I've been having problems with sessions for some days now in my production environment
I've already tried to find the solution in tons and tons of answers here in stack overflow, but none seem to work for me
User A logs in
User B logs in. Now when you go back to User A
his session was overwritten by User B. So I have two users 'sharing' the
same session.
Side notes:
I have session_start() on the very top of every page using session variables
I'm using https with a valid certificate
Cache is not the problem, I've already tried to set headers to avoid caching
I'm using PHP 5.4 (I was using 5.6 before and downgraded hoping it would solve my problem) and this is my PHP.ini:
session.save_path = "/tmp"
session.cookie_secure = 1
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.entropy_length = 32
session.cache_limiter = nocache
session.cache_expire = 180
session.hash_function = sha256
And this is the basic structure of my authentication page:
session_start();
... // after connection with the database I retrieve id and name
$_SESSION['id_logado'] = $user_id;
$_SESSION['nome_logado'] = $user_name;
I've already double checked every line of code in every page. There is no variable name $id_logado so it should not interfere with that. Cache is probably not the problem because I have headers to avoid caching just after session_start. I've contacted bluehost to ask for help and of course they have no idea and are blaming myself.
I found a solution.
After further investation I noticed that the /tmp folder had only one session file, with a big size. For some reason sessions were not being saved to new files and were being 'added' to the same one.
Solution: I've created a new folder inside my home drive and granted 777 permissions. Updated my php.ini file to use that folder instead of /tmp and now I have tons of sessions being properly generated.
Related
I use to have my website hosted on 1and1 server for years and it was working fine (php 7.4).
Since, i decided to switch to a dedicated server w/Linux ubuntu OS for my webserver (php 8.1.2).
All is working fine after the migration but I have a weird issue:
when I get a redirection from an Ajax/php query I usualy redict (using JS) the client to a desired web page and the session is lost.
I do have the session_start(); and ensure that it do not switch from www.mywebsite.com to mywebsite.com.
I am confused as it is 100% the code that is working on the hosted server.
other clue, I see that the approval of cookies always prompt. so there is clearly a session issue that un_sync the client/server session_id.
Any config to ensure on a new apache server ?
I can see in my "/var/lib/php/sessions" folder a new session every time i trigger the redirection ...
I would appreciate any advise.
here is my SESSION config from php.ini:
Session Support enabled
Registered save handlers files user
Registered serializer handlers php_serialize php php_binary
Directive Local Value Master Value
session.auto_start Off Off
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_httponly no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_samesite no value no value
session.cookie_secure 0 0
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 0 0
session.lazy_write On On
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /var/lib/php/sessions /var/lib/php/sessions
session.serialize_handler php php
session.sid_bits_per_character 5 5
session.sid_length 26 26
session.upload_progress.cleanup On On
session.upload_progress.enabled On On
session.upload_progress.freq 1% 1%
session.upload_progress.min_freq 1 1
session.upload_progress.name PHP_SESSION_UPLOAD_PROGRESS PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix upload_progress_ upload_progress_
session.use_cookies 1 1
session.use_only_cookies 1 1
session.use_strict_mode 0 0
session.use_trans_sid 0 0
session_start(); should be declared at the top of the script before any html output, including white spaces.
<?php
session_start();
// code
Do you also use session_name()? https://www.php.net/manual/en/function.session-name.php
Check the cookie name PHPSESSID and see if it's changing.
You could try to store the sessions in Redis for example, maybe it's a cron that is deleting the contents of your /var/lib/php/sessions?
Sometimes the default session path may not be writeable or a custom session handler might be used by the new server you're using.
In this case I usually try override the session storage path and see if the session sticks between requests.
The below code should be placed at the earliest point in the request lifecycle. (before any other code is executed)
<?php
//DEFINE THE CUSTOM SESSION STORAGE PATH
$session_save_path = '/path/to/custom/session/storage';
//MAKE THE FOLDER IF NEEDED
if(!file_exists($session_save_path)) mkdir($session_save_path, 0755, true);
//SET THE SESSION TO USE THE CUSTOM PATH
session_save_path(realpath($session_save_path));
//START THE SESSION IF POSSIBLE
if(!session_id()) session_start();
...
