I'm encountering a problem with a server that is seemingly disallowing session support which is causing problems with a site I am building there. Session data can be written but only persists on the same page and is not available elsewhere. I've tested identical code on a localhost server and it works correctly. An output of the session details from phpinfo() follows:
The server has a browser based admin tool cPanel 64.12 but there doesn't seem to be a way to access the php.ini file so I can enable proper session functionality.
Does the image above indicate that session functionality is indeed disabled, and is there a way to access the php.ini file through cPanel or another approach that can assist? I assume that the security of the server will mean that this in not possible without an admin getting involved which is difficult on an Easter weekend.
Any advice or opinions would be appreciated.
Many thanks,
Kw
Related
I have a use case where I need to be able to access my site from the local server. Specifically, it's for a HTML-to-PDF export of parts of various pages, but this would be nice for testing parts of the website as well.
The problem is that we have a login splash page, which needs to be dealt with before I can access any parts of the website. It would be really nice if I could just call a command "wkhtml2pdf 'localhost/[myurl]'" and have it PDF some stuff, but it hits this splash page.
Is there some way that I can perma-persist just one single session on the server? Or enable login-less access from localhost? Or could I just add a new Apache entry that accesses our site, whitelists only localhost and somehow circumvents the login?
What's the best solution?
You can pass your session cookie as parameter in wkhtml2pdf to solve your problem.
You can also execute it from a php file like this.
exec("wkhtmltopdf --cookie '{$cookieName}' '{$cookieValue}' http://example.com");
Soliciting feedback on this solution now:
I whitelisted localhost via $_SERVER['REMOTE_ADDR'] in the login scripts to bypass the usual user authentication and get an automatic localhost-user login. The server is running, however, on a university LAN, so the LAN maybe really big, possibly enabling bidirectional TCP spoofing.
Should I be worried about this, or does someone need admin rights on the routers or something? I trust the IT folks, but not others.
I realize that this sounds like a separate question, but I feel that security relates to whether or not this is a good solution.
I am really new to Drupal and playing around with this existing Drupal site.
I did a FTP transfer of all the files to my local computer directory. I currently got it on a Vagrant box and I can access the site via http://192.168.56.101/html.
I can do http://192.168.56.101/html/anything-but-user and it brings me to the proper area on the site. However I can't do localhost/html/user, because it redirects me to the website URL rather than the local URL.
I tried clearing the cache (with Drush). I scanned all files in the system and changed the web url to the local URL [not sure if I need to do any other command], and I can't seem to find anything in the .htaccess files that would lead me to this.
The href="/user I would greatly appreciate any advice or help in figuring out this solution.
--UPDATED
There was a module called "Secure Pages" that was causing the user and registration links to be locked and static to prevent redirects to phishing sites. I had to disable this module using "drush pm-disable securepages" in the terminal.
Some typical items you may want to check:
Check if you get the same problem using another browser. If with another browser it works, then it is pretty sure a cookie problem. To solve that, delete the cookie in the browser where you have the problem.
Make sure "clean urls" is enabled. Refer to "https://drupal.stackexchange.com/questions/165029/clean-url-leads-to-duplicate-url-after-migration-to-another-hosting/165044?s=1%7C3.9647#165044" for more details on that.
Make sure the value of "base_url" is set correctly (in your settings.php).
If module Secure Pages is enabled, then try to (at least temporary) disable that moduel to see if it helps.
Apparently, there was a mod called "SecurePages" that was causing the URLs to be static to prevent someone from changing them and redirecting users to a phishing site.
We have about 100 users accessing our website daily. A majority of them have no issues logging in. However, once a month we get a call or email ticket with complaints that users just see the login page refresh, with no error messages or anything.
All error messages are sent through the PHP Session cookie, and of course everything after logging in is based off of that session. The only reason I could think that the page just refreshes HAS to be because they are blocking that session cookie on their local machine...
