I've just started using PHP and have run into a rather odd issue with using sessions and google chrome.
I start a session and set some variables when a user first logs in, and then access the session variables at different points across my web-app, which is working as expected. The problem is that if someone else visits the web-app from a different computer (on the same network), they are treated as being logged in as the first user.
What's weirder is that this only seems to occur when using chrome. If I sign-in using firefox or IE, then navigate to the app on a separate computer (using any browser) the problem doesn't occur.
Clearing cookies in chrome seems to work, but I would like to know why this is happening to prevent security problems in the future.
Related
I have this script that works well on other servers but the session part fails on a particular host. I have pointed to another server but would really like to figure out what could be the problem. I have observed that :
It takes 5-15 mins for changes on code to reflect(e.g changing
text on index page).The server seems to cache pages especially index
(BTW i cleared my browsers cache e.t.c)
When i logout and login as another user the server still retains
the session of the last user on the index page (the other pages seem
OK)
I can open index.php (without logging any user) and what i
believe is the last logged in users details display
I tried swapping my code for some authentication systems on github (just to be sure) even PHPAuth which uses cookies (not sessions) fails the same way. But the same code works flawlessly on localhost as well as other servers.
So i would like to figure out exactly what goes on on that host. It is a shared hosting package.
Got a reply from the host. Seems the problem was with the hosts session variable path. They fixed it.Thanks
We have about 100 users accessing our website daily. A majority of them have no issues logging in. However, once a month we get a call or email ticket with complaints that users just see the login page refresh, with no error messages or anything.
All error messages are sent through the PHP Session cookie, and of course everything after logging in is based off of that session. The only reason I could think that the page just refreshes HAS to be because they are blocking that session cookie on their local machine...
Now most often the user is on internet explorer, but occationally it even happens with Chrome or Firefox. I've even had a user (on OSX) who tried Safari, Chrome, FF - and it would NEVER let them log in, the page would just basically refresh. I had the user add the website as trusted, and still no luck.
It's the worst because I cannot reproduce it from any network or from any browser/computer, ever.
Does anyone know what could be causing something like this? The site IS forcing SSL (the HTACCESS file redirects to HTTPS). The site IS forcing the session cookie as HTTP-Only and the Secure flag is also set to TRUE (and these 2 are somewhat recent changes).
I'm unsure what other settings on the server or the PHP instance would be causing something like this, or if it's soley a client-side issue (which it appears to be). And if it's client side, I'd like to learn the issue and possible solutions to it.
To preempt everyone, no - I cannot share the website URL for debugging because the client would not appreciate that, unfortunately. Thanks for any help, I'll be happy to answer any question that I can!
Do you have more than one web server behind a load balancer? And are the PHP sessions stored locally on each web server? If so it is the load balancer's job to make sure a user keeps going back to the same server on repeated accesses. If something goes wrong, they could get sent to a server where they do not have a session. It could be some intermittent glitch sending users to the wrong server.
Just guessing, because as others noted, we don't really have enough info.
Does your session cookie have a valid name? I've run into this problem in the past where some browsers don't accept a session cookie if it has an invalid name, but other browsers do accept them;
http://php.net/manual/en/function.session-name.php
I have a website that requires a login. The logins are managed by an authentication token that is assigned to the target device (with a few others), but for some reason, its not working on Windows Phone. I have tested it on iPhone and all desktop browsers and it works on all of them.
I set it to show me the set cookies, and it is showing all the other cookies that have been set, except for the auth token cookie.
I tried changing the cookie name (to see if there was a collision with some redundant code running) but that didn't work (still working on desktop browsers).
I had placed a piece of code to detect the setcookie function call, which told me it was being called correctly. In the same code path of the login and setcookie I did a var_dump of the $_COOKIE then too and it showed that the token had been temporarily sent.
The code does contain the ability to detect a mobile browser, but it is unused (outside of a few small parts of the template engine).
An additional note about the code is that from the start, right up till the end, the output buffer is enabled, and only printed at the end of the code.
What else can I do to try to find the cause of the problem, or what could be causing the problem specifically for Windows Phone.
EDIT
I have just tested it on an iPad, and it is also not working. Very strange as it works on normal iPhones and the Safari browser.
EDIT
I have installed a server (AMPPS) on a computer on my LAN running the site (with the same db) and the login function works correctly.
In addition, during my tests, on the mobile (on the live version), the user is redirected to the users only page, but the cookie is not detected, and the user is returned to the sign in page. Other cookies are, but the auth token is not.
All of the cookies are set in the same way, with an expiry of time() + 3600, and the path set to '/'
I think I have fixed it. The code included some IP validation for the tokens, but for some reason, on those devices, the IP (returned from $_SERVER['REMOTE_ADDR']) is 127.255.255.255, which was incorrect. Not sure why it was doing that instead, but I have amended it so that the IP is not taken into consideration for invalid ips (such as 127.255.255.255) and it is working now.
We have a PHP site that our users as well as clients use. Our login system works fine on all browsers.
Recently we came across a client who was unable to login into the system. We also tested the same on the clients side and failed to find a solution.
When a client logs in a cookie tk_client_admin is created in the browser, this is created correctly on all browsers at our side, but the same fails to create in the clients browser both IE and Chrome. On FF is works both sides.
This issues seems to be happening only on IE and Chrome and for certain clients only, what could be the problem?
Based on the information you provided, it sounds like there is some sort of network wide restriction placed on IE and Chrome. Maybe they're not permitted to created cookies.
Have you tried using the same browsers (IE and Chrome) on their machines to connect to other sites that also require cookies?
I'm having some sessions problems after my ISP moved my site to a new server, supposedly setup the same. The problem appears to be browser-specific as well, which I don't quite understand.
First, my site uses sessions to login, this has been broken since they moved the site.
My ISP has set up a test page. When I hit this page in IE 6 (where it sets some session vars) and then hit the "header redirect" button, sessions seem to work fine. If I try it in Firefox/Opera, I get a new session id on the redirected page. My ISP reports sessions are working for IE as well, though I imagine they're using IE7 or perhaps even 8.
Everything was working fine on my site before my ISP moved it and while they've been very helpful in responding, they're at a loss as to why it's broken. A couple of other of my sites with them were broken along with the move, but they have been resolved by server tweaks...Does anyone have any ideas what's going on?
You're redirecting from "launchcomplex.com" to "www.launchcomplex.com"
If you set session.cookie_domain it should work - see session_set_cookie_params()
Cookie domain, for example 'www.php.net'. To make cookies visible on all subdomains then the domain must be prefixed with a dot like '.php.net'.
When they moved servers, did they move to a clustered configuration? Meaning when I hit your web page, am I always requesting content from the same physical server, or could be be any of a cluster of servers?
If the latter, that is your problem. Sessions are by default file-based, and thus are not scalable to multiple servers.
One solution is to use session_set_save_handler() to write your own session manager. Usually you would use a database to read/write session data using this method.