PHP logout function error - php

I've had a look around and seem to have a unique question here (new to this, so be kind on downvotes)
I have a logout function that I use as part of a registration system I'm putting together. The problem is, it fails when using IE and Safari (still shows users as logged in on the home page after clicking appropriate link). Clearly something is going wrong here, but from reviewing the code multiple times it doesn't seem to have anything wrong in it? My question is why is this not working in IE and Safari? Does it have something to do with browser support?
This is the applicable code:
**logout.php**
```php
<?php
include_once 'functions.php';
sec_session_start();
// Unset all session values
$_SESSION = array();
// get session parameters
$params = session_get_cookie_params();
// Delete the actual cookie.
setcookie(session_name(), '', time() - 42000,
    $params["path"],
    $params["domain"],
    $params["secure"],
    $params["httponly"]);
// Destroy session
session_destroy();
header('Location: ../index.php');
```
Appropriate function in **functions.php**
```php
function sec_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure = SECURE;
    // This stops JavaScript being able to access the session id.
    $httponly = true;
    // Forces sessions to only use cookies.
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
        exit();
    }
    // Gets current cookies params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"],
        $cookieParams["domain"], $secure, $httponly);
    // Sets the session name to the one set above.
    session_name($session_name);
    session_start(); // Start the PHP session
    session_regenerate_id(); // Regenerate the session id (the old session is kept unless true is passed).
}
```
I've included comments to make this a bit easier to follow.
Thanks in advance!

Related

Why does my code in PHP work quite well in PHP 7.1 but not work when I change the domain to version 7.3?

I am working to upgrade my domain to PHP 7.3, but when I do that, one of my files, quiz.php, does not work. It says:
Could not initiate a safe session (ini_set).
I should mention that in 7.1 it works quite well, so I think the problem is in my function.php file, in the function sec_session. I will show you the code without any change from 7.1.
```php
<?php
include_once 'psl-config.php';
function sec_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure = SECURE;
    // This stops JavaScript being able to access the session id.
    $httponly = true;
    // Forces sessions to only use cookies.
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
        exit();
    }
    // Gets current cookies params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
    // Sets the session name to the one set above.
    session_name($session_name);
    session_start(); // Start the PHP session
    session_regenerate_id(); // Regenerate the session id (the old session is kept unless true is passed).
}
```

ini_set('session.use_only_cookies', 1) is set to 1, but condition says no

I have a login page, from where I submit my form data, and whilst doing so, I create a self-made session function, in which I check if (ini_set('session.use_only_cookies', 1)). While the data is passed on, the session gets created and I check if the login data is correct, then I redirect to index.php. In index.php I run the session function again and run into an error, that session.use_only_cookies is not set to 1, but it is. I checked with phpinfo().
Previously worked with XAMPP and it worked there. Recently switched to Docker with the php:7.2-fpm-alpine3.7 image.
My session function:
```php
protected function sec_session() {
    define("SECURE", true);
    $session_name = 'sec_session_id'; // assign a session name
    $secure = SECURE;
    $httponly = true;
    if (!ini_set('session.use_only_cookies', 1)) {
        //header("Location: /error.php?err=Could not initiate a safe session (ini_set)");
        //The above doesn't work
        echo("<script>location.href = '/error.php?err=Could not initiate a safe session (ini_set)';</script>");
        //here is where I always land and I'm not sure why?
        exit();
    }
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
        $cookieParams["path"],
        $cookieParams["domain"],
        $secure,
        $httponly);
    session_name($session_name);
    session_start();
    session_regenerate_id();
}
```
The problem here was the $secure variable. It was designed to function only with an https request. The settings worked fine with the php:7.1-apache Docker Image
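
The failure named in the answer above (a Secure session cookie requested on a plain-HTTP request) together with the `ini_set()` check these questions share, as an added example that is not code from any of the posts. The names `request_is_https()` and `start_session_checked()` are hypothetical, and the HTTPS test assumes no TLS-terminating proxy in front of PHP.

```php
<?php
// Added example, not code from the posts above. request_is_https() and
// start_session_checked() are hypothetical names; no TLS-terminating proxy is assumed.

function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

function start_session_checked(array $server, bool $secure): array
{
    // PHP 7.2 and later refuse session ini changes once a session is active
    // or output has been sent, so test for both before calling ini_set().
    if (session_status() === PHP_SESSION_ACTIVE) {
        return ['ok' => false, 'reason' => 'session already active'];
    }
    if (headers_sent($file, $line)) {
        return ['ok' => false, 'reason' => "output already sent at $file:$line"];
    }
    // ini_set() returns the previous value as a string, or false on failure.
    // Only === false separates a previous value of "0" from an error.
    if (ini_set('session.use_only_cookies', '1') === false) {
        return ['ok' => false, 'reason' => 'ini_set(session.use_only_cookies) failed'];
    }
    // A cookie flagged Secure is never sent back over plain HTTP, so every
    // request would start a fresh, empty session. Report it instead.
    if ($secure && !request_is_https($server)) {
        return ['ok' => false, 'reason' => 'Secure cookie requested on a non-HTTPS request'];
    }
    $p = session_get_cookie_params();
    session_set_cookie_params($p['lifetime'], $p['path'], $p['domain'], $secure, true);
    session_name('sec_session_id');
    if (!session_start()) {
        return ['ok' => false, 'reason' => 'session_start() failed'];
    }
    session_regenerate_id(true); // true also removes the old session data
    return ['ok' => true, 'reason' => ''];
}

$result = start_session_checked($_SERVER, true);
if (!$result['ok']) {
    error_log('session not started: ' . $result['reason']);
    http_response_code(500);
    exit;
}
```

Logging the reason server-side keeps the distinct failure causes apart, where the snippets above send every one of them to the same error page.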

Session_start() doesn't work on server (online)

I made a login system which works fine on localhost, but when it is on the online server it doesn't work. There aren't any errors; even if I type in the wrong password, no errors. Nothing happens, it always stays on the same page. [http://sportcaffe.me/admin/] <- You could try here and see what happens.
USERNAME: laky95
PASSWORD: lazar
I found a solution, but it is not good... I can put session_start() at the top of my code and it will work, but I have some session "prepare" and then start..
Here is my code:
```php
$session_name = 'sec_session_id'; // Set a custom session name
$secure = FALSE;
// This stops JavaScript being able to access the session id.
$httponly = true;
// Forces sessions to only use cookies.
if (ini_set('session.use_only_cookies', 1) === FALSE) {
    header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
    exit();
}
// Gets current cookies params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
    $cookieParams["path"],
    $cookieParams["domain"],
    $secure,
    $httponly);
// Sets the session name to the one set above.
session_name($session_name);
session_start(); // Start the PHP session
session_regenerate_id(); // Regenerate the session id (the old session is kept unless true is passed).
```

Getting session variables in PHP ajax response pages

I have several pages which are called by ajax to print a response.
The pages use $_SESSION variables, so I have to use session_start().
I noticed that from time to time the pages erase the session data (and the user gets disconnected). I'm using a slightly different session_start():
```php
function sec_session_start() {
    $session_name = 'pentago'; // Set a custom session name
    $secure = false; // Set to true if using https.
    $httponly = false; // true would stop JavaScript being able to access the session id.
    ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
    $cookieParams = session_get_cookie_params(); // Gets current cookies params.
    session_set_cookie_params($cookieParams['lifetime'], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
    session_name($session_name); // Sets the session name to the one set above.
    session_start(); // Start the php session
    session_regenerate_id(true); // regenerated the session, delete the old one.
}
```
Is there something in my custom session_start() that causes the response pages to delete the session ?
Thank you.

PHP set cookie lifetime

I have this function to start a secure session:
```php
function sec_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure = false; // Set to true if using https.
    $httponly = true; // This stops javascript being able to access the session id.
    ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
    $cookieParams = session_get_cookie_params(); // Gets current cookies params.
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
    session_name($session_name); // Sets the session name to the one set above.
    session_start(); // Start the php session
    session_regenerate_id(true); // regenerated the session, delete the old one.
}
```
How do I set my cookies to expire whenever the user navigates away from my app or closes their browser? Basically, every time a user visits my app, they need to login again.
A lifetime of 0 (which is usually the default for session cookies) does precisely what you described. See http://us3.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
