Why does the PHPSESSID in the cookie change after refreshing the page? - php

I found that session_start() changed the PHPSESSID in the cookie, because without it, the PHPSESSID in the cookie will not change.
But the expected result should be that after refreshing the page, session_start() will not change the PHPSESSID in the cookie, and I got the correct result when deploying the same code file to another server.
Another point that confuses me is that on the server in question, the value of PHPSESSID in the set-cookie value of the response header every time the page is refreshed is an unchanged, correct value.
I find that if I set session.auto_start = 1 then the problem is solved. However, I need to call session_save_path() before session_start() so that sessions won't be saved in the tmp directory. I don't know why, when I call session_start() manually, the error occurs on this server but it works fine on other servers.

Related

Rename PHP session cookie with __Secure-/__Host- prefix

I'm trying to rename my PHP session cookie from PHPSESSID to __Secure-PHPSESSID as per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Examples.
Since PHP does not offer this mechanism, I am doing it through Apache server configuration:
RequestHeader edit Cookie ^__Secure-PHPSESSID(.*)$ PHPSESSID$1
Header edit Set-Cookie ^PHPSESSID(.*)$ __Secure-PHPSESSID$1
Header edit Set-Cookie ^(.*)(?<!SameSite=Strict)(?<!SameSite=Lax)$ "$1;SameSite=Lax"
This works correctly in Firefox, Edge, and Safari, but not Chrome. On Chrome, I can see that the cookie is set with the correct name and flags but I cannot log in to my site.
Upon login, the output of var_dump($_SESSION['internal']['user_name']) is NULL on Chrome but shows the correct username on Firefox and other browsers. I can also see that the session ID is being regenerated every time I try to log in and the value is set in the __Secure-PHPSESSID cookie.
I tried removing the SameSite flag (line 3 above) and it still does not work.
Any ideas?
PHP does indeed offer this mechanism. You can change it in php.ini. Just set this and restart the site:
session.name = __SECURE-PHPSESSID
To confirm it's right, restart your browser to clear previous session cookies.
As for Chrome not letting you log in, this page may give you some clues (see "Option Secure" and "Prefixes" sections): https://www.mon-code.net/post/108/Secure-cookie-of-you-web-application-with-PHP-or-Symfony
They are not well known, but supported by all browsers except those of Microsoft. With prefixes, it's possible to force the browser to not accept a cookie if it's misconfigured. There are two prefixes "__Secure-" and "__Host-".
__Secure- forces the developer to add the secure flag to his cookie, otherwise it will be ignored by the browser.
setcookie('__Secure-user_id', 10, 0, '/', 'orion.dev', true);
__Host- is more restrictive, cookie must have the secure flag but also path to root and blank domain.
setcookie('__Host-user_id', 10, 0, '/', '', true);
I'm not familiar with Cookie Prefixes but PHP should support it out of the box:
<?php
session_name('__Secure-PHPSESSID');
session_start();
You can actually achieve it using PHP, changing session.name parameter. You can do it:
using session_name() in your PHP script
in .htaccess file
directly into CPanel table that shows PHP options (if you run CPanel)
Examples:
// Example way 1: in the PHP script, before session_start()
session_name('__Secure-PHPSESSID');
session_start();
// Example way 2: in .htaccess
php_value session.name "__Secure-PHPSESSID"
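The answers above set the name natively; the following is an added example (not code from the question or any answer) showing the full PHP-side configuration for a prefixed session cookie. It goes beyond the thread by covering both prefixes: a browser that implements cookie prefixes silently drops a `__Secure-` cookie without the Secure attribute, and a `__Host-` cookie without Secure, Path=/ and an empty Domain, which is exactly what a "logged in, but $_SESSION is empty on the next request" symptom looks like. It assumes PHP 7.3 or later (array form of session_set_cookie_params()) and an HTTPS request.

```php
<?php
// Added example, not code from any answer above. Configures the PHP session
// cookie natively with a cookie prefix instead of rewriting headers in Apache.
// Assumptions: PHP >= 7.3 (array form of session_set_cookie_params), HTTPS.
declare(strict_types=1);

/**
 * Start a session whose cookie carries a __Host- or __Secure- prefix.
 * Must run before any output and before session_start().
 */
function start_prefixed_session(string $prefix = '__Host-'): void
{
    if (!in_array($prefix, ['__Host-', '__Secure-'], true)) {
        throw new InvalidArgumentException('Unknown cookie prefix: ' . $prefix);
    }
    // Both prefixes require Secure, so refuse to run over plain HTTP rather
    // than issuing a cookie the browser will never send back.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        throw new RuntimeException('Prefixed session cookies require HTTPS');
    }

    $params = [
        'lifetime' => 0,      // session cookie: discarded when the browser closes
        'path'     => '/',    // __Host- requires Path=/
        'domain'   => '',     // __Host- requires no Domain attribute
        'secure'   => true,   // required by both prefixes
        'httponly' => true,   // keep the ID out of document.cookie
        'samesite' => 'Lax',
    ];

    session_name($prefix . 'PHPSESSID');
    session_set_cookie_params($params);
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    session_start();
}

/** After a successful login, swap the ID so a pre-login ID cannot be reused. */
function mark_logged_in(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['internal']['user_name'] = $user;
}

start_prefixed_session('__Host-');
```

With this in place the Apache `RequestHeader`/`Header edit` rules from the question are unnecessary, and the cookie attributes the prefix depends on are set in the same place as the name, so they cannot drift apart.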

Do I need to use session_start() in PHP to use $_SESSION?

I heard my friend say that I don't have to use session_start() to use $_SESSION in PHP? Is that true? If yes, how do I make it work? If I remove session_start() from my code, I can no longer get $_SESSION to work.
Yes, it is possible not to have session_start() calls on top of every page when you want to work with sessions. That's the job of session autostart. If you set your session to auto start you can avoid those calls, otherwise you must.
session.auto_start boolean
session.auto_start specifies whether the session module starts a session automatically on request startup. Defaults to 0 (disabled).
So if you set session.auto_start to 1 in your PHP configuration, you won't need to start the session manually.
Manual
P.S: It is working fine for your friend and not for you because he/she has enabled session.auto_start and you haven't touched it and by default it is disabled.

phpsessid in cookie over https

In my local WAMP server, when I call session_start() the session ID is set in the cookie as follows, and var_dump($_COOKIE) gives the following.
array
'PHPSESSID' => string 'qg8nrlpdtgb391386lhghgv727' (length=26)
So when I call session_start() again, my previous session is resumed.
But when I deployed the same code to my web server, the PHPSESSID is not being set in the cookie. So as a result, every time I call session_start(), a new session is getting created instead of resuming the previous session.
Can anyone please tell me a possible cause of the problem? Do we have to explicitly set the PHPSESSID in the cookie?
Also, on my local (WAMP) server I don't have HTTPS, but the web server where I pushed the code is HTTPS. Is this a problem?
I am stuck with this for almost 3 days now.
Thanks in advance.
Kanna
Looks like session handling is configured differently on this webserver. You should compare the values set in the php.ini file under the session-section.
Especially:
Is session.use_cookies set to 1?
Does session.save_path point to a valid directory where the webserver user has write permission?
See here for a full list of session-settings:
http://de3.php.net/manual/de/session.configuration.php
I had called session_start() immediately after the HTML <head> tag. This was the problem. When I moved the session_start() call before the HTML head tag, the problem was solved.
Thanks everyone for your help.
Kanna
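The cause found here (output sent before session_start(), so the Set-Cookie header is lost) and the one suspected in the first question on this page (a save path that PHP cannot use) both show up as a fresh session ID on every request. The following added diagnostic page is not code from either question or their answers; it runs the checks the answer above lists before starting the session, and compares the ID the browser sent with the ID PHP ended up using. It assumes a private session directory at the placeholder path /var/lib/myapp/sessions.

```php
<?php
// Added example, not code from the question or its answers. Diagnostic page
// for the "new PHPSESSID on every request" symptom. Assumed: a private
// session directory (placeholder path below) owned by the web server user.
declare(strict_types=1);

const SESSION_DIR = '/var/lib/myapp/sessions'; // placeholder; keep it outside /tmp

/** Return the problems that would stop a session from surviving a refresh. */
function session_preflight(string $dir): array
{
    $problems = [];
    if (headers_sent($file, $line)) {
        // Output before session_start() means the Set-Cookie header is lost.
        $problems[] = "output already started at $file:$line";
    }
    if (!is_dir($dir) || !is_writable($dir)) {
        $problems[] = "save path $dir is missing or not writable by the PHP process";
    }
    if (!filter_var(ini_get('session.use_cookies'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'session.use_cookies is disabled';
    }
    // A Secure cookie is never sent back over plain HTTP.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN) && !$https) {
        $problems[] = 'session.cookie_secure is on but this request is not HTTPS';
    }
    return $problems;
}

$problems = session_preflight(SESSION_DIR);
if ($problems === []) {
    // Order matters: the save path must be set before the session is started.
    session_save_path(SESSION_DIR);
    ini_set('session.use_strict_mode', '1'); // an unknown ID gets a new session, never a resume
    session_start();
}

header('Content-Type: text/plain');
$received = $_COOKIE[session_name()] ?? null;
$current  = session_id();
echo "cookie received: ", $received ?? '(none)', "\n";
echo "session id now:  ", $current !== '' ? $current : '(no session)', "\n";
foreach ($problems as $p) {
    echo "problem: $p\n";
}
if ($received !== null && $received !== $current) {
    // The browser sent an ID but PHP did not resume it: the file was not found
    // under save_path (wrong directory, garbage-collected, or, with strict
    // mode, an ID this server never issued).
    echo "warning: sent ID was not resumed (check save_path and gc_maxlifetime)\n";
}
```

Load the page twice: on a healthy server the second request prints the same value for "cookie received" and "session id now", and no problem lines. If "cookie received" stays "(none)", the browser never stored the cookie (look at the response headers and the cookie flags); if it is present but differs from the current ID, the server side discarded the session.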

PHP session variables not being maintained

I have an application that has been working with session variables no problem. I start the session before the headers on every page that uses them; it has been fine, then all of a sudden I'm getting an undefined index error when I navigate to a page other than the one that sets up the session variables. But only on some browsers. Sometimes sessions are maintained and sometimes they aren't.
It seems that cookies aren't being stored some of the time. I've done checks using different browsers and sometimes cookies are stored and sometimes not.
I did an experiment. I was using Firefox to use the app and I was keeping an eye on the tmp folder where the sessions are stored. I cleaned it out. Using Firefox I started using the app, using all the pages that sessions were in use on, and at the end I checked the tmp folder and it had one session file in there.
Did the exact same with Internet Explorer and there are now 7 different session files.
I'm using PHP 5.3.0 with the WAMP stack. Apache 2.2.11. Session support is enabled in my phpinfo().
I call a var dump on the first page and it prints out the session data. On any subsequent pages the session variable is empty.
<?php var_dump($_SESSION); ?>
array(0){}
Can anyone help me figure out a solution to this?
UPDATE - PHP INI SESSION settings
Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain 82.68.26.169 82.68.26.169
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 5 5
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path c:/wamp/tmp c:/wamp/tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies On On
session.use_trans_sid 0 0
UPDATE - Solution
Because my app was using iframes pulling in pages from another domain (which I created), the cookies I was trying to set were being blocked. Setting up a P3P header seems to have solved the problem!
My suggestion from your previous question still stands: please compare session ids.
The solution might be as simple as your browser not accepting session cookies.
You retrieve the session ID by calling session_id(). Do that right after session_start(); it should give you a constant value if the session is the same. Otherwise a new session is instantiated for every request.
Also check C:\wamp\tmp. A gazillion files in this directory might indicate fresh sessions for each request.
EDIT Since we've confirmed new sessions per request, it's time to find out whether session cookies are accepted. Check the settings of your browser and confirm that a cookie for your domain (I guess it's "localhost") with the name PHPSESSID can be found.
Do you call session_start() on every page that accesses session data?
Edit: And do you receive the same session ID every time?
Also, could there be some error or warning you're missing (e.g. headers already sent) due to settings?
What is the sense in
while( $row = sqlsrv_fetch_array( $stmt, SQLSRV_FETCH_ASSOC))
{
$_SESSION['saveddata'] = $row;
}
It rewrites the $_SESSION['saveddata'] value on each iteration. Maybe you meant something like
$_SESSION['saveddata'][] = $row;
It makes sense for $atid = $_SESSION['saveddata']['autotaskid'];
Review your session settings. You have a full list with:
<?php
phpinfo();
?>
Scroll down to the "Session" table.
Particularly, make sure that the session.save_path directory exists and is writable.
When a new session ID is created with each request, most likely it is an issue with your session paths (save_path and cookie_path) and chances of this happening are greater if you're hosting different applications on one server (shared hosting) and some of these applications also implement sessions.
This results in conflicts in your /tmp directory.
You could change the config of your ini file, but it's best to configure these parameters during runtime.
session_set_cookie_params(0, "/app", ".domain.com");//set session cookie parameters
session_save_path("/home/../public_html/app/sess");//set directory of this app's session data
session_start();//start session
I hope that helps everyone having this issue. #CodeOn
I solved this problem on my local WAMP by clearing out the \tmp directory of old sessions.
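The answer that sets the cookie path and save path at runtime is the one worth carrying further on shared hosting: a session file in a shared /tmp is exposed to every other account on the box, and two applications on one hostname that both use the name PHPSESSID overwrite each other's cookie. The following added example (not code from any answer in this thread) gives one application its own cookie name, cookie path and private save directory; the application name and paths are placeholders.

```php
<?php
// Added example, not from any answer above. Isolates one application's
// sessions from other applications and other tenants on a shared host:
// its own cookie name, its own cookie path, its own save directory.
// Paths and the application name are placeholders.
declare(strict_types=1);

function start_isolated_session(string $appName, string $cookiePath, string $saveDir): void
{
    // Create the directory with mode 0700 so other accounts cannot read the
    // session files (they contain whatever the app stores in $_SESSION).
    if (!is_dir($saveDir) && !mkdir($saveDir, 0700, true) && !is_dir($saveDir)) {
        throw new RuntimeException("cannot create $saveDir");
    }
    if (!is_writable($saveDir)) {
        throw new RuntimeException("$saveDir is not writable by the PHP process");
    }
    // Both calls must precede session_start().
    session_save_path($saveDir);
    // A distinct cookie name keeps this app's cookie from colliding with
    // another app's PHPSESSID on the same hostname.
    session_name($appName . '_SID');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => $cookiePath,   // only sent for this app's URLs
        'domain'   => '',            // host-only cookie, not shared with subdomains
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// Placeholder values: the app lives under /app and keeps sessions in a
// directory next to, not inside, the document root.
start_isolated_session('myapp', '/app', __DIR__ . '/../sess');
```

Keeping the save directory outside public_html matters as much as the mode bits: a session directory inside the web root can be served as static files by a misconfigured server.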

Change the expiry time of PHPSESSID Cookie

I have been at this for a day now, but nothing seems to be working.
What I want to do: change the expiry time of the session cookie PHPSESSID when a particular checkbox is checked. How do I do this?
I have tried:
ini_set()
session_set_cookie_params()
setcookie()
but nothing works. Can someone please please help me here?
Thanks
To specify the session lifetime, server side, either apply the following command
ini_set('session.gc_maxlifetime', 30*60); // expires in 30 minutes
or set it in your php.ini file.
To set the session cookie lifetime, client side, either leave it as it is (0, will die when the browser is closed), or
ini_set('session.cookie_lifetime', 30*60); // 30 minutes
or in the php.ini.
If you choose to use ini_set(), be sure to place the commands before session_start() is called.
Note that the ini_set function sets configuration option(s) during the script execution time only.
Regarding the checkbox and having a dynamic setting of the session lifetime, you could
use APC to store a setting shared by all PHP processes, that will last until the PHP server is down
write a value in a file somewhere that you load at the start of scripts (expensive) and set the value
(each script will have to ini_set() once before session_start())
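The answer's two ingredients (gc_maxlifetime for the server side, cookie_lifetime for the browser side, both set before session_start()) can be tied to a checkbox without a shared APC value or a settings file, because PHP only sends the session cookie when a session is created or its ID is regenerated: choosing the lifetime on the login request and then calling session_regenerate_id() is enough for the browser to keep that expiry. The following added example (not code from the question or the answer) does that, and also stores the deadline in $_SESSION so the server enforces it rather than trusting the cookie's expiry alone. It assumes PHP 7.3 or later, a POST login form with a "remember" checkbox, and a private save path at the placeholder /var/lib/myapp/sessions.

```php
<?php
// Added example, not from the question or the answer above. A "keep me signed
// in" checkbox chooses the session cookie lifetime; the same limit is stored
// server side. Assumed: PHP >= 7.3, a POST login form with fields "action",
// "user" and "remember", a private save path (placeholder) so that changing
// gc_maxlifetime does not affect other applications.
declare(strict_types=1);

const SHORT_LIFETIME = 30 * 60;           // 30 minutes
const LONG_LIFETIME  = 14 * 24 * 60 * 60; // 14 days

/** Runs on every request, before session_start(); ini_set() lasts one request only. */
function start_session_for_request(bool $remember): void
{
    session_save_path('/var/lib/myapp/sessions'); // placeholder path
    // Garbage collection must keep files at least as long as the longest cookie,
    // otherwise a long-lived cookie points at a session that was already deleted.
    ini_set('session.gc_maxlifetime', (string) LONG_LIFETIME);
    ini_set('session.use_strict_mode', '1');
    // Cookie parameters can only be changed while no session is active; the
    // value chosen here is what session_regenerate_id() will send later.
    session_set_cookie_params([
        'lifetime' => $remember ? LONG_LIFETIME : SHORT_LIFETIME,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Runs on the login request after the credentials have been verified. */
function on_login(string $user, bool $remember): void
{
    $lifetime = $remember ? LONG_LIFETIME : SHORT_LIFETIME;
    // Re-issues the cookie with the lifetime configured above and replaces
    // the pre-login ID so it cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['expires_at'] = time() + $lifetime; // server-side copy of the limit
}

/** Runs on every later request: the stored deadline wins over the cookie. */
function session_is_valid(): bool
{
    if (!isset($_SESSION['user'], $_SESSION['expires_at'])) {
        return false;
    }
    if (time() > (int) $_SESSION['expires_at']) {
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}

$isLogin  = ($_POST['action'] ?? '') === 'login';
$remember = $isLogin && isset($_POST['remember']);
start_session_for_request($remember);

if ($isLogin) {
    // Credential check omitted: call on_login() only once it has succeeded.
    on_login((string) ($_POST['user'] ?? ''), $remember);
} elseif (!session_is_valid()) {
    http_response_code(401);
}
```

On non-login requests the checkbox is absent, so start_session_for_request() sees $remember as false; that is harmless because PHP does not resend the cookie for an existing session, and the deadline that matters is the one stored in $_SESSION at login.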