Now most often the user is on internet explorer, but occationally it even happens with Chrome or Firefox. I've even had a user (on OSX) who tried Safari, Chrome, FF - and it would NEVER let them log in, the page would just basically refresh. I had the user add the website as trusted, and still no luck.
It's the worst because I cannot reproduce it from any network or from any browser/computer, ever.
Does anyone know what could be causing something like this? The site IS forcing SSL (the HTACCESS file redirects to HTTPS). The site IS forcing the session cookie as HTTP-Only and the Secure flag is also set to TRUE (and these 2 are somewhat recent changes).
I'm unsure what other settings on the server or the PHP instance would be causing something like this, or if it's soley a client-side issue (which it appears to be). And if it's client side, I'd like to learn the issue and possible solutions to it.
To preempt everyone, no - I cannot share the website URL for debugging because the client would not appreciate that, unfortunately. Thanks for any help, I'll be happy to answer any question that I can!
Do you have more than one web server behind a load balancer? And are the PHP sessions stored locally on each web server? If so it is the load balancer's job to make sure a user keeps going back to the same server on repeated accesses. If something goes wrong, they could get sent to a server where they do not have a session. It could be some intermittent glitch sending users to the wrong server.
Just guessing, because as others noted, we don't really have enough info.
Does your session cookie have a valid name? I've run into this problem in the past where some browsers don't accept a session cookie if it has an invalid name, but other browsers do accept them;
http://php.net/manual/en/function.session-name.php
I've got a newly set up dev server of a site I built. The dev server sits at a completely different Box and IP.
The dev site is a complete copy of the live site minus updates to paths and databases. The address is dev.mysite.com as opposed to just mysite.com.
The live site has a number of subdomains attached to it that change skins based on the subdomain, but nothing else is changed. When I try to log in to the dev site, it won't set the Session variable for the login. Any thoughts on this would be greatly appreciated.
Before testing the live site you should test and ensure that the dev site works. In your question it sounds a bit the other way round. Anyway, I see two options here:
conflicting cookies
missing server configuration on the dev site
From your question it's hard to say which of those two applies (even not even something else). You should concentrate to get your dev site to work, ignoring your life site. That means, you access the dev site with a complete different browser from a complete different box (if possible) and from a complete different internet connection (if even possible). That should help you to isolate the problem and more easily find out what is going on. Then get sessions to work on the dev site. After it works, you can start to test your live site.
I got a solution for you
— Create a cookie and set it for domain and all subdomain (*)
So you need to insert sessions to database, I suggest you to use Zend Sessions.
Documentation : http://framework.zend.com/manual/en/zend.session.savehandler.dbtable.html
I'm having some sessions problems after my ISP moved my site to a new server, supposedly setup the same. The problem appears to be browser-specific as well, which I don't quite understand.
First, my site uses sessions to login, this has been broken since they moved the site.
My ISP has set up a test page. When I hit this page in IE 6 (where it sets some session vars) and then hit the "header redirect" button, sessions seem to work fine. If I try it in Firefox/Opera, I get a new session id on the redirected page. My ISP reports sessions are working for IE as well, though I imagine they're using IE7 or perhaps even 8.
Everything was working fine on my site before my ISP moved it and while they've been very helpful in responding, they're at a loss as to why it's broken. A couple of other of my sites with them were broken along with the move, but they have been resolved by server tweaks...Does anyone have any ideas what's going on?
You're redirecting from "launchcomplex.com" to "www.launchcomplex.com"
If you set session.cookie_domain it should work - see session_set_cookie_params()
Cookie domain, for example 'www.php.net'. To make cookies visible on all subdomains then the domain must be prefixed with a dot like '.php.net'.
When they moved servers, did they move to a clustered configuration? Meaning when I hit your web page, am I always requesting content from the same physical server, or could be be any of a cluster of servers?
If the latter, that is your problem. Sessions are by default file-based, and thus are not scalable to multiple servers.
One solution is to use session_set_save_handler() to write your own session manager. Usually you would use a database to read/write session data using this method.