I'm using a flash based message class to give the user messages.
In a particular page called Backup, the user can restore a backup; it performs the restore and then runs the following (the custom functions are rather self-explanatory):
    ASSession::destroySession();   // drop the old session and its data
    ASSession::startSession();     // start a fresh one so the message has somewhere to live
    $mg = new Messages();
    $mg->add('s', $prepend);       // queue a success message in the session
    redirect("login.php");
The issue as I saw it was that when we destroy the session we have to start a new one so that messages (which use session variables to store the messages) will be displayed. However, once the user gets to the login page after the redirect, the page calls a master 'framework' file that also calls ASSession::startSession(). So I figured I'd first check whether we already had a session id in the startSession() function: we should have started the session before the redirect, so there is no need to start a new session when we reach login, as that would also remove the message before the user gets to view it.
So I made this change:
    public static function startSession()
    {
        // Guard: only start a session when no session id exists yet.
        if (!session_id()) {
            ini_set('session.use_only_cookies', SESSION_USE_ONLY_COOKIES);
            $cookieParams = session_get_cookie_params();
            session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], SESSION_SECURE, SESSION_HTTP_ONLY);
            session_start();
            //session_regenerate_id(SESSION_REGENERATE_ID);
        }
    }
To no avail. I ran an entire site-wide find for session_start() to see if it was starting somewhere else without checking if it had already started and that came up negative. So my question is: why is my session restarting after I started it, if the only function that deals with starting the session checks if the session is currently running? Because my messages are not being displayed :(
Side note: I am trying to avoid the dreaded ?success='It worked' and echo $_GET['success'];
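The flash-message flow from this question, written out as an added example (not the asker's code): the same logout-then-redirect, but instead of session_destroy() followed by a second session_start() in one request it empties $_SESSION and regenerates the ID, and the start guard keys on session_status() rather than session_id(). The Messages class body, the message text and the use of header() in place of redirect() are assumptions; PHP 7.1+.

```php
<?php
// Added example: session-backed flash messages that survive a redirect.
// The session is never destroyed mid-request; its data is wiped and its ID
// swapped, so the new message lands under the ID the browser receives.

function startSession(): void
{
    // session_status() is the reliable "already running?" check: session_id()
    // still returns the old ID after session_write_close(), so a guard on it
    // can skip a session_start() that is actually needed.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();   // cookie flags (secure, httponly) belong before this
    }
}

final class Messages
{
    private const KEY = 'flash';

    public function add(string $type, string $text): void
    {
        $_SESSION[self::KEY][] = ['type' => $type, 'text' => $text];
    }

    /** Returns the queued messages and clears them, so each shows only once. */
    public function consume(): array
    {
        $messages = $_SESSION[self::KEY] ?? [];
        unset($_SESSION[self::KEY]);
        return $messages;
    }
}

// backup.php: after the restore, discard every earlier session value
// (login state, tokens) but keep the session itself for the flash message.
startSession();
$_SESSION = [];
session_regenerate_id(true);                     // old ID deleted, new cookie sent
(new Messages())->add('s', 'Backup restored');   // constructed message text
header('Location: login.php', true, 303);
exit;                                            // stop running after a redirect

// login.php: the framework file may call startSession() again; with the
// status guard it resumes the existing session instead of starting a new one.
// foreach ((new Messages())->consume() as $m) {
//     echo htmlspecialchars($m['text'], ENT_QUOTES, 'UTF-8');
// }
```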
I'm currently developing a web application for a client with the webspace hosted on one.com.
I've implemented my own secure login system and everything works. When I log someone in, the variables are available but as soon as I go to a new page via an href all my session variables are lost. I've tried almost everything that is recommended on similar questions but it won't work.
I cannot edit my php.ini directly; this is the standard phpinfo:
I can't embed images yet, this is my phpinfo
Additionally, at the beginning of every site I call
    ini_set("session.cookie_secure", 0);
because at the beginning this was (locally) always set to true.
I initiate a secure session on every page with the following code:
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure = true;
    // This stops JavaScript being able to access the session id.
    $httponly = true;
    // Forces sessions to only use cookies.
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
        exit();
    }
    // Gets current cookie params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
        $cookieParams["path"],
        $cookieParams["domain"],
        $secure,
        $httponly);
    // Sets the session name to the one set above.
    session_name($session_name);
    session_start(); // Start the PHP session
    session_regenerate_id(true); // regenerates the session id and deletes the old one.
I just don't understand why my session variables are always lost. I would be happy about any help I can get!
Edit: Some suggested that the last line:
    session_regenerate_id(true);
probably causes the problem, but after removing it it still doesn't work. What else could it be?
I'm pretty sure this line (the bottom line) is the one destroying the session:
    session_regenerate_id(true); // regenerates the session id and deletes the old one
Remove that line and your session should be retained.
So I've been trying to solve this issue for a very long time now, and I'm at my wit's end.
So within a web application I'm working on, the basic idea is that the user logs in, then a session is created in $_SESSION. I can see the contents of it just fine on the index page through print_r($_SESSION).
On the index are some jQuery UI tabs, and those tabs link to some subdirectories like content/index.php or action/index.php. Inside those tabs, trying the aforementioned print statement doesn't return anything at all. It's like it can't see the session at all.
On the index, I have a function called sec_session_start() that's been used, and I think there's a possibility of this being an issue. The code for that is this:
    function sec_session_start() {
        $session_name = 'sample'; // Set a custom session name
        $secure = SECURE;         // constant defined elsewhere in the application
        // This stops JavaScript being able to access the session id.
        $httponly = true;
        // Forces sessions to only use cookies.
        if (ini_set('session.use_only_cookies', 1) === FALSE) {
            header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
            exit();
        }
        // Gets current cookie params.
        $cookieParams = session_get_cookie_params();
        session_set_cookie_params($cookieParams["lifetime"],
            $cookieParams["path"],
            $cookieParams["domain"],
            $secure,
            $httponly
        );
        // Sets the session name to the one set above.
        session_name($session_name);
        session_start(); // Start the PHP session
        session_regenerate_id(); // regenerates the session id on every call
    }
Looking at this, the only thing I can think of is the session.use_only_cookies INI setting being the issue. Could that be what's blocking me from accessing the session within the tabs? I inherited this and have no clue why it's not letting me access the session regardless.
EDIT 1:
index.php:
    <?php
    print_r($_SESSION); // prints everything
    ?>
action/index.php or content/index.php, retrieved through an ajax call via the tabs:
    <?php
    print_r($_SESSION); // returns nothing.
    ?>
EDIT 2:
I figured out the issue. Turns out, the session was stored in a cookie and encrypted. By accessing it via session_name(); then starting a session on each page, I can see the variables.
I've been trying to search online for possible answers to this question, but I really can't figure it out. There are many people with a similar problem, but mine has a unique touch to it that I don't understand, nor have I encountered it anywhere else.
I created a login system that worked fine. However, I wanted to make it more secure, so I used this tutorial: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL. I can still log in, but whenever I refresh my page, I am automatically logged out. After a while I figured out that the session ID changes.
The curious thing is this: when I call var_dump($_SESSION); on the 3rd line of my code (directly after session_start();), the session ID remains the same, and everything works. As soon as I comment out this line, the problem returns.
I do regenerate the session ID using the following code:
    $session_name = 'robinator123'; // Set a custom session name
    $secure = FALSE;
    // This stops JavaScript being able to access the session id.
    $httponly = true;
    // Forces sessions to only use cookies.
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
        exit();
    }
    // Gets current cookie params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
        $cookieParams["path"],
        $cookieParams["domain"],
        $secure,
        $httponly);
    // Sets the session name to the one set above.
    session_name($session_name);
    session_start(); // Start the PHP session
    session_regenerate_id(true); // regenerates the session id and deletes the old one.
When I call var_dump($_SESSION), the regeneration fails because the headers have already been sent by the var_dump. However, when I replace var_dump with a normal echo statement the headers also fail, but the session ID still changes. I have no idea what's going on.
A few notes:
I did not forget to call session_start(); at the beginning of my code.
The included PHP code that I use to store session variables is located outside my web root, but the problem isn't solved if I place those files back into my root, so I'm guessing that can't be the problem.
I actually solved the problem by editing the regeneration piece of code. Removing the regeneration didn't work, but I fixed it by setting the parameters I had forgotten to change (i.e. lifetime, path, and domain), and by removing the parameter "true" from the session_regenerate_id(); command (I literally copy-pasted this code from the tutorial, and failed to notice these things when I was making all the changes).
However, I'm still very curious how var_dump was able to avoid the problem...
I am having problems with a custom start session. For security reasons I decided to look for a method that is safe when starting a session, and I came across this tutorial and implemented the method related to starting a session.
The problem is that whenever I initiate a new session variable and redirect to another page which is expecting the value from the initialised session, all my session variables that I initialised earlier get destroyed, forcing the user to log out. Below is the function I am using to start sessions:
    function sec_session_start(){
        $session_name = 'sec_session_id'; // set a custom session name
        $secure = false;                  // true if you are using https
        $httponly = true;                 // this stops javascript from accessing the session id
        ini_set('session.use_only_cookies', 1); // FORCES session to only use cookies
        $cookie_params = session_get_cookie_params(); // get current cookie params
        session_set_cookie_params($cookie_params['lifetime'], $cookie_params['path'], $cookie_params['domain'], $secure, $httponly);
        session_name($session_name); // set the session name to the one set above
        if (!isset($_SESSION)) { session_start(); } // start the php session
        session_regenerate_id(); // regenerate new session id and delete the old one THIS IS TO PREVENT SESSION HIJACK
    }
I have searched for an answer to my problem with no luck. Please help me on this.
N.B. - when I use the default session_start, everything works perfectly.
You should always start the session, not only when $_SESSION is not set.
    if (!isset($_SESSION)) { session_start(); } // start the php session
    session_regenerate_id(); // regenerate new session id and delete the old one THIS IS TO PREVENT SESSION HIJACK
should be
    session_start(); // Start new or resume existing session
    session_regenerate_id(); // regenerate new session id and delete the old one THIS IS TO PREVENT SESSION HIJACK
Reference: session_regenerate_id
Try to put session_start() at top of your php code, as first instruction.
I tried to look my problem up on the internet and on Stack Overflow, but didn't find an answer that solved my problem. So I have a back-end system for a website I'm creating for an open-source project. I have now just finished transferring everything over to my online domain and database. After a lot of other problem solving, it works now, except for the logging out.
In my back-end header I have the following URL:
    <h1>Logout</h1>
The content of the logout.php page is the following:
    <?php
    session_start();            // the session must be active before its id can be regenerated
    session_regenerate_id();
    session_unset();
    $_SESSION = array();
    session_destroy();
    header("Location: login.php");
    exit;                       // nothing after the redirect should keep running
    ?>
Offline, via MAMP this works without any problem. However online it doesn't destroy my session. I can still access all my session variables, which enables me to stay logged in. As I said before, I tried to look for an answer, but I don't seem to find one that fixes my problem. If anyone has a clue what might be wrong, please tell me. Thanks in advance!
EDIT:
This is how I check on every back-end page whether or not I'm logged in:
    function sec_session_start() {
        $session_name = 'sec_session_id'; // Set a custom session name
        $secure = false; // Set to true if using https.
        $httponly = true; // This stops javascript being able to access the session id.
        ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
        $cookieParams = session_get_cookie_params(); // Gets current cookie params.
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
        session_name($session_name); // Sets the session name to the one set above.
        session_start(); // Start the php session
        session_regenerate_id(true); // regenerate the id and delete the old one; only valid once the session is active
    }
As you see, @paulprogrammer, I do something with cookies. How do I destroy it for sure when I log out?
edit(2):
OK, thanks paulprogrammer for the pointer. I removed the cookie part from my login check function and turned it into the following simple function:
    function sec_session_start() {
        session_start();
    }
This doesn't create a cookie and now it does work. I tried to unset the cookie via the steps the official PHP manual gives at http://php.net/manual/en/function.session-destroy.php but that didn't do it. So that's why I moved to something simpler that works. As not many people besides me are gonna use the back-end and as it seems to work OK, even without cookies, I call it done. This topic can be closed :)
final edit(3):
OK, thanks to @paulprogrammer it works now with cookies as well. Now that I know the answer, it only seems logical that you have to do that. Stupid of me. OK, so apparently I had to set the name of the session, just like I did in my session start. I do this at the beginning, before I start it. The new, updated code of the login check function:
    <?php
    session_name('sec_session_id');     // same name as in sec_session_start()
    session_start();
    setcookie(session_name(), '', 100); // expire the session cookie in the browser
    session_unset();
    session_destroy();
    $_SESSION = array();
    header("Location: login.php");
    exit;                               // nothing after the redirect should keep running
    ?>
You set the session name in your setup code, but failed to set it in the teardown code. So, during teardown PHP was destroying the default session name, not your custom session name. The custom session name is still available on the request after logout.
Simply use the session_name() function consistently anywhere session operations are being used to ensure the session management is always acting on the correct session token.
In your logout.php:
    <?php
    session_name('sec_session_id');  // must match the name used in sec_session_start()
    session_start();                 // attaches to the named session
    session_regenerate_id();         // only valid once the session is active
    session_unset();
    $_SESSION = array();
    session_destroy();
    header("Location: login.php");
    exit;                            // nothing after the redirect should keep running
    ?>
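An added example (not from any post in this thread) that ties the recurring problems above together: the bootstrap, the login step and the logout all act on the same named session, and the ID is regenerated once at login rather than on every request. It assumes PHP 7.3+ (array form of session_set_cookie_params() and setcookie()) and an HTTPS site; SESSION_NAME and the function names are my own.

```php
<?php
// Added example: one named session, configured once, regenerated only after
// authentication, and torn down under the same name it was created with.

const SESSION_NAME = 'sec_session_id';

function sec_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                                 // resume, never restart
    }
    ini_set('session.use_only_cookies', '1');   // no IDs via URL
    ini_set('session.use_strict_mode', '1');    // reject IDs the server never issued
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'domain' => '',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_name(SESSION_NAME);                 // must precede session_start()
    session_start();                            // no regenerate here: every page calls this
}

// Call once, right after the credentials are verified: a fresh ID at this
// point defeats session fixation without logging the user out on each load.
function login_user(int $userId): void
{
    sec_session_start();
    session_regenerate_id(true);                // old ID deleted server-side
    $_SESSION['user_id'] = $userId;
    $_SESSION['login_time'] = time();
}

// logout.php: same name, same cookie parameters, cookie expired in the past.
function logout_user(): void
{
    sec_session_start();                        // attaches to the *named* session
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires' => time() - 42000, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);
    session_destroy();                          // removes the server-side data
    header('Location: login.php', true, 303);
    exit;
}
```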