See the PHP documentation https://www.php.net/manual/en/function.session-save-path.php
Another possible problem is that the session cookie isnt being sent with your ajax request.
If that is the case you might want to see this answer:
Why is jQuery's .ajax() method not sending my session cookie?
Ok Guys,
I have find what was wrong, and I feel stupid but need to share the reason in case it happens to anyone.
Before, when using the 1and1 webhosting server, I was using a structure like this:
mysiteweb.com
subDomainWebApp.mysiteweb.com
if i wasnt logged on the webapp, i am redirected to the website with an iframe that opens the webapp login page.
After logging, i open the index in subdomainofwebapp.mysiteweb.com
So cookies are shared between website and subdomain.
But now I moved the subDomainWebApp.mysiteweb.com to a dedicated server with its own domain WebApp.com
so the iframe call in the initial website do not share the cookies with the new WebApp.com domain.
I had to restructure the logging to manage it directly on the new domain.
Sorry for that, but all your hints guided me to that conclusion after i put a close look to the cookie session data.
Thanks guys
What I understand is that session data is lost. If I understood correctly you can try updating your server's write permissions.
it look like;
sudo chmod 1777 -R /home/your_user_path/tmp/
Maybe I'm misunderstanding this, but I expect the following to return the same session id on page refresh;
<?php
session_start();
$ses_id = session_id();
echo $ses_id;
?>
Whenever I refresh the page, the session id updates to a new one. I'm running PHP on Windows 7 IIS. Client is iphone safari browser.
Initially I was trying to trace a problem with an AJAX call and session variables, but in troubleshooting I realised my calling page couldn't even retain it's own session during a page refresh - so I figure if I fix this, then at least I can start troubleshooting the AJAX issue, if it's still there.
What I've done;
PHP ini - confirmed sessions are enabled with the following settings (mostly default except for session.save_path which was "/tmp" and session.cookie_domain which was blank...
session.save_handler = files
session.save_path = "c:\windows\temp"
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain = .<mydomain.com> -- <censored> :)
...
Thanks #Arpit for your oddly vague comment which nonetheless pointed me in the right direction :)
Changed:
iphone -> settings -> safari -> accept cookies -> Never
to
iphone -> settings -> safari -> accept cookies -> From Visited
And now session stays the same.
Not great for my app though; I have to ask users to change their safari settings.
I have some issues concerning the timeout of a php session. I have set the following values during runtime of the application:
session.gc_maxlifetime = 3600
session.cookie_lifetime = 3600
session.save_path = myApplicationPath/tmp
session.use_cookies = 1
session.use_only_cookies = 1
However, my session keeps expiring in about 30 mins. Also, my tmp directory remains empty, so it appears no cookies are actually being set. echoing ini_get("session.save_path") does return the right path though.
Note:
If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data. In this case, use this directive together with session.save_path.
PHP Manual
I'd say that PHP cannot find your save_path or does not have permission to write on that, so it stores session files (not cookies) in the default shared directory (so the site with shortest gc_maxlifetime will remove sessions from all other sites).
I have an application that has been working with session variables no problem. I start the session before the headers on every page that uses when, it has been fine then it seems all of a sudden I'm getting an undefined index error when I navigate to a page other than the one that sets up the session variables. But only on some browsers. Sometimes sessions are maintained and sometimes they aren't.
It seems that cookies aren't being stored some of the time. I've done checks using different browsers and sometimes cookies are stored and sometimes not.
I did an experiment. I was using firefox to use to app and I was keeping an eye on the tmp folder where the sessions are stored. I cleaned it out. Using firefox I started using the app, using all the pages that sessions were in use and at the end I checked the tmp folder and it had one session file in there.
Did the exact same with internet explorer and there are now 7 different session files.
I'm using PHP 5.3.0 with the WAMP stack. Apache 2.2.11. Session support is enabled in my phpinfo().
I call a var dump on the first page and it prints out the session data. On any subsequent pages the session variable is empty.
<?php var_dump($_SESSION); ?>
array(0){}
Can anyone help me figure out a solution to this?
