In my Ubuntu server, I modified the php.ini file to try and set my session cookies to http only to be more secure. I modified the line in the php.ini file from session.cookie_httponly = to session.cookie_httponly = 1, but still no success. When I view the inspect the page in chrome, my session cookies are still not flagged httponly. Are there any other steps I am missing to set the httpOnly flag on my session cookies? I've also tried adding ini_set("session.cookie_httponly", 1); before starting sessions, but still no success.
Related
I'm using Apache 2.4.41 with PHP 7.4.3.
I've this script that write a session
<?php
// uno.php
session_start();
$_SESSION['chiave'] = 'TEST';
echo session_save_path();
?>
Due
When i click to Due link
<?php
// due.php
session_start();
print_r($_SESSION);
?>
I get that $_SESSION is empty.
Session.save_path is writeable and i see session file.
I see in firefox debug the messagge
Cookie PHPSESSID has been rejected because a non-HTTPS cookie can't be set as secure.
How can i solve this problem?
Thanks
Thanks
You have two options
Be secure
Use HTTPS instead of plain HTTP
Be insecure and tell PHP you don't care.
Keep using HTTP and change the session.cookie_secure option to off (which is its default value but one that must have been changed on your server).
I'm trying to rename my PHP session cookie from PHPSESSID to __Secure-PHPSESSID as per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Examples.
Since PHP does not offer this mechanism, I am doing it through Apache server configuration:
RequestHeader edit Cookie ^__Secure-PHPSESSID(.*)$ PHPSESSID$1
Header edit Set-Cookie ^PHPSESSID(.*)$ __Secure-PHPSESSID$1
Header edit Set-Cookie ^(.*)(?<!SameSite=Strict)(?<!SameSite=Lax)$ "$1;SameSite=Lax"
This works correctly in Firefox, Edge, and Safari, but not Chrome. On Chrome, I can see that the cookie is set with the correct name and flags but I cannot log in to my site.
Upon login, the output of var_dump($_SESSION['internal']['user_name']) is NULL on Chrome but shows the correct username on Firefox and other browsers. I can also see that the session ID is being regenerated every time I try to log in and the value is set in the __Secure-PHPSESSID cookie.
I tried removing the SameSite flag (line 3 above) and it still does not work.
Any ideas?
PHP does indeed offer this mechanism. You can change it in php.ini. Just set this and restart the site:
session.name = __SECURE-PHPSESSID
To confirm it's right, restart your browser to clear previous session cookies.
As for Chrome not letting you log in, this page may give you some clues (see "Option Secure" and "Prefixes" sections): https://www.mon-code.net/post/108/Secure-cookie-of-you-web-application-with-PHP-or-Symfony
They are not well known, but supported by all browsers except those of
Microsoft. With prefixes, it's possible to force the browser to not
accept a cookie if it's misconfigured. There are two prefixes
"__Secure-" and "__Host-".
__Secure- forces the developer to add the secure flag to his cookie, otherwise it will be ignored by the browser.
setcookie('__Secure-user_id', 10, 0, '/', 'orion.dev', true);
__Host- is more restrictive, cookie must have the secure flag but also path to root and blank domain.
setcookie('__Host-user_id', 10, 0, '/', '', true);
I'm not familiar with Cookie Prefixes but PHP should support it out of the box:
<?php
session_name('__Secure-PHPSESSID');
session_start();
You can actually achieve it using PHP, changing session.name parameter. You can do it:
using session_name() in your PHP script
in .htaccess file
directly into CPanel table that shows PHP options (if you run CPanel)
Examples:
// Example way 1
session_name('Secure-PHPSESSID');
session_start();
// Example way 2
php_value session.name "Secure-PHPSESSID"
I've been having problems with sessions for some days now in my production environment
I've already tried to find the solution in tons and tons of answers here in stack overflow, but none seem to work for me
User A logs in
User B logs in. Now when you go back to User A
his session was overwritten by User B. So I have two users 'sharing' the
same session.
Side notes:
I have session_start() on the very top of every page using session variables
I'm using https with a valid certificate
Cache is not the problem, I've already tried to set headers to avoid caching
I'm using PHP 5.4 (I was using 5.6 before and downgraded hoping it would solve my problem) and this is my PHP.ini:
session.save_path = "/tmp"
session.cookie_secure = 1
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.entropy_length = 32
session.cache_limiter = nocache
session.cache_expire = 180
session.hash_function = sha256
And this is the basic structure of my authentication page:
session_start();
... // after connection with the database I retrieve id and name
$_SESSION['id_logado'] = $user_id;
$_SESSION['nome_logado'] = $user_name;
I've already double checked every line of code in every page. There is no variable name $id_logado so it should not interfere with that. Cache is probably not the problem because I have headers to avoid caching just after session_start. I've contacted bluehost to ask for help and of course they have no idea and are blaming myself.
