Yii::app()->getId());
    }

So, if we set the same CWebUser prefixKey in protected/config/main.php, the session is shared by the key, just like the following:

    'components'=>array(
        'user'=>array(
            // enable cookie-based authentication
            'allowAutoLogin'=>true,
            'stateKeyPrefix'=>'justsameuser',
        ),
    ),
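The mismatch described in this thread, as an added example that is not part of any post here and is not Yii's own code: a stand-alone PHP script that models how the state key prefix follows the install path, and how a fixed application id or stateKeyPrefix removes that dependency. The crc32-based id derivation, the __id state name, the application name, the host names and the paths are assumptions or constructed sample values.

```php
<?php
// Assumption: with no explicit id configured, Yii 1.1 derives the
// application id as sprintf('%x', crc32($basePath . $name)).
function appId(string $basePath, string $name, ?string $configuredId = null): string
{
    return $configuredId ?? sprintf('%x', crc32($basePath . $name));
}

// Mirrors CWebUser::getStateKeyPrefix() as quoted in the thread.
function stateKeyPrefix(string $userClass, string $appId, ?string $configuredPrefix = null): string
{
    return $configuredPrefix ?? md5('Yii.' . $userClass . '.' . $appId);
}

// Constructed sample data: the same code base deployed under two paths.
$servers = [
    'web1' => '/var/www/app/protected',
    'web2' => '/srv/sites/app/protected',
];

// Prefix each server would compute for a given id / stateKeyPrefix setting.
function prefixes(array $servers, ?string $id = null, ?string $prefix = null): array
{
    $out = [];
    foreach ($servers as $host => $basePath) {
        $out[$host] = stateKeyPrefix('CWebUser', appId($basePath, 'My Web Application', $id), $prefix);
    }
    return $out;
}

// One shared session row: web1 writes the login state, web2 looks it up.
function loginVisibleOnOtherServer(array $p): bool
{
    $session = [$p['web1'] . '__id' => 42];       // '__id' state name is assumed
    return isset($session[$p['web2'] . '__id']);
}

$cases = [
    'default (path-derived id)' => prefixes($servers),
    'explicit application id'   => prefixes($servers, 'myapp'),
    'explicit stateKeyPrefix'   => prefixes($servers, null, 'justsameuser'),
];
foreach ($cases as $label => $p) {
    printf("%-26s web1=%s web2=%s shared_login=%s\n", $label,
        substr($p['web1'], 0, 8), substr($p['web2'], 0, 8),
        loginVisibleOnOtherServer($p) ? 'yes' : 'NO');
}
```

Whichever fixed value is used should be unique to the application: two different applications that share a session store and the same prefix would read each other's login state.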

I am struggling to share sessions across multiple servers.

My config file is as follows :

    // application components
    'components'=>array(
        'user'=>array(
            // enable cookie-based authentication
            'allowAutoLogin'=>true,
            'class'=>'application.components.WebUser',
            'stateKeyPrefix'=>'justsameuser',
        ),

        // session configuration
        'session' => array(
            'cookieMode' => 'allow',
            'sessionTableName' => 'session',
            'autoCreateSessionTable' => true,
            'class' => 'system.web.CDbHttpSession',
            'connectionID' => 'db',

            'cookieParams' => array(
                'path' => 'http://myipaddress/1_blog/runtime/', // the central server to store session
                'httpOnly' => true,
            ),
        ),

I have added the methods getStateKeyPrefix and setState in my CWebUser file.

But I still don't see any session sharing working for me.

Please, does anyone have any idea about this?

Thanks,

Shreyas