UPDATE - PHP INI SESSION settings
Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain 82.68.26.169 82.68.26.169
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 5 5
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path c:/wamp/tmp c:/wamp/tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies On On
session.use_trans_sid 0 0
UPDATE - Solution
Because my app was using iframes pulling in pages from another domain (which i created) the cookies i was trying to set were being blocked. Setup a P3P header and the problem seems to be solved!
My suggestion from your previous question still stands: please compare session ids.
The solution might be as simple as your browser not accepting session cookies.
You retrieve the session id by calling session_id(). Do that right after session_start() it should give you a constant value if the session is the same. Otherwise for every request a new session is instantiated.
Also check C:\wamp\tmp. A gazillion files in this directory might indicate fresh sessions for each request.
EDIT Since we've confirmed new sessions per request, it's time to find out whether session cookies are accepted. Check the settings of your browser and confirm that a cookie for your domain (I guess it's "localhost") with the name PHPSESSID can be found.
Do you call session_start() on every page that accesses session data?
Edit: And do you receive the same session ID every time?
Also, could there be some error or warning you're missing (e.g. headers already sent) due to settings?
here is the sense in
while( $row = sqlsrv_fetch_array( $stmt, SQLSRV_FETCH_ASSOC))
{
$_SESSION['saveddata'] = $row;
}
it rewrites $_SESSION['saveddata'] value on each iteration. may be you meant something like
$_SESSION['saveddata'][] = $row;
it makes sense for $atid = $_SESSION['saveddata']['autotaskid'];
Review your session settings. You have a full list with:
<?php
phpinfo();
?>
Scroll down to the "Session" table.
Particularly, make sure that the session.save_path directory exists and is writeable.
When a new session ID is created with each request, most likely it is an issue with your session paths (save_path and cookie_path) and chances of this happening are greater if you're hosting different applications on one server (shared hosting) and some of these applications also implement sessions.
This results in conflicts in your /tmp directory.
You could change the config of your ini file, but it's best to configure these parameters during runtime.
session_set_cookie_params(0, "/app", ".domain.com");//set session cookie parameters
session_save_path("/home/../public_html/app/sess");//set directory of this app's session data
session_start();//start session
I hope that helps everyone having this issue. #CodeOn
I solved this problem on my local WAMP by clearing out the \tmp directory of old sessions.
The problem is that every so often a page that writes to a Session will cause apache to hang forever for a particular session. Once this error occurs for one user any further modifications to any session of any user will cause the website to hang for this user.
This problem has been my sole focus for days. I have a development VPS running Windows 2003 and default latest version of XAMPP using the standard PHP session handler. The code in question actually runs on two other machines perfectly normally so although my common sense says it’s a web server configuration issue but at this point I am willing to try anything.
On further investigation there are no errors in the Apache, PHP or System event log. Resources are abundant and there is no “AJAX shit storm” or more than a couple writes to a session per page. I have also implemented session_write_close() wherever possible to try and help elevate the problem.
I have checked the session’s directory which is set to “C:\windows\Temp” and found that once a user enters this hanging phase that the corresponding session file is exclusively locked and the only way to resolve this is to stop Apache and wait a few moments for the files to become unlocked and delete them. I am not wondering if deletion is required.
The Sessions themselves only contain 4 bits of information. ShoppingCartID, UserID, UserLevel and Refering URL and are alphanumerical with an occasional slash.
My PHP.INI’s session section is configured like this:
session.save_handler = files
session.save_path = "C:\WINDOWS\Temp"
session.use_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 100
session.gc_maxlifetime = 1440
session.bug_compat_42 = 1
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 4
I have tried everything I can think of and the whole problem is now a blur to me. Any ideas would be appreciated and thanks for your time reading this :)
It could be your session files getting locked by Windows or some php.ini settings not done properly. Please SEE HERE
Almost want to say its the lock files.
Is it possible your app internally requests a page from the same site again internally? You could be hitting a race condition of sorts where page A fires up, locks the session, and then somehow triggers a request to itself, or page B, which also tries to re-start the session, which is now locked, and the request hangs.
Otherwise, if the hang is caused by the session file being locked, I'd suggest using something like SYSInternal's 'Handle' to get a list of what processes are using the session file in question.