Session size of 276672 exceeded allowed session max size of 256000 - but in Magento 2.4.3 backend

[groomershop-mt]

UPDATE: as per discussion, we agreed that is ok to have a low limit for session size to prevent DDOS attacks, value can be changed via the admin panel if needed.
Another problem that should be addressed is - suppressed problem, without any error notification to the user and solution for the issue should be provided.

After upgrading to Magento 2.4.3, when we log into backend (admin panel), everypage hangs/is loading about 30 seconds.

In logs we see exceptions:
Session size of 276672 exceeded allowed session max size of 256000.

We are ursing Redis for sessions.

Does anybody else have similar issue after upgrading to Magento 2.4.3?

From redis-cli monitor we see that in each second is repeated:
1628681344.757076 [3 127.0.0.1:34310] "hincrby" "sess_1g2sgh25saul85a424puad785d" "lock" "1"

Steps to reproduce (*)

Upgrade Magento 2.4.2-p1 to 2.4.3
Configured Magento to use Redis for session storage
Stores -> Configuration -> Advanced -> System -> Security - Max Session Size in Admin and Max Session Size in Storefront set to 100 and Saved
Navigate to any page from Admin -

Expected result (*)

It should not break/impact any store functionality

Actual result (*)

Page load time is increased to more than 30 sec

[m2-assistant]

Hi @groomershop-mt. Thank you for your report.
To help us process this issue please make sure that you provided the following information:

• Summary of the issue
• Information on your environment
• Steps to reproduce
• Expected and actual results

Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, please, review the Magento Contributor Assistant documentation.

Please, add a comment to assign the issue: @magento I am working on this

---

• Join Magento Community Engineering Slack and ask your questions in #github channel.

⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

🕙 You can find the schedule on the Magento Community Calendar page.

📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket.

🎥 You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel

✏️ Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

[jorgb90]

Confirmed! Exact same issue here after upgrade to Magento 2.4.3! We are also using Redis for sessions.

[groomershop-mt]

From https://devdocs.magento.com/guides/v2.4/release-notes/backward-incompatible-changes/reference.html
We have found that a field/setting e.g. system/security/max_session_size_admin has been added.
It's default value is 256000. After increasing it, the problem is solved.

Now the sesssion record is being saved - it has size over 256000. We have check this record and there is a lot of date with privileges settings - we have quite a lot of extensions installed, so there is more privileges, then in clear Magento setup.

[groomershop-mt]

Our suggestion is to increase the default value for system/security/max_session_size_admin to 512000 (or minimalize the the permissions entries in session record). The same problem occur, when we change session storage to files.

[jorgb90]

Yes thats it. Why not set it as "0" to disable it? What can go wrong?

[ghost]

Hello,

Same issue,

I have edit:

/vendor/magento/module-security/etc/config.xml

....


<max_session_size_admin>512000</max_session_size_admin>
<max_session_size_storefront>512000</max_session_size_storefront>


....

[in-session]

Had this morning also the same problem, the value should be set in any case high or to 0

[ghost]

You can also change this in your /app/etc/env.php for avoid lock issues:

'disable_locking' => '0', to 'disable_locking' => '1' in your redis session settings section

[timpea]

Same problem here, when trying to create an order in the admin, could add the 1st product fine, adding any additional products to the order would cause it to hang. @achatpc fix for session size worked perfectly.

[mrtuvn]

Look i got same behavior but still got admin work. But sometimes loaders seem load longer than usual
Setup redis session and cache frontend as default. All caches enabled in developer mode

preconditions
bin/magento config:set web/secure/offloader_header X-Forwarded-Proto
bin/magento config:set web/secure/use_in_frontend 1
bin/magento config:set web/secure/use_in_adminhtml 1
bin/magento config:set web/seo/use_rewrites 1

'session' => [
        'save' => 'redis',
        'redis' => [
            'host' => 'redis',
            'port' => '6379',
            'password' => '',
            'timeout' => '2.5',
            'persistent_identifier' => '',
            'database' => '2',
            'compression_threshold' => '2048',
            'compression_library' => 'gzip',
            'log_level' => '3',
            'max_concurrency' => '20',
            'break_after_frontend' => '5',
            'break_after_adminhtml' => '30',
            'first_lifetime' => '600',
            'bot_first_lifetime' => '60',
            'bot_lifetime' => '7200',
            'disable_locking' => '0',
            'min_lifetime' => '60',
            'max_lifetime' => '2592000',
            'sentinel_master' => '',
            'sentinel_servers' => '',
            'sentinel_connect_retries' => '5',
            'sentinel_verify_master' => '0'
        ]
    ],
   'cache' => [
        'frontend' => [
            'default' => [
                'id_prefix' => '69d_',
                'backend' => 'Magento\\Framework\\Cache\\Backend\\Redis',
                'backend_options' => [
                    'server' => 'redis',
                    'database' => '0',
                    'port' => '6379',
                    'password' => '',
                    'compress_data' => '1',
                    'compression_lib' => 'gzip',
                    'persistent' => '',
                    'force_standalone' => '0',
                    'connect_retries' => '1',
                    'read_timeout' => '10',
                    'automatic_cleaning_factor' => '0',
                    'compress_tags' => '1',
                    'compress_threshold' => '20480',
                    'preload_keys' => [
                        '69d_EAV_ENTITY_TYPES',
                        '69d_GLOBAL_PLUGIN_LIST',
                        '69d_DB_IS_UP_TO_DATE',
                        '69d_SYSTEM_DEFAULT'
                    ]
                ]
            ],
            'page_cache' => [
                'id_prefix' => '69d_',
                'backend' => 'Magento\\Framework\\Cache\\Backend\\Redis',
                'backend_options' => [
                    'server' => 'redis',
                    'database' => '1',
                    'port' => '6379',
                    'password' => '',
                    'compress_data' => '0',
                    'compression_lib' => ''
                ]
            ]
        ],
        'allow_parallel_generation' => false
    ],