I found a solution.
After further investation I noticed that the /tmp folder had only one session file, with a big size. For some reason sessions were not being saved to new files and were being 'added' to the same one.
Solution: I've created a new folder inside my home drive and granted 777 permissions. Updated my php.ini file to use that folder instead of /tmp and now I have tons of sessions being properly generated.
Simple answer requested:
If I put
session.cookie_httponly=On
session.cookie_secure=On
in the php.ini file for my website, will that automatically turn all the php cookies to secure and httponly, or will I still need to put in true, true into parameter slots 6 and 7 in the cookie itself?
The answer is yes. Setting this in php.ini is enough (however, I only saw "True" as the setting used instead of "On").
Session Cookie without HttpOnly flag set
https://www.owasp.org/index.php/HttpOnly#Using_PHP_to_set_HttpOnly
You can verify this by setting these values, restarting your webserver and accessing your site with a browser, e.g. Firefox. Then open "site information", and choose "security" tab and click on cookies. There you can see if it's marked as secure.
I have an application that has been working with session variables no problem. I start the session before the headers on every page that uses when, it has been fine then it seems all of a sudden I'm getting an undefined index error when I navigate to a page other than the one that sets up the session variables. But only on some browsers. Sometimes sessions are maintained and sometimes they aren't.
It seems that cookies aren't being stored some of the time. I've done checks using different browsers and sometimes cookies are stored and sometimes not.
I did an experiment. I was using firefox to use to app and I was keeping an eye on the tmp folder where the sessions are stored. I cleaned it out. Using firefox I started using the app, using all the pages that sessions were in use and at the end I checked the tmp folder and it had one session file in there.
Did the exact same with internet explorer and there are now 7 different session files.
I'm using PHP 5.3.0 with the WAMP stack. Apache 2.2.11. Session support is enabled in my phpinfo().
I call a var dump on the first page and it prints out the session data. On any subsequent pages the session variable is empty.
<?php var_dump($_SESSION); ?>
array(0){}
Can anyone help me figure out a solution to this?
UPDATE - PHP INI SESSION settings
Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain 82.68.26.169 82.68.26.169
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 5 5
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path c:/wamp/tmp c:/wamp/tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies On On
session.use_trans_sid 0 0
UPDATE - Solution
Because my app was using iframes pulling in pages from another domain (which i created) the cookies i was trying to set were being blocked. Setup a P3P header and the problem seems to be solved!
My suggestion from your previous question still stands: please compare session ids.
The solution might be as simple as your browser not accepting session cookies.
You retrieve the session id by calling session_id(). Do that right after session_start() it should give you a constant value if the session is the same. Otherwise for every request a new session is instantiated.
Also check C:\wamp\tmp. A gazillion files in this directory might indicate fresh sessions for each request.
EDIT Since we've confirmed new sessions per request, it's time to find out whether session cookies are accepted. Check the settings of your browser and confirm that a cookie for your domain (I guess it's "localhost") with the name PHPSESSID can be found.
Do you call session_start() on every page that accesses session data?
Edit: And do you receive the same session ID every time?
Also, could there be some error or warning you're missing (e.g. headers already sent) due to settings?
here is the sense in
while( $row = sqlsrv_fetch_array( $stmt, SQLSRV_FETCH_ASSOC))
{
$_SESSION['saveddata'] = $row;
}
it rewrites $_SESSION['saveddata'] value on each iteration. may be you meant something like
$_SESSION['saveddata'][] = $row;
it makes sense for $atid = $_SESSION['saveddata']['autotaskid'];
Review your session settings. You have a full list with:
<?php
phpinfo();
?>
Scroll down to the "Session" table.
Particularly, make sure that the session.save_path directory exists and is writeable.
When a new session ID is created with each request, most likely it is an issue with your session paths (save_path and cookie_path) and chances of this happening are greater if you're hosting different applications on one server (shared hosting) and some of these applications also implement sessions.
This results in conflicts in your /tmp directory.
You could change the config of your ini file, but it's best to configure these parameters during runtime.
session_set_cookie_params(0, "/app", ".domain.com");//set session cookie parameters
session_save_path("/home/../public_html/app/sess");//set directory of this app's session data
session_start();//start session
I hope that helps everyone having this issue. #CodeOn
I solved this problem on my local WAMP by clearing out the \tmp directory of old sessions.