HAProxy as frontend for UCP backend? PHPSESSID repeated 41 times in response? Why?

Has anybody gotten UCP working through a reverse proxy? HAProxy?

I’m getting a 502 Bad Gateway. Seems as if UCP doesn’t like to be reverse proxied.

It seems the issue is that the response headers delivered to HAProxy by UCP are HUGE!

PHPSESSID=nkdp292ug2jpmhmcqc9kn5r4o7; path=/

is repeated like 41 times.

Yes. That’s normal and fine.

If you don’t mind me asking, why is that considered normal?

It causes the response header to be arbitrarily large.

In fact, I believe this behavior is actually a violation of RFC6265

I can HAProxy the Admin site just fine and its headers are just a few hundred bytes (as opposed to UCP which is multiple kilobytes).

Ref: https://tools.ietf.org/html/rfc6265

It’s normal because it’s PHP doing that. We don’t set the header for phpsessionid. We can’t. It’s happening multiple times because we are starting and stopping the PHP session to add and remove items from it (but not 41 times). Which is normal (normal because PHP adds the sessions 41 times)

Not to be the “a hole” here but if you believe this is a violation of RFC6265 then you need to go report it to php.

So then why does the admin side return a nice and lean response header?

How is the difference in response header behavior between the admin panel and the UCP a PHP issue?

Sorry for seemingly triggering a defensive response from you…

So here is a response from the PHP guys on an identical issue (Bug# 38104). Albeit there was significant discussion following their comment, I believe the consensus was that this isn’t a bug.

Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at PHP: PHP Manual - Manual and the instructions on how to report a bug at PHP :: How to Report a Bug
Session is created every time you call session_start(). If you want to avoid multiple cookie, write better code. Multiple session_start() especially for the same names in the same script seems like a really bad idea.

Ref: https://bugs.php.net/bug.php?id=38104

I’m merely letting you know what sets phpsessid. You seem to be the only person with the issue. Since freepbx isn’t actually setting phpsessid but php is and php is setting it multiple times then php is violating the rfc not freepbx. The tool that is doing the job of setting phpsessid is violating the rfc. If asterisk violates an rfc do you report the bug against freepbx because freepbx uses asterisk? This is the reasoning.

The issue here is caused by output buffering in the UCP code.

The function headers_sent() will always return false when buffering the output. Only after the buffer is flushed out to the client will headers_sent return true. So, analyzing the code I do see an attempt to only call session_start() once in Session.class.php. However, because buffered output is used, headers_sent is always returning false, so you are indeed calling session_start() >40 times. The logic in Session.class.php is fundamentally flawed, imo.

Patches are gladly welcomed.

Just registered to write an answer for the problem.

In the private function startSession(), add the following line after session_start():
if (SID) header('Set-Cookie: '.SID.'; path=/', true);
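
To confirm the behaviour discussed in this thread from a captured backend response head, the following added example (not code from the thread or from FreePBX/UCP) groups Set-Cookie lines by cookie-name, which RFC 6265 section 4.1.1 says a server SHOULD NOT repeat within one response, and reports how many header bytes the repeats cost. The function name, the shortened sample response and the `lang` cookie are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: a backend response head that repeats the session cookie
# (cookie line taken from the first post, repeat count shortened to 5;
# the "lang" cookie is made up to show that distinct names are not flagged).
SESSION_LINE = "Set-Cookie: PHPSESSID=nkdp292ug2jpmhmcqc9kn5r4o7; path=/"
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    + (SESSION_LINE + "\r\n") * 5
    + "Set-Cookie: lang=en_US; path=/\r\n"
    "\r\n"
)


def audit_set_cookie(raw_head: str) -> dict:
    """Group Set-Cookie header lines by cookie-name and size the header block."""
    head = raw_head.split("\r\n\r\n", 1)[0]
    by_name = defaultdict(list)
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        # cookie-pair is the text before the first ';', the name is before '='
        name = value.split(";", 1)[0].split("=", 1)[0].strip()
        by_name[name].append(line)
    duplicates = {n: len(v) for n, v in by_name.items() if len(v) > 1}
    # Every occurrence except the last one per name is redundant (line + CRLF).
    wasted = sum(len(l) + 2 for v in by_name.values() for l in v[:-1])
    return {
        "header_bytes": len(head) + 4,  # includes the terminating CRLF CRLF
        "duplicates": duplicates,
        "wasted_bytes": wasted,
    }


if __name__ == "__main__":
    report = audit_set_cookie(SAMPLE_HEAD)
    print(f"header block: {report['header_bytes']} bytes")
    for name, count in report["duplicates"].items():
        print(f"{name} set {count} times in one response")
    print(f"bytes spent on repeated Set-Cookie lines: {report['wasted_bytes']}")
```

Feed it the head captured directly from the backend (bypassing the proxy) before and after a change to the session code; a fixed response should report no duplicates.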