Updated to 2.4.3
then set max_session_size_admin to 1000

Log show
[2021-08-12 16:02:54] main.WARNING: Session size of 87533 exceeded allowed session max size of 1000. [] []

Tempor workaround:
set config to 0

bin/magento config:set system/security/max_session_size_admin 0
bin/magento config:set system/security/max_session_size_storefront 0

Or config session in app/etc/env.php
['session']['redis']['disable_locking'] = '1'

[mrtuvn]

Look likes updates in this commit
c2a591c => Landed to 2.4.3
But not available in 2.4-develop yet

[n2diving-dgx]

Upon upgrading from 2.3.7 to 2.4.3 I was unable to complete an admin login, the MFA would succeed and then loop back to asking for the MFA again. Chased this for hours thinking it was a MFA issue. Simply disabling Two Factor Authentication would allow a successful login and all looked good. The looping on MFA was apparently related to the session limit issue. The default value for 'session limit' was 256000 and needs to be much larger at least for our installation. Increased to 512000, which resolved the issue.

[marvinhinz]

Having the same issue after upgrading to 2.4.3

[mrtuvn]

Yes problem still exist but curiously if we put value to something does magento will got session size go beyond of that ??

[marvinhinz]

@mrtuvn it seems its the write call is only executed when the size is not exceeded yet or the max size is null.

magento2/lib/internal/Magento/Framework/Session/SaveHandler.php

Line 130 in c2a591c

return $this->callSafely('write', $sessionId, $this->read($sessionId));

If the max size is exceeded, the current session data is retrieved and saved again, this seems to create a loop thats constantly locking the session handler. @michaelyu0123 can you maybe explain the idea / intended behaviour behind this?

[michaelyu0123]

@marvinhinz It is as you said, the original intention was just to set the session content to what is already stored.
@groomershop-mt, could you please provide the steps to reproduce this issue? Thank you.

[marvinhinz]

@michaelyu0123 wouldnt it be sufficent to just discard the "to-be-saved" data and throw an exception when the limit is reached?

[michaelyu0123]

@marvinhinz, that is something that will be looked into. Thanks.

[aaronsilber]

We are experiencing what look to be very similar symptoms to the bug described here, but on Magento 2.3.7-p1. It looks like the changes to SaveHandler.php are also present in this security-only release.

[pmonosolo]

My issue was showing up as a different error:
A technical problem with the server created an error. Try again to continue what you were doing. If the problem persists, try again later.

^^^ this would pop up on every admin page.

The URL that was failing:
http://magento.test/admin/mui/index/render/key/479b831574442521ca469efdc376886fde3c57d23eebbaced4a6a7f65a44bf10/?namespace=notification_area&sorting[field]=created_at&sorting[direction]=asc&isAjax=true

^^^ looks like it was some kind of notification area Ajax update. Notification area where "indexers are invalid" shows up was not there so, no data was coming through.

The response to the error was:

UI component could not be rendered because of system exception
error code: "0"

In exception logs, I was getting:
[2021-08-13 22:48:42] main.CRITICAL: Unable to unserialize value. {"exception":"[object] (InvalidArgumentException(code: 0): Unable to unserialize value. at /var/www/php/vendor/magento/framework/Serialize/Serializer/Serialize.php:35)"} []

Security session setting to 512000 did not work. Only after I set it to 0 it worked.

UPDATE:

Setting 'disable_locking' => '0', to 'disable_locking' => '1' also worked. I just added the maximum allowed size in env.php - 'max_lifetime' => '2592000'

[github-jira-sync-bot]

Unfortunately, not enough information was provided to create a Jira ticket. Please make sure you added the following label(s): Reproduced on 2.4.x, ^Area:.*

Once all required labels are present, please add Issue: Confirmed label again.

[github-jira-sync-bot]

❌ Cannot export the issue. This GitHub issue is already linked to Jira issue(s): https://jira.corp.magento.com/browse/AC-1170

[drew7721]

Hello,

Just want to report that this is also happening in version 2.3.7-p2

It would be nice to mention this in the release notes as currently there is no mention at the moment.

[ihor-sviziev]

@sidolov @sivaschenko why this issue was closed without any comments?

[hostep]

It's probably because of AC-1170 Session size of 276672 exceeded allowed session max size of 256000 which got merged an hour ago.

It would also be very nice if an answer could come to this question I posted yesterday.

[mrtuvn]

Now how we deal with this. Tested in latest code base. Seem admin no longer able to login from my instance
Any miss config ?

[evs-xsarus]

@mrtuvn that seems to be fixable by setting the frontend max session size because of this check: https://github.com/magento/magento2/blob/2.4-develop/lib/internal/Magento/Framework/Session/SaveHandler.php#L133

./bin/magento config:set system/security/max_session_size_admin 1048576
./bin/magento config:set system/security/max_session_size_storefront 1048576

Replace 1048576 with a size you that suits you.

[luancschmitz]

Upon upgrading from 2.3.7 to 2.4.3 I was unable to complete an admin login, the MFA would succeed and then loop back to asking for the MFA again. Chased this for hours thinking it was a MFA issue. Simply disabling Two Factor Authentication would allow a successful login and all looked good. The looping on MFA was apparently related to the session limit issue. The default value for 'session limit' was 256000 and needs to be much larger at least for our installation. Increased to 512000, which resolved the issue.

thanks @n2diving-dgx this solved my problem.