PHPSESSID rejected non-HTTPS cookie - php

I'm using Apache 2.4.41 with PHP 7.4.3.
I have this script that writes a session:
<?php
// uno.php
session_start();
$_SESSION['chiave'] = 'TEST';
echo session_save_path();
?>
Due
When I click the Due link
<?php
// due.php
session_start();
print_r($_SESSION);
?>
I get that $_SESSION is empty.
session.save_path is writable and I see the session file.
I see in the Firefox debugger the message
Cookie PHPSESSID has been rejected because a non-HTTPS cookie can't be set as secure.
How can I solve this problem?
Thanks

You have two options:
Be secure: use HTTPS instead of plain HTTP.
Be insecure and tell PHP you don't care: keep using HTTP and change the session.cookie_secure option to off (which is its default value, but one that must have been changed on your server).
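As an added example (not part of the question or of this answer), here is a small session bootstrap that compares the cookie attributes PHP is about to emit with the transport the request actually arrived on, so the failure in the question is logged instead of showing up as a silently empty $_SESSION. It assumes a stock Apache/mod_php setup where $_SERVER['HTTPS'] is populated; the function names are my own.

```php
<?php
// Added example: session bootstrap that refuses to start a session whose
// cookie the browser would reject. Function names are illustrative.
declare(strict_types=1);

// True when this request arrived over TLS. If TLS is terminated by a reverse
// proxy, $_SERVER['HTTPS'] is not set; only trust X-Forwarded-Proto from a
// proxy you control (not handled here).
function requestIsHttps(array $server): bool
{
    $flag = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($flag !== '' && $flag !== 'off') {
        return true;
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

// Compare the attributes PHP will emit (session_get_cookie_params()) with the
// transport. A cookie carrying the Secure attribute but set over plain HTTP is
// dropped by the browser, so the next request carries no PHPSESSID and
// $_SESSION is empty; that is the Firefox message quoted in the question.
function sessionCookieProblems(array $server, array $cookieParams): array
{
    $problems = [];
    $https = requestIsHttps($server);
    if (!empty($cookieParams['secure']) && !$https) {
        $problems[] = 'session.cookie_secure is on but the request is plain HTTP; '
            . 'the browser will reject the session cookie. Serve the page over HTTPS.';
    }
    if (empty($cookieParams['secure']) && $https) {
        $problems[] = 'page is served over HTTPS but the session cookie lacks the Secure '
            . 'attribute; enable session.cookie_secure.';
    }
    if (empty($cookieParams['httponly'])) {
        $problems[] = 'session cookie is readable from JavaScript; enable session.cookie_httponly.';
    }
    return $problems;
}

// Preferred configuration for an HTTPS-only site, set in code so it does not
// depend on whatever php.ini the deployment ships with. Must run before
// session_start(); the array form needs PHP 7.3 or newer.
function configureSecureSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // expires with the browser session
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable through document.cookie
        'samesite' => 'Lax',
    ]);
}

// Start the session only if the configuration is consistent with the
// transport; otherwise log each problem and return false so the caller can
// fail loudly instead of debugging an empty $_SESSION.
function startSessionChecked(): bool
{
    $problems = sessionCookieProblems($_SERVER, session_get_cookie_params());
    foreach ($problems as $problem) {
        error_log('session config: ' . $problem);
    }
    if ($problems !== []) {
        return false;
    }
    return session_start();
}

// Equivalent of uno.php from the question, guarded by the check above.
if (PHP_SAPI !== 'cli') {
    configureSecureSessionCookie();
    if (startSessionChecked()) {
        $_SESSION['chiave'] = 'TEST';
        echo session_save_path();
    }
}
```

On a plain-HTTP development host the check above will refuse to start the session, which is the point: the fix is to serve the page over HTTPS, or, for a local-only setup, to leave secure off there (the answer's second option) rather than to ship a configuration that loses every session in production.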

Related

PHP session works on https but not http

I am not able to get the php session working on http. I tried the same simple test page on another domain on the server which uses https and it worked as expected. Here is the simple code I am using
session_start();
echo session_id();
When I refresh the page I get a new session_id each time.
I've set session.cookie_secure to 0 and 1 but it made no difference. I have no clue why this is not working??? Any ideas?

Rename PHP session cookie with __Secure-/__Host- prefix

I'm trying to rename my PHP session cookie from PHPSESSID to __Secure-PHPSESSID as per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Examples.
Since PHP does not offer this mechanism, I am doing it through Apache server configuration:
RequestHeader edit Cookie ^__Secure-PHPSESSID(.*)$ PHPSESSID$1
Header edit Set-Cookie ^PHPSESSID(.*)$ __Secure-PHPSESSID$1
Header edit Set-Cookie ^(.*)(?<!SameSite=Strict)(?<!SameSite=Lax)$ "$1;SameSite=Lax"
This works correctly in Firefox, Edge, and Safari, but not Chrome. On Chrome, I can see that the cookie is set with the correct name and flags but I cannot log in to my site.
Upon login, the output of var_dump($_SESSION['internal']['user_name']) is NULL on Chrome but shows the correct username on Firefox and other browsers. I can also see that the session ID is being regenerated every time I try to log in and the value is set in the __Secure-PHPSESSID cookie.
I tried removing the SameSite flag (line 3 above) and it still does not work.
Any ideas?
PHP does indeed offer this mechanism. You can change it in php.ini. Just set this and restart the site:
session.name = __SECURE-PHPSESSID
To confirm it's right, restart your browser to clear previous session cookies.
As for Chrome not letting you log in, this page may give you some clues (see "Option Secure" and "Prefixes" sections): https://www.mon-code.net/post/108/Secure-cookie-of-you-web-application-with-PHP-or-Symfony
They are not well known, but supported by all browsers except those of Microsoft. With prefixes, it's possible to force the browser to not accept a cookie if it's misconfigured. There are two prefixes "__Secure-" and "__Host-".
__Secure- forces the developer to add the secure flag to his cookie, otherwise it will be ignored by the browser.
setcookie('__Secure-user_id', 10, 0, '/', 'orion.dev', true);
__Host- is more restrictive, cookie must have the secure flag but also path to root and blank domain.
setcookie('__Host-user_id', 10, 0, '/', '', true);
I'm not familiar with Cookie Prefixes but PHP should support it out of the box:
<?php
session_name('__Secure-PHPSESSID');
session_start();
You can actually achieve it using PHP, by changing the session.name parameter. You can do it:
using session_name() in your PHP script
in .htaccess file
directly into CPanel table that shows PHP options (if you run CPanel)
Examples:
<?php
// Example way 1: in the PHP script, before session_start()
session_name('__Secure-PHPSESSID');
session_start();

# Example way 2: in .htaccess (mod_php), applied to every script in that directory
php_value session.name "__Secure-PHPSESSID"
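As an added example (not from the question or any of the answers in this thread), the following checks a session cookie name and its attributes against the __Secure- and __Host- prefix rules quoted above before they are handed to session_name() and session_set_cookie_params(), so a cookie the browser would silently discard is reported at configuration time. The function names and the constructed parameter sets are my own.

```php
<?php
// Added example: validates a session cookie name/attribute combination
// against the __Secure- / __Host- prefix rules. Function names are
// illustrative.
declare(strict_types=1);

// Returns the rule violations for the given name and attributes; an empty
// array means a prefix-aware browser will accept the cookie. Prefixes are
// matched case-insensitively here so that spellings such as
// __SECURE-PHPSESSID (used in one answer above) are held to the same rules.
function cookiePrefixViolations(string $name, array $params): array
{
    $violations = [];
    $lower = strtolower($name);
    $securePrefix = strncmp($lower, '__secure-', 9) === 0;
    $hostPrefix = strncmp($lower, '__host-', 7) === 0;

    if (($securePrefix || $hostPrefix) && empty($params['secure'])) {
        $violations[] = "$name: prefixed cookies must carry the Secure attribute";
    }
    if ($hostPrefix) {
        if (($params['path'] ?? '/') !== '/') {
            $violations[] = "$name: __Host- cookies must use path=/";
        }
        if (($params['domain'] ?? '') !== '') {
            $violations[] = "$name: __Host- cookies must not set a Domain attribute";
        }
    }
    // PHP itself refuses a few characters in session names; report them here
    // instead of as a runtime warning from session_name().
    if (strpbrk($name, "=,; \t\r\n\013\014") !== false) {
        $violations[] = "$name: contains a character PHP does not allow in session.name";
    }
    return $violations;
}

// Apply the configuration only when it is valid. Both calls must happen
// before session_start(); the array form of session_set_cookie_params()
// needs PHP 7.3 or newer.
function configurePrefixedSession(string $name, array $params): array
{
    $violations = cookiePrefixViolations($name, $params);
    if ($violations === []) {
        session_name($name);
        session_set_cookie_params($params);
    }
    return $violations;
}

// Constructed inputs: a valid __Host- configuration and one that breaks
// all three __Host- requirements.
$hostParams = [
    'lifetime' => 0, 'path' => '/', 'domain' => '',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
];
$badParams = [
    'lifetime' => 0, 'path' => '/app', 'domain' => 'example.test',
    'secure' => false, 'httponly' => true, 'samesite' => 'Lax',
];

print_r(cookiePrefixViolations('__Host-PHPSESSID', $hostParams));
print_r(cookiePrefixViolations('__Host-PHPSESSID', $badParams));

if (PHP_SAPI !== 'cli' && configurePrefixedSession('__Host-PHPSESSID', $hostParams) === []) {
    session_start();
}
```

Doing the rename in PHP rather than with the Apache header rewrites from the question keeps PHP's own view of the cookie name in step with what the browser stores, which is the mismatch the Chrome symptom points at.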

Is session.cookie_secure in php.ini automatic?

Simple answer requested:
If I put
session.cookie_httponly=On
session.cookie_secure=On
in the php.ini file for my website, will that automatically turn all the php cookies to secure and httponly, or will I still need to put in true, true into parameter slots 6 and 7 in the cookie itself?
The answer is yes. Setting this in php.ini is enough (however, I only saw "True" as the setting used instead of "On").
Session Cookie without HttpOnly flag set
https://www.owasp.org/index.php/HttpOnly#Using_PHP_to_set_HttpOnly
You can verify this by setting these values, restarting your webserver and accessing your site with a browser, e.g. Firefox. Then open "site information", and choose "security" tab and click on cookies. There you can see if it's marked as secure.

phpsessid in cookie over https

In my local WAMP server, when I call session_start() the session ID is set in the cookie as follows, and var_dump($_COOKIE) gives the following.
array
'PHPSESSID' => string 'qg8nrlpdtgb391386lhghgv727' (length=26)
So when I call session_start() again, my previous session is resumed.
But when I deployed the same code to my web server, the PHPSESSID is not being set in the cookie. So as a result, every time I call session_start(), a new session is created instead of resuming the previous session.
Can anyone please tell me a possible cause of the problem? Do we have to explicitly set the PHPSESSID in the cookie?
Also, in my local (WAMP) setup I don't have HTTPS, but the web server where I pushed the code is HTTPS. Is this a problem?
I am stuck with this for almost 3 days now.
Thanks in advance.
Kanna
Looks like session handling is configured differently on this webserver. You should compare the values set in the php.ini file under the session-section.
Especially:
Is session.use_cookies set to 1?
Does session.save_path point to a valid directory where the webserver user has write permission?
See here for a full list of session-settings:
http://de3.php.net/manual/de/session.configuration.php
I had called session_start() immediately after the HTML <head> tag. This was the problem. When I moved the session_start() call before the HTML head tag, the problem was solved.
Thanks everyone for your help.
Kanna

Different session ID every time session_start is executed

I have the following source code
session1.php
<?php
session_start();
echo session_id();
?>
session2.php
<?php
session_start();
echo session_id();
?>
When I access session1.php and then access session2.php, I get a different output.
Why is it doing this?
The browser is not sending the session cookie back to the server. There are two possible reasons for this.
The browser is configured not to send cookies to the server. You cannot force the browser to send cookies. In this case your only option is to pass the session identifier in the URL, although this is generally not a good idea.
The server is configured not to use cookies for the session identifier (by means of the session.use_cookies configuration option).
Try storing your session cookies in the database rather than on the server. This saved me heaps of time out and other session cookie problems especially if you are on a shared server.
This might help: http://www.raditha.com/php/session.php.
Good Luck
A rare edge case, but I found that having a dot in the session name of php.ini caused this problem!!
session.name = THIS.DOESNTWORK
If you're running under *nix, try setting session.save_path to /tmp. If that doesn't work, look in your browser's cookie cache to see if the cookie is indeed being saved by the browser.
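As an added example (not from any of the answers in this thread or in the WAMP thread above), here is a diagnostic for the "new session ID on every request" symptom that checks the causes those answers list: session_start() called after output has begun, session.use_cookies off, a dot in session.name, an unwritable session.save_path, and the cookie simply not arriving with the request. The function names and the constructed sample observation are my own.

```php
<?php
// Added example: diagnostic for sessions that do not persist between
// requests. Function names are illustrative.
declare(strict_types=1);

// Pure check over observed facts, so it can run against captured values as
// well as the live request. Expected keys: name, cookies, use_cookies,
// save_path, headers_sent, headers_sent_at.
function sessionPersistenceProblems(array $obs): array
{
    $problems = [];
    $name = $obs['name'];

    if ($obs['headers_sent']) {
        // Any output (a newline before <?php, an HTML <head>) flushes the
        // response headers, so the Set-Cookie for the session is never sent.
        $problems[] = 'session_start() ran after output began at ' . $obs['headers_sent_at']
            . '; move it before any output.';
    }
    if (!$obs['use_cookies']) {
        $problems[] = 'session.use_cookies is off; the ID is never stored in a cookie.';
    }
    if (strpos($name, '.') !== false) {
        // PHP registers cookie names in $_COOKIE with '.' replaced by '_'
        // (the same rule as $_GET), so a dotted session name is never matched.
        $problems[] = "session.name '$name' contains a dot and cannot be read back from \$_COOKIE.";
    }
    if (!is_dir($obs['save_path']) || !is_writable($obs['save_path'])) {
        $problems[] = 'session.save_path ' . $obs['save_path']
            . ' is missing or not writable by the web server user.';
    }
    if (!array_key_exists($name, $obs['cookies'])) {
        $problems[] = "no '$name' cookie arrived with this request; the browser did not "
            . 'send it back (blocked, rejected, or never set).';
    }
    return $problems;
}

// Gather the live values for the current request. Run it on the page that
// misbehaves, in place of or right after its session_start().
function observeSession(): array
{
    $file = null;
    $line = null;
    $sent = headers_sent($file, $line);
    $savePath = session_save_path();
    return [
        'name'            => session_name(),
        'cookies'         => $_COOKIE,
        'use_cookies'     => ini_get('session.use_cookies') === '1',
        // PHP falls back to the system temp dir when save_path is empty.
        'save_path'       => $savePath !== '' ? $savePath : sys_get_temp_dir(),
        'headers_sent'    => $sent,
        'headers_sent_at' => $sent ? "$file:$line" : null,
    ];
}

// Constructed observation reproducing the WAMP thread above: session_start()
// called after the HTML head was already written, so no cookie came back.
$sample = [
    'name'            => 'PHPSESSID',
    'cookies'         => [],
    'use_cookies'     => true,
    'save_path'       => sys_get_temp_dir(),
    'headers_sent'    => true,
    'headers_sent_at' => '/var/www/index.php:3',
];
foreach (sessionPersistenceProblems($sample) as $problem) {
    echo $problem, PHP_EOL;
}

if (PHP_SAPI !== 'cli') {
    foreach (sessionPersistenceProblems(observeSession()) as $problem) {
        error_log('session: ' . $problem);
    }
}
```

Logging the result rather than echoing it keeps the diagnostic usable on a production host, where the symptom usually appears first.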
