>I think that might be an unrelated problem, but we'll need to check it out to know for sure.

Yes, I think that you are right.

I observe more errors since the publication of my message. And, I did not succeed in reproducing this error.

The script is attached to a form. Also, it is perhaps related to a use which was not conformity (…)

Thanks again!

Djulia

I think that might be an unrelated problem, but we'll need to check it out to know for sure.

What was happening with the previous error is that the AutoBackup plugin was calling backupDatabase() which had an optimization to "close" sessions before long backup operations.  So all the patch does was "not" close sessions that were previously opened by CMSB.

If you want to print out what CMSB thinks the session name is you can add a debug line in /lib/init.php

// Initialize session
$session_name = cookiePrefix() . 'PHPSESSID'; // use a unique session cookie for each CMS installation
ini_set('session.name', $session_name); // sets session.name
die("ini_set('session.name', $session_name)");

And check the cookie prefix value which comes from /data/settings.*.php and is stored in 'cookiePrefix'.

You could also check what the session name and ID is before that line:

print "session_name(): " .session_name(). "<br/>\n";
print "session_id(): " .session_id(). "<br/>\n";
if (!isset($_SESSION)) { session_start(); }


Actually, I'm not sure that we change session_id() at all.  Session_id is the name of the session file, and session_name of the cookie that stores the session_id.

If you'd like to  send server details to me at dave@interactivetools.com I can debug it for you.

Thanks!

Interesting, but that causes a warning with use session_start in our script.

" if (!isset($_SESSION)) { session_start(); } "

PHP Warning:  session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'

An idea?

I found this post: :

http://stackoverflow.com/questions/3185779/the-session-id-is-too-long-or-contains-illegal-characters-valid-characters-are

Thanks!
Djulia

The solution is as follows:

update /lib/database_functions.php and replace all instances of this:

session_write_close()

with this:

#session_write_close()

If you also have the Autobackup plugin installed, please make sure the backup folder is writeable.

Dave has updated the CMSB source code so the next release shouldn't have this issue. If anyone is still having problems, please post here!

<IfModule mod_php5.c>
#Session timeout
php_value session.cookie_lifetime 86400
php_value session.gc_maxlifetime 86400
</IfModule>

'checkReferer' => '0',

'session_save_path' => '/directory/path/',
I can see the session files being stored in this directory and they are not being deleted

I get the _CSRFToken immediately on login on all browsers. 

I also have a support ticket in #RDJ-694185

This is probably happening because the session that contains the users _CSRFToken (which is used to prevent Cross-Site Request Forgery) is being unset. There are a couple of things you could look into to fix this:

1. Try setting a directory to store your session data in, you can do this in the CMSB General settings area (see attached). On some hosting services the session files are deleted extremely often by the server unless you store them in a directory you can control.
2. CMS Builder is set up so that session cookies remain for 24 hours, but some servers ignore this and use their own session limits, you might have to contact your hosting company and see if you have access to the session.gc_maxlifetime variable:

3. ini_set('session.gc_maxlifetime', 3600);

You could also try disabling the `Check Referer` check box in the General Settings of the CMS, and see if this makes a difference, although your CMS backend will be slightly less secure if you do this.

If none of these items work, you can fill out a second level support request here: 

https://www.interactivetools.com/support/email_support_form.php

and we will take a look into what is causing the issue.

Thanks,

Greg

in settings.dat.php tried changing:
'checkReferer' => '0',
'session_save_path' => 'xxxxxx',

in htaccess tried adding:
php_value session.gc_maxlifetime 3600

Php Info:
Version: 5.3
PHP Safe Mode: off
Register Globals: off

Not running Spambot Email Protector either. 

Suggestions?