Session don't close since 3.8.4 update #19585
Comments
|
Please test PR #19548. |
|
Sessions do properly expire. A change was made with #19165 to how the optional session metadata (which shows these online user counts in various places) is managed as a means to address performance issues with tracking it. Most specifically, our cleanup operation will not run at all anymore when the database session handler is in use as this conflicts with PHP's native session management (and we store both the "real" session data and the optional metadata in the same table). There was a bug with that PR, fixed in 3.8.5, that prevented the cleanup from running when a non-database handler was in use because the event handler was configured to a non-existing event and therefore never triggered. See #19511 and #19521 for additional discussion, and #19548 for a tool which can be used on servers to run this operation on an as needed basis (can be implemented as a cron job if desired). Note for now though that #19548 actually only works consistently for the metadata portion of cleanup if using the database session handler, to implement a cron job to handle metadata cleanup in general other changes in core are needed which could land in 3.9 (#19578 starts the work on some of the required infrastructure changes). |
|
I missed the information - thanks a lot, changing to php handler worked fine. What a quick answer, you're amazing ! |
ghost
mentioned this issue
|
As we see increasing amounts of reports about that issue in the german-speaking support channels, I would like to question the current "won't fix" for this problem. Yes, the system works as designed when session.gc_probability isn't set to 1 - but the reality is that the 3 largest webhosts in germany using 0 as their default value and therefore sessions aren't cleaned up anymore. This means that a previously working site is now experiencing issues, which makes it a breaking change for me. Using a cronjob isn't a solution imho, because it requires a user action to implement and numerous webhosts don't offer cronjobs at all. Therefore I would suggest to restore the previous behavior if gc_probability is set to 0. |
|
Set to "open" on behalf of @franz-wohlkoenig by The JTracker Application at issues.joomla.org/joomla-cms/19585 |
|
Reopened as stated above. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19585. |
No. Joomla should not be doing PHP's garbage collection job only for the database handler. Either we implement our own universal garbage collection handler and do it for all session handlers, or we continue on the path that we have started down so that it doesn't matter if The optional metadata MUST be split to a separate database table. That is the data that we are concerned with managing. As long as the metadata is stored in the same table as the real session data, and as long as the database handler is coupled to our writing of this metadata, we cannot optimize the workflows managing these two sets of data and the end result is either an arbitrary check on every HTTP request which causes performance issues or where we are now where the table doesn't get cleaned at an adequate interval. Just like I said elsewhere last night, we need to stop accepting quick fix bandaid solutions and actually fix the root issues in our architecture. |
|
Ok, so simple question: how do we fix the current issues for the mentioned users (gc_probability = 0)? Using the CLI job isn't a solution, letting them switch the session handler? That's ok for me if that happens automatically at the next update and also purges the session table. Right now the system is just broken and leaving it like that and telling people that it's their host's fault can't be the solution. |
|
Come up with a way to migrate to this data schema in a B/C manner: CREATE TABLE IF NOT EXISTS `#__session` (
`session_id` varchar(191) NOT NULL DEFAULT '',
`time` varchar(14) DEFAULT '',
`data` mediumtext,
PRIMARY KEY (`session_id`),
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 DEFAULT COLLATE=utf8mb4_unicode_ci;
CREATE TABLE IF NOT EXISTS `#__session_metadata` (
`session_id` varchar(191) NOT NULL DEFAULT '' COMMENT 'FK to #__session',
`client_id` tinyint(3) unsigned DEFAULT NULL,
`guest` tinyint(4) unsigned DEFAULT 1,
`time` varchar(14) DEFAULT '',
`userid` int(11) DEFAULT 0,
`username` varchar(150) DEFAULT '',
KEY `session_id` (`session_id`),
KEY `userid` (`userid`),
KEY `time` (`time`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 DEFAULT COLLATE=utf8mb4_unicode_ci;The problem with the 3.8.3 and earlier behavior is:
Joomla is inconsistent at best. The changes I am working on aim to bring consistency and fix architecture and performance issues. |
