XF 1.1 User sessions not unique to users

digitalpoint

Well-known member
Is it intentional that sessions are not stored on a per user ID basis, but rather a per cookie basis?

I've been running into a bit of an issue where if you are logged in from two different computers/browsers, the session data is different depending on the computer you are logged in with. Normally it's not a huge deal, but it can be annoying when session data is out of sync (things like reported items in the header show different values depending on the computer you are on).
 
I think it's a pretty standard practice to maintain separate sessions when a user is logged in twice from two different browsers. Enforcing one shared session per user would be awkward in some respects. I think the problem here isn't multiple sessions per user, but rather the fact that XenForo caches forum data in the session record. That leaves open the possibility for inconsistent cached data among multiple sessions for the same user.

A solution might be to move the cache to the session activity record which is shared and is indexed by user_id.
 
Yeah... I can see how a single shared session could cause some issues (like logging out of one computer would log you out of all).

Side note - it's also weird that session data is persistent forever and whatever hash key is being used doesn't change if the password changes. So you changing your password still won't log you out of other computers you might have accidentally stayed logged in to. I saw a really weird thing where I had a test user with user ID #2 in a dev environment, and then like a week later I loaded in real user data, and lo and behold, from that browser, I was magically logged in as the *real* user ID #2 a week later because the session persisted indefinitely and obviously changing the user record completely (including password) still kept the "session" for user ID 2 intact.
 
Side note - it's also weird that session data is persistent forever and whatever hash key is being used doesn't change if the password changes.

Sessions are not persistent forever. Sessions are invalid after the timeout:

Admin CP -> Home -> Options -> User Options -> Online Status Timeout

And the actual session records are pruned by a cron after one hour of inactivity.

When a user's session hits the timeout they are automatically logged out, unless they selected "Stay logged in" in which case they will have a "xf_user" cookie which contains their user_id and remember_key. The remember_key is part of the xf_user_authenticate record. That key is changed whenever the user's password is changed. Refer to:

XenForo_DataWriter_User::_preSaveDefaults

So what you described shouldn't be possible.
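
An added, stand-alone model of the mechanism described above (example code written for this page, not XenForo's own; XenForo_DataWriter_User and the xf_user_authenticate table are not reproduced). It assumes a remember cookie laid out as `user_id,remember_key`, a placeholder SHA-256 in place of the real password hash, and the hypothetical names AuthStore, UserRecord and Session; the sample user and cookies are constructed inline. It shows why two browsers get two session records whose cached values can drift apart, and why rotating remember_key on a password change (or replacing the user record outright) causes the old cookie to be rejected:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class UserRecord:
    user_id: int
    password_hash: str  # placeholder hash; a real system uses a slow, salted password hash
    remember_key: str   # random secret, rotated whenever the password changes


@dataclass
class Session:
    session_id: str
    user_id: int
    data: Dict[str, int] = field(default_factory=dict)  # per-session cache, e.g. report counts


class AuthStore:
    """Hypothetical in-memory stand-in for the user, authenticate and session tables."""

    def __init__(self) -> None:
        self.users: Dict[int, UserRecord] = {}
        self.sessions: Dict[str, Session] = {}

    @staticmethod
    def _hash_password(password: str) -> str:
        return hashlib.sha256(password.encode()).hexdigest()  # illustration only

    def create_user(self, user_id: int, password: str) -> UserRecord:
        rec = UserRecord(user_id, self._hash_password(password), secrets.token_hex(16))
        self.users[user_id] = rec
        return rec

    def change_password(self, user_id: int, new_password: str) -> None:
        rec = self.users[user_id]
        rec.password_hash = self._hash_password(new_password)
        # Rotating the key is what invalidates every outstanding remember cookie.
        rec.remember_key = secrets.token_hex(16)

    def issue_remember_cookie(self, user_id: int) -> str:
        rec = self.users[user_id]
        return f"{rec.user_id},{rec.remember_key}"  # assumed cookie layout

    def login_from_cookie(self, cookie: str) -> Optional[Session]:
        """Returns a fresh per-browser session, or None if the cookie is not valid."""
        try:
            uid_str, key = cookie.split(",", 1)
            user_id = int(uid_str)
        except ValueError:
            return None
        rec = self.users.get(user_id)
        # Constant-time compare so key guesses cannot be timed.
        if rec is None or not hmac.compare_digest(rec.remember_key, key):
            return None
        sess = Session(secrets.token_hex(16), user_id)
        self.sessions[sess.session_id] = sess  # keyed by session id, not user id
        return sess


def demo() -> Dict[str, bool]:
    """Walks through the behaviour discussed in the thread with constructed data."""
    store = AuthStore()
    store.create_user(2, "dev-password")
    cookie = store.issue_remember_cookie(2)

    laptop = store.login_from_cookie(cookie)
    desktop = store.login_from_cookie(cookie)
    assert laptop is not None and desktop is not None
    laptop.data["reported_items"] = 3   # each session caches its own copy ...
    desktop.data["reported_items"] = 5  # ... so the two can drift apart

    results = {
        "separate_sessions_per_browser": laptop.session_id != desktop.session_id,
        "session_cache_can_drift": laptop.data != desktop.data,
        "tampered_cookie_rejected": store.login_from_cookie("2,not-the-key") is None,
        "malformed_cookie_rejected": store.login_from_cookie("garbage") is None,
    }

    store.change_password(2, "new-password")
    results["old_cookie_rejected_after_password_change"] = store.login_from_cookie(cookie) is None
    results["fresh_cookie_accepted"] = store.login_from_cookie(store.issue_remember_cookie(2)) is not None

    # Reloading user #2 from another data set replaces the record and its key,
    # so a cookie issued against the old record is rejected as well.
    old_cookie = store.issue_remember_cookie(2)
    store.users[2] = UserRecord(2, AuthStore._hash_password("real-user"), secrets.token_hex(16))
    results["replaced_record_rejects_old_cookie"] = store.login_from_cookie(old_cookie) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run it directly to print each check. The remember key is effectively a long-lived password, which is why it is compared with hmac.compare_digest rather than `==`; a real deployment would also keep only a hash of the key server-side so that a read of the database does not yield usable cookies, and would expire sessions on the timeout the post above describes.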
 
I may need to go digging... it definitely happened. I wonder if it's some anomaly from using memcached for sessions, and more specifically just caching sessions in general via:

PHP:
$config['cache']['cacheSessions'] = true;
 