PHP session based login code logging SOME users out when navigating protected pages - Hack The Tech - Latest News related to Computer and Technology

Friday, October 13, 2023

PHP session based login code logging SOME users out when navigating protected pages

The absolute worst types of site issues are those that SOMETIMES occur, or only occur for certain users. I have such a case:

Session-based protected content on my site. Users enter username/password. Code checks for a match and either grants access or shows an error message "try again, forgot password, etc."

This works, like 99.9% of time. Out of thousands of users, I have received tech reports on maybe 15, all reporting this same odd behavior:

  • User enters credentials, there is a match and they are sent to their account portal. Portal has dozens of protected pages.
  • User navigates from the account home page to another protected page, which also checks for assigned session variables before displaying protected content. If no match, displays login dialog.
  • What I am seeing reported (even seen screen recordings from some users) is that they log in successfully and click any internal link and are then shown the login screen again. Log back in, success. Click another link, login screen, etc. Even odder: for the handful, I have been able to change their password and don't experience the issue on their end. Furthermore, after resetting the password for them, the issue disappears.

To reiterate, this is occurring for a handful of users; most have the intended user experience.

Could this literally be related to the content of the password? There's no injection going on, that's not the issue.

I'm lost on these things.

Thanks, Tim



source https://stackoverflow.com/questions/77282767/php-session-based-login-code-logging-some-users-out-when-navigating-protected-pa