It's not only about "seeing" that in the UI, it quickly becomes a performance issue (I have a client site with "some" traffic, pilled up 600k rows in the session table causing a TTFB of 20 seconds in the backend) and a quota issue (mentioned table quickly grew to 2GB). I fully agree that the old design was a pita and refactoring makes sense, but I don't think that this should have happend in a patch release but in J4, because it turns out to be a breaking change for a lot of users. |
|
Just a comment - I found this discussion after searching for a reason why my Joomla 3.8.5 website database has grown from the usual 11 mb to almost 500 mb. Had to truncate the session table to shrink it. In Joomla configuration the session handler is set to 'database'. Never had that problem with previous versions. |
|
So what are you going to do about systems where If you want Joomla to do session garbage collection, it needs to be consistent for all the same reasons for all handlers. Or, revert the changes I made for 3.8.4, wire up a bot to automatically reject changing any code that ever touches anything related to session management in Joomla (the real data or the optional metadata, where all these performance problems exist), and accept the status quo that Joomla is garbage as it relates to session management, especially because of this metadata because these who's online modules are so important to some users. And yes, I am very annoyed because I'm sick and tired of defending fixing architecture issues when everyone else is content with amateur hour shortsighted fixes that just work around the real problems. |
That's exactly what I suggested. Not because I don't like the idea of a clean architecture, not because I want to piss you off, not because I don't appreciate all the work that you put in there - but because it's a breaking change in a patch release. Do I really need to explain that this is a bad thing? |
|
We don't need to fully revert. The change from 2 to 5 is fine, we just need to make small change to that PR (remove the check for database handler and everyone would be happy) |
|
Fine, I will revert the &($* pull request and rescind all pull requests I have because clearly this community would rather have a broken CMS that displays a semi-accurate count of online users. What a joke. |
I do not agree. |
|
I'm done. |
|
@mbabker Is moving session garbage collection to plugins is a bad idea? |
|
I don't care anymore. People don't give a damn that garbage collection isn't happening for the non-database handlers, why should I? They don't care there's a major performance impact in running this one query over 100 times per minute, why should I? They just want their who's online module to be right, give the people what they want, not what they need. |
In my case I don't use that module, but nevertheless encounter this issue. However, the problem seems to disappear if I disable the 'User Status' module. |
|
Sure, because you have one less UI element making a query into the session table. |
|
I'm quite sure that I never ever touched that module's (default) settings before. :-) |
|
Here are the practical options:
Reverting to 3.8.3 behavior is a garbage answer, but the one everyone seems to want. Because they see a bloated DB table. Seriously, if your server has A plugin which forces PHP garbage collection to run is a workaround to a broken server configuration. It might fix the issue users are seeing, but it's still crap because it is relying on an application to address a server level misconfiguration. |
|
this is an old post but i strongly suspect that its still valid The important line is
|
|
Could this not all be solved by adding a new configuration setting: Session garbage collection frequency:
And then use Joomla for garbage collection? |
|
That's the plugin approach mentioned above. It's still a workaround to a bad server config but would get the job done. |
|
based on the article I linked to it is not "a bad server config" |
|
"bad server config" basically being "there is no garbage collection happening by way of PHP". Not necessarily that the config itself is bad. |
|
if you read the article it explains that debian decided to use a cron job instead of gcprobability but thats no good for us. |
|
Just to close the loop on this one. This is a screenshot of the session config on one of my Ubuntu 16.04 servers using the PHP 7.1 package (basically defaults), and the cron task that is set up to handle the garbage collection operation. (writing as you posted the cron job comment) So there is SOMETHING handling the garbage collection, but it's not PHP (for Ubuntu it's this cron job, on a WHM/cPanel server you've probably got an entry for
|
|
Here is the spec for a GC plugin, the internals of which are modeled around class PlgSystemSessionGc extends JPlugin
{
public function onAfterRespond()
{
$probability = $this->params->get('gc_probability', 1);
$divisor = $this->params->get('gc_divisor', 1000);
