I am getting the following DB error. DB Error #1062, Clients and Agents.

I understand that the session cannot be created because it already exists and needs to be cleared. After I get this error, I find the session has now been cleared and the user can log in.

Is there a way to clear these expired sessions automatically and avoid this error?

thank you,

Paul

Server Information
osTicket Version v1.15.6 (1a64b84) — Up to date
Web Server Software Apache
MySQL Version 8.0.28
PHP Version 7.4.3
OS Ubuntu 20.04 LTS

Error Log information

[Thu Apr 07 15:10:33.498138 2022] [php7:warn] [pid 383432] [client X.X.X.X:60080] PHP Warning: session_name(): Cannot change session name when session is active in /usr/share/osticket/include/class.ostsession.php on line 34, referer: https://mysite.site.com/scp/logs.php

[Thu Apr 07 15:10:33.498172 2022] [php7:warn] [pid 383432] [client X.X.X.X:60080] PHP Warning: ini_set(): A session is active. You cannot change the session module's ini settings at this time in /usr/share/osticket/include/class.ostsession.php on line 40, referer: https://mysite.site.com/scp/logs.php

[Thu Apr 07 15:10:33.498185 2022] [php7:warn] [pid 383432] [client X.X.X.X:60080] PHP Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/share/osticket/include/class.ostsession.php on line 57, referer: https://mysite.site.com/scp/logs.php

[Thu Apr 07 15:10:33.498194 2022] [php7:warn] [pid 383432] [client X.X.X.X:60080] PHP Warning: session_set_save_handler(): Cannot change save handler when session is active in /usr/share/osticket/include/class.ostsession.php on line 82, referer: https://mysite.site.com/scp/logs.php

[INSERT INTO `ost_session` SET `session_id` = 'fb7knrkebem3lv9qc485do5qm2', `session_data` = 'csrf|a:2:{s:5:\"token\";s:40:\"3b024deeafb4cb0b25787258f480553e8324d20b\";s:4:\"time\";i:1649267368;}_auth|a:1:{s:5:\"staff\";N;}', `session_expire` = (NOW() + INTERVAL 86400 SECOND), `user_ip` = 'x.x.x.x', `user_agent` = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36']

Duplicate entry 'fb7knrkebem3lv9qc485do5qm2' for key 'ost_session.PRIMARY'

---- Backtrace ----
#0 (root)/include/mysqli.php(201): osTicket->logDBError()
#1 (root)/include/class.orm.php(3466): db_query()
#2 (root)/include/class.orm.php(658): MySqlExecutor->execute()
#3 (root)/include/class.ostsession.php(234): VerySimpleModel->save()
#4 (root)/include/class.ostsession.php(159): DbSessionBackend->update()
#5 [internal function]: SessionBackend->write()
#6 [internal function]: session_write_close()
#7 {main}

PaulFender

I would first truncate and repair the ost_session table and make sure you have a cron job set up so it can regularly clear expired sessions (among other cleanup tasks).

Cheers.
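
A simplified model of the failure as the original poster describes it (an expired row still holding the primary key when the session is written with a plain INSERT), and of how purging expired rows first avoids it. This is an added example, not osTicket code: it uses SQLite in place of MySQL, and the function names and the session id are constructed for illustration.

```python
import sqlite3

def open_store():
    """In-memory stand-in for the ost_session table (SQLite here, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE ost_session (
        session_id     TEXT PRIMARY KEY,
        session_data   TEXT,
        session_expire INTEGER)""")
    return db

def insert_session(db, sid, data, now, ttl=86400):
    """Plain INSERT, the statement shape seen in the logged query."""
    db.execute("INSERT INTO ost_session VALUES (?, ?, ?)", (sid, data, now + ttl))

def purge_expired(db, now):
    """What a scheduled cleanup does: delete rows whose expiry has passed."""
    cur = db.execute("DELETE FROM ost_session WHERE session_expire < ?", (now,))
    return cur.rowcount

def login_with_cookie(db, sid, now, cleanup_ran):
    """Return 'ok' or 'duplicate' for a browser presenting session id `sid`."""
    if cleanup_ran:
        purge_expired(db, now)
    try:
        insert_session(db, sid, "fresh", now)
        return "ok"
    except sqlite3.IntegrityError:  # SQLite's analogue of MySQL error 1062
        return "duplicate"

def demo():
    """Same stale cookie, with and without the cleanup having run."""
    results = {}
    for cleanup_ran in (False, True):
        db = open_store()
        # Constructed sample row: created at t=0, so it expires at t=86400.
        insert_session(db, "constructed-stale-id", "old", now=0)
        results[cleanup_ran] = login_with_cookie(
            db, "constructed-stale-id", now=200000, cleanup_ran=cleanup_ran)
    return results

if __name__ == "__main__":
    print(demo())
```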

I will look into/test this more. After my first truncate of the session table, the site still gave me a Valid CSRF Token Required message when I logged in along with the same error in the log.

With the truncate script running I see the session table cleared. Going back to the site (still loaded) I am redirected to a login page. If I try to log in I get the error again.

I logged in and confirmed there were sessions in the table and waited for the script to run. Script runs and clears the table.

With the site still open in the browser, I click any link and am redirected to login. This time I hit F5 and refresh the login page before logging in. This time no DB error.

Maybe a cookie is holding some old session data?
What are your thoughts?

Paul

@PaulFender

I did the following testing:

  1. My browser session/token expires
  2. I attempt to log in
  3. On login we check the token and if it's expired we rotate it
  4. The browser token is expired and produces the Valid CSRF Token Required error and redirects you to the login page with the updated token expiration
  5. I can then log in normally

I also tested:

  1. My browser session/token expires
  2. I force refresh the page to clear session/cache
  3. A new session/token is generated in the browser
  4. I can then log in normally

In your case I believe the current browser session/token did exist in the database but was truncated via script or completely expired. Now your browser sends that old session/token and when you log in the browser token does not exist in the database (or is expired) and causes the token rotation and redirect with rotated token data. I believe that this is all valid but will review with the team to get their thoughts.

I forgot to mention that I have not yet received a DB Error email or log entry so I will have to do further research on that part.

Cheers.
