My problem is that multiple session cookies are generated for the same user and browser/tab.
I have an init.php file, which is the only file responsible for starting sessions. The first few lines of said file look like this:
<?php
session_start();
...
...?>
This file is located at /include/init.php, which itself is in a subdirectory.
I then have another PHP file located at /include/phpjson/memberInfo.php.
This file, like all the other files, includes the init.php file. But as soon as this file is executed, another session cookie shows up in the tmp directory.
The problem isn't just that another session cookie is created, but also that my main pages located at root now seem to be using a different session than the ones located in any subdirectory.
After searching Stack Overflow and other sites on Google, I found that some people recommended using the session_set_cookie_params function to set the path for the session cookies. However, since all the session cookies were already in the same folder, this didn't have any effect.
I understand that whichever file including the init.php will run the containing code from the file itself, not from where init.php is originally located. Which explains why all the files in root seem to be sharing the same session.
The simple solution here is to have every php script in the root directory, but this doesn't seem like the right thing to do.
If there are any questions regarding this issue please ask in the comments. I will try to respond to them as soon as possible.
Thanks in advance :)
Regards
Daniel Holst
Related
This is kind of strange.
I'm working with sessions. I have session_start(); at the beginning of all my first php blocks on each page.
When I echo out a session variable on index.php in webroot (/var/html/www) it gives nothing. If I move index.php to /var/html/www/home or some other non-webroot directory it will echo the variable, no problem.
Is there something special I don't know about sessions?
It might be caused by the session file used by PHP not being accessible, or by running out of disk space. Check your php.ini to find out the session file location, and make sure PHP can access that file and folder and that you have enough disk space.
I have 3 basic directories in the public_html directory. For example, these are:
Directory_A represents http://site.com
Directory_B represents http://subsite-b.site.com
Directory_C represents http://subsite-c.site.com
I have another directory in public_html named Sessions where I want to save the session cookies when logged-in users visit across the directories (site and sub-sites).
The attached picture demonstrates my directory structure clearly in cPanel.
I face no problem passing sessions between the folders and sub-folders in Directory_A. The problem appears when visitors switch from Directory_A to Directory_B or Directory_C (visiting http://subsite-b.site.com or http://subsite-c.site.com from http://site.com): sessions are not passed at all, although I set the variable session_set_cookie_params in every page of the above stated sub-sites, like,
$mysession = session_name("mysession");
session_set_cookie_params(0, '/', '.site.com');
session_start();
A notable thing is that presently the variable session.save_path has the following configuration on my PHP server.
session.save_path /tmp /tmp
Now, as the sessions aren't passed at all from one directory to another directory in public_html, I changed the configuration of session.save_path by pointing the path to public_html/Sessions like,
session.save_path /public_html/Sessions /public_html/Sessions
The above change in configuration returns the following similar warning in every page of http://site.com, http://subsite-b.site.com and http://subsite-c.site.com when visitors visit these sites.
Warning: session_start() [function.session-start]: open(/public_html/session/sess_0d38g21b3153bb4343g8d687442e76ed, O_RDWR) failed: No such file or directory (2) in /home/user/public_html/Directory_B/index.php on line 4
On line 4, as stated in the above warning, I've got the code session_start();
What's going wrong here? Is it happening because of improper server configuration? What should I do to pass the sessions properly from one directory to another directory?
Any idea or knowledge about this issue shall be well appreciated.
It's happening because you didn't copy over the old sessions that existed in /tmp. It can also mean you didn't set the permissions on the directory/files so that the web server can read them.
You need to use a custom session handler to store the sessions in a database instead of using a directory in the filesystem (e.g. /tmp).
Here's some example code: GitHub, and here's some more info on using a custom session handler in PHP.
When you save the session in a database, you can access them from any site, as long as you can connect to the database. It is simpler than it sounds.
session_set_cookie_params(0, '/', '.site.com');
session_start();
to
session_set_cookie_params(0, '/', '.site.com');
session_save_path('/home/user/public_html/Sessions');
session_start();
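The warning in the question and the permissions point raised in the replies can be checked before `session_start()` runs. The bootstrap below is an added example, not code from any of the posts; it assumes PHP 8.0+, and `SESSION_DIR` and `start_shared_session()` are hypothetical names, with the directory placed outside public_html so session files cannot be fetched over HTTP.

```php
<?php
declare(strict_types=1);

// Added example: one bootstrap file included by site.com and both subdomains.
// SESSION_DIR is an assumed location; it must be an absolute filesystem path.
const SESSION_DIR = '/home/user/private/sessions';

function start_shared_session(string $dir, string $cookieDomain): void
{
    // session.save_path is resolved on the filesystem, not relative to the web root,
    // which is why "/public_html/Sessions" ends in "No such file or directory".
    $real = realpath($dir);
    if ($real === false || !is_dir($real)) {
        throw new RuntimeException("Session directory does not exist: $dir");
    }
    if (!is_writable($real)) {
        throw new RuntimeException("Session directory is not writable by PHP: $real");
    }
    // Refuse a directory below the current site's document root.
    $docRoot = empty($_SERVER['DOCUMENT_ROOT']) ? false : realpath($_SERVER['DOCUMENT_ROOT']);
    if ($docRoot !== false && str_starts_with($real . '/', $docRoot . '/')) {
        throw new RuntimeException("Session directory is inside the document root: $real");
    }

    ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
    session_save_path($real);
    session_name('mysession');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => $cookieDomain,   // '.site.com' covers site.com and its subdomains
        'httponly' => true,            // add 'secure' => true once the sites use HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

start_shared_session(SESSION_DIR, '.site.com');
```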
PHP sessions work as expected in root directory, and one directory deep. Directories that exist 2 deep end up with a new session id, and all session variables are lost.
I include a file config.inc.php (absolute path) into all pages which calls session_start() and initializes the SESSION variables. I found a PHP directive setting that seems to mention subdirectories, but it looks like it is referring to subdirectories of temporarily stored session files.
I've double checked using the HTTPFox Firefox plugin: as soon as I visit any page 2 levels deep, the session is gone, and a new session ID is issued. Very strange...
Ah, it looks like I was writing my URLs to those particular directories using localhost instead of 127.0.0.1... The different domain caused the browser to think it was a different website, I guess. Changing this solved my problem.
I have a script named INDEX.php that runs from root directory //htdocs because that script needs to use $SESSION variables and other things in sub folder.
Now if I try to debug using Eclipse, it asks me for a new workspace; even if I put the new workspace under htdocs, the settings inside the script are still lost.
How do I resolve this? How do I set up the dev environment in Eclipse so that it treats the code as if it is run from htdocs?
This is a poorly asked question. What do you mean "script needs to use $SESSION variables and other things in sub folder"? If you're referring to $_SESSION, it has nothing to do with folders.
If you're saying that values within $_SESSION are not staying there from one execution to the next, then you need to make sure that cookies are enabled, and that whatever browser/environment you are using to view the page supports cookies.
The cookie holds the ID that identifies the session that allows PHP to find the session data. You can also pass the ID from one URL to another, but that probably won't work in your case.
So I have a fairly noobish question, I have been reading up a lot around the subject, but can't quite find the answer I want, so bear with me...
I have a fairly simple website that I have been designing, consisting of the following:
1) HTML and PHP files that I want the user to be able to access directly by typing in the url in the browser.
2) HTML files that are only to be viewed inside an iframe in 1) (don't ask me why I used iframes)
3) PHP files that are called on by 1), e.g. when form data is submitted. I want 2) and 3) to be accessible to 1), but not directly accessible to the user by typing in the url.
4) images and includes, etc.
5) maybe this is a different issue altogether, but I also have a MySQL database.
I understand that I can control access to files by putting them in private/public folders in the website directory? My question is how should my directory structure be and where should I put 1), 2), 3), etc.?
Thanks a lot for your help.
Your directory structure does not matter. Any URL that is accessible to some users is accessible to all users. You only have control over the content of that URL.
If you really need to limit access to the content loaded by 1) you have to use PHP to serve the content. That PHP script can check some parameters or login credentials or something that makes sure the URL has been loaded by 1).
However, it's hard to give you a clear answer since you don't describe the concrete problem you're having. For example, it makes much difference how secure the method needs to be. For example, it's rather simple to check if a URL is loaded inside a frame using JavaScript but that check is not hard to circumvent.
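One way to have PHP serve the protected content after a login check, as this answer suggests. This is an added example, not code from the answer; it assumes PHP 8.1+, and `PRIVATE_DIR`, the `user_id` session key, the `page` parameter and the file names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: serve.php, the only public entry point for the protected files.
// PRIVATE_DIR sits outside the document root; all names here are assumptions.
const PRIVATE_DIR = '/var/www/vhosts/sitename.com/private';
const ALLOWED = [
    'frame-a' => ['frame-a.html', 'text/html; charset=utf-8'],
    'frame-b' => ['frame-b.html', 'text/html; charset=utf-8'],
];

function deny(int $status, string $message): never
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($message);
}

session_start();

// 1. Only logged-in users: the login page is assumed to set $_SESSION['user_id'].
if (empty($_SESSION['user_id'])) {
    deny(403, 'Login required');
}

// 2. Map a short key to a fixed file name; the request never supplies a path.
$key = $_GET['page'] ?? '';
if (!is_string($key) || !array_key_exists($key, ALLOWED)) {
    deny(404, 'Not found');
}
[$file, $type] = ALLOWED[$key];

// 3. Defence in depth: the resolved path must still be inside PRIVATE_DIR.
$base = realpath(PRIVATE_DIR);
$path = realpath(PRIVATE_DIR . '/' . $file);
if ($base === false || $path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
    deny(404, 'Not found');
}

header('Content-Type: ' . $type);
header('X-Content-Type-Options: nosniff');
header("Content-Security-Policy: frame-ancestors 'self'");   // only this site may frame it
readfile($path);
```

The `frame-ancestors` header limits which sites may embed the page; a logged-in user can still open the URL directly, which matches the answer's point that only the content can be controlled.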
Your httpdocs directory is your Apache DocumentRoot (found in /etc/httpd/conf/httpd.conf) or your vhost DocumentRoot (if you've got vhosts defined), so assuming Linux:
1,2,4 should go into /var/www/vhosts/sitename.com/httpdocs/ - these are directly accessible through the browser.
3 should go into /var/www/vhosts/sitename.com/library/. When the user submits data it should hit a handler page (the user must be able to "see" this page) and that page includes the necessary files from this library directory. As long as your server is configured to run PHP for all *.php scripts this is probably unnecessary, as there is little advantage to be gained from hiding PHP scripts. If you don't want them invoked directly and you'd like to leave them in a publicly accessible area, try:
public script:
define('INVOKED_BY_SCRIPT', true);
...
include "../library/hiddenScript.php";
"hidden" script:
if (!defined('INVOKED_BY_SCRIPT') || true !== INVOKED_BY_SCRIPT) {
    echo "Cannot invoke directly";
    exit;
}
Your MySQL database should be in /var/lib/mysql, or wherever it's been installed by default. Be sure to run the MySQL security script mysql_secure_installation to remove default passwords and test databases.
Everything except the includes should be in your public_html directory.
For 3, it is not possible to have a PHP script that can be referenced by a form but is not accessible by the user typing the address into the address bar. The best you could do is to check the post variables to see whether anything has been posted. You could check the HTTP_REFERER variable, but I would not recommend this since it cannot be relied on.
You can't make HTML only to be viewed inside an iframe.
There are NO files called by 1). It's the user's browser that calls your files.
So, just leave your directory structure as is, it's okay.
What you're probably looking for is a way to "hide" your executable files outside of the document root, which you can do with a directory structure something like this:
public_html          <-- (document root)
    index.php        <-- (publicly accessed index file)
    images
    htmlstuff
private_index.php    <-- (application's "real" index file)
application
tmp
Then, for public_html/index.php, you'd just have:
<?php
require_once('../private_index.php');