$random = $divisor * lcg_value();
if ($probability > 0 && $random < $probability) {
JFactory::getSession()->gc();
}
}
} |
|
hello, this is another very important change which was hardly documented before the patch release. we take care of all PHP file sessions by using custom CRON jobs and we do not expect Joomla do to anything about it since in Joomla, this is called "none" and it's not called xcache/apc/file or else... It is just "none" which means that session storage + medium encryption + SHM or directory access + any garbage or session cleaning is hanled by server administrators and not by the application. Since joomla implements "custom" (user) session handler called "database" everybody would expect that it takes care of the session storage + encryption + serialization/deserialization + cleaning by itself. there are PHP variables for "cookie path" and "cookie domain" and nobody expects them to be set by the server, but rather by the application itself (Joomla) so what is the proper config (joomla or server) now for enviroments where "gcprobability" is set to zero (i.e. custom cleaning) and there are sites both using file and database session that share the same php.ini ? (i.e. 2 sites per inside a customer enviroment) Session GC CLI is not really a solution since most hostings do not provide a secured CLI access to PHP and for an hosting company it would mean to locate all Joomla installations and execute such CLI file. GC in the database could be also done:
|
Not necessarily true. Our handler can do garbage collection operations, as long as it is told to do so. Clearly, there are PHP configurations (almost the default?) where PHP does not handle garbage collection at all and this cleaning is done by way of server level tasks (i.e. the pointed out cron jobs on Ubuntu or WHM configured servers). And again, this does not only affect the database handler, it is the most visible with the database handler for a plethora of reasons.
Again, not a viable option:
Again, the changes in 3.8.4 only exposed the fact that servers are not configured to run session garbage collection operations, and again at least in the case of filesystem stored sessions this is balanced by a cron job that is routinely set up in Linux servers to clear this storage path. We don't know what is in place for the other backend stores though, so continuing to give the database handler preferential treatment is a wrong practice too. The above spec'd GC plugin:
|
|
Do I as one of the more unsuspecting Joomla users understand that correctly, that one (intermediate) solution could be to set session.gc_probability = 1 in the php.ini file? |
|
Yes. |
|
Ok, thank you. :-) |
|
I'll tell you all what. In the next 18 hours, I will prepare one pull request which gets to the end state I am trying to achieve within the B/C limitations of 3.x for the session related code (both real storage and metadata). That is going to be a take it or leave it pull request because it is going to have a large quantity of changes in it (the code from #19578, a full plugin implementation of #19585 (comment), new config options in the application class to disable metadata cleanup from the HTTP request cycle (not exposed in the UI, users will have to direct change What I am NOT going to do is remove the check on triggering the metadata cleanup in the application class so that it does not run for the database handler. With the session GC plugin, it will get cleaned up, but at a lesser frequency to the metadata cleanup operation than if you were using any other handler. Because I am moving the system to treat the metadata as a separate entity to the actual session data. And in 4.0 the two data types will be correctly differentiated in two different tables (requiring a B/C break in our data schema and inherently integrations which work with the metadata) so that there does not need to be a handler check in front of the metadata cleanup task. |
|
Can you put a cleaning metadata process in that plugin too?
The end user will not notice any problem, and an advanced user can change the probability at his own discretion. |
ghost
mentioned this issue
|
Set to "closed" on behalf of @Quy by The JTracker Application at issues.joomla.org/joomla-cms/19585 |
|
See PR #19687 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/19585. |
|
Excuse me. Why do we need to force a user to edit the php.ini? Instead, we can set a runtime directive:
|
|
In Debian PHP distributives There is a conflict with permissions. Instead, a cron task is executed every 30 minutes: |
and others
Since 3.8.4 update, Joomla sessions don't close : dozen of connected users are wrongly shown on frontend Community Builder Online module, and also shown backend admin panel in the last 5 connected users module.
The text was updated successfully, but these errors were encountered: