Every once in a while, when refreshing the forums index, a screen like the maintenance screen shows up with the message that dragonflycms.org/Forums.html is a bad request.

confirmed

yes me too

im also getting a lot of cookie errors on another DF site

I Guess new Session system check on your session...........

i do confirmed it.

Quote::

Bad Request The URL that you requested, /Forums/search/search_id=newposts.html, was a bad request.session expired [ Go Back ]

Been getting it all day here

02/25/06

i've gotten it twice today so far. i just got another one a few seconds ago. i was over at myndworx checking out their forums and used my dragonfly bookmark to come back here and got the error. it displayed for a few seconds then put me in the news where my bookmark is directed. so no big deal.

a session expires after 24 minutes (default php behavior).
However when expired the data gets deleted and you start a new one.

There's a script that managed to post as anonymous using a fixed session cookie so i'm checking if this forcefull session destroyer will work.
This means you can't use your previous session ID but just get a new one.

I too get this error message, and all the new forum message is marked as read, even I don't have been in the forum today before now.

so why did this start happening all of a sudden? what are you guys up to? i'm sure it's good things but i'd be interested to hear what your shooting for when it happened.

djdevon3 wrote:

so why did this start happening all of a sudden? what are you guys up to? i'm sure it's good things but i'd be interested to hear what your shooting for when it happened.

DJMaze wrote:

There's a script that managed to post as anonymous using a fixed session cookie so i'm checking if this forcefull session destroyer will work.

I've seen this happen a few times aswell, and my first thought after seeing djmaz's explanation was "so now it works the way it should" sessions are supposed to expire and a new ID should be given when you start a new session.
However i think the error page about expired sessions should be skipped if it's not a secured area such as the admin area. I'd hate to explain to all my users why theres an error everytime they refresh a page, I don't think they should be notified that their session expired, just start a new one and send them to the page the requested immediately.

My 2 cents

Kuragari wrote:

djdevon3 wrote: so why did this start happening all of a sudden? what are you guys up to? i'm sure it's good things but i'd be interested to hear what your shooting for when it happened. DJMaze wrote: There's a script that managed to post as anonymous using a fixed session cookie so i'm checking if this forcefull session destroyer will work. I've seen this happen a few times aswell, and my first thought after seeing djmaz's explanation was "so now it works the way it should" sessions are supposed to expire and a new ID should be given when you start a new session. However i think the error page about expired sessions should be skipped if it's not a secured area such as the admin area. I'd hate to explain to all my users why theres an error everytime they refresh a page, I don't think they should be notified that their session expired, just start a new one and send them to the page the requested immediately. My 2 cents

I agreed with you there Karagari, I rather not want to explain that to my users too.

I did try a redirect but a redirecting page doesn't destroy the cookie which caused it to be endless looping. You must show a temporary page that refreshes to properly destroy it.

The issue is that $_COOKIE[session_name()] exists and session_start() always uses that "expired" ID.

unset($_COOKIE[session_name()]) is unreliable since we don't know in which PHP versions its protected.

DJMaze wrote:

I did try a redirect but a redirecting page doesn't destroy the cookie which caused it to be endless looping. You must show a temporary page that refreshes to properly destroy it.

Well, that shows how much I know about sessions

I guess a redirection page isn't a big deal, but my main point was the error page. I think it might make people think they didnt something wrong, or the site is broken if they keep getting error messages. Maybe a different message like "Redirecting you to the requested page" or something similar

yeah session expired would cause new users to think they've gotten an error or try to login again. i like kuragari's idea of showing a redirect message. that way no one is none the wiser. you wouldn't even have to explain it to df admins either as it would become part of the cms. but you might eventually get some questions about how to take out the redirect message and explain it then. thanks for explaining it more maze.

What Happen if you try comment cpg_error('session expired', 400, get_uri());?