I am starting an old app refactoring, I will rebuild some functionality from spaghetti code to MVC (Symfony). Plan was I will set up new IIS app, using subdomain. Now, old app is running PHP 5.3 which can't be upgraded. New app will be running on PHP 5.6. Only thing I need to carry is authentication. I can have login script either on old or new app.
I tried setting session cookie params but I can't get it working.
Is it possible at all or do I have to use database?
If it is not possible, can that be achieved in Apache?
Edit:
What I'm to do is:
session.cookie_domain = ".dev"
In both php.ini. Then I start the session in one, set a session variable.
session_start();
$_SESSION['test'] = 123;
Then in the second app (php 5.6) I'm trying to read it:
session_start();
var_dump($_SESSION);
But it's empty.
Apparently setting session cookie domains does not work for top level domains (TLD), like .dev
Changed my code to:
ini_set('session.cookie_domain', '.local.dev');
and now I am able to set session variables on .local.dev website and read them in new.local.dev
Both apps are physically in separate folders, operate from two IIS entries and using different PHP versions.
For sharing session between different php versions, they have to physically have the same session.save_path ini setting which defaults to /tmp.
So if you have two PHP versions in different Docker containers, you should set the session.save_path for both versions to something like /tmp/php_session and then share that directory with both Docker containers.
Related
I'm having an issue with a Symfony2 site. I've got the codebase running on a production server, which is absolutely fine but I'm trying to get another developer started on the project and we're running into issues getting the build up and running. The environments are pretty much identical, the developer is using a Vagrant instance, the same provisioning on that instance was used to provision an EC2 instance on AWS.
When a form is submitted the action goes through and stores values to the session using Symfonys session handler before redirecting to another action which makes up step two of the form. I can see in Xdebug that the values are being added to the global $_SESSION variable, however when I reach the next break point in the second action the $_SESSION variable is missing the content that it had on the previous action. I'm not clearing the session anywhere, and as I said it works fine on production.
It's almost as if Symfony isn't storing session data between page loads, does anybody have any ideas?
Things tried
Adding cookie domain to the config
Setting permissions to 777 (just to test)
PHP Versions are one minor iteration apart (5.4.28-1 vs
5.4.27-1)
I had a similar issue after upgrading from PHP 5.4.27 to PHP 5.4.28, and in my case it was related to this bug: https://bugs.php.net/bug.php?id=66171
Quote from the description:
Second problem: When the session.save_path is a directory that
everyone can write into (like on Debian), even if it's not possible to
find the IDs of existing sessions, a local attacker can just create a
new session file with malicious session data, chmod it to 666 and
access any webapp hosted on the system with the session ID he chose.
The webapp then opens the session file and treats it as if it had
created it. My fix: fstat() the session, check the uid that created
the file. If it's neither the result of getuid() nor uid 0, ignore the
existing file.
They now compare the owner of the session files with the user executing the PHP script, and if the uids do not match, the session file will be ignored.
In my case, the apache user had write access to the session files through group rights, but because the uid did not match, PHP would not load the session files.
Have a look at your session files (you can find the save path in your php.ini file), and make sure the owner of the files match the user attempting to access them.
I'm having problems with PHP sessions that only occur on my testing server (everything works fine on my localhost). I'm developing a custom Wordpress theme, based on Roots. My localhost is OS X (PHP 5.4.4) and the testing server is Ubuntu (5.3.10-1ubuntu3.8).
The problems include:
New sessions created each time I refresh the page (which I can see by rendering session_id() in the footer and checking /var/lib/php5/session)
Functions called through an AJAX request unable to access the correct session, even though session_name() and session_start() are called before they try
Other details:
I'm trying to save variables into a named session, so each time I call session_start() I'm currently doing it like this:
session_name('my_session'); //Not sure if this line strictly required
if (!session_id()) {
session_name('my_session');
session_start();
}
The above is first called in a function init_sessions, hooked into Wordpress like this: add_action('init', 'init_sessions');, then also used in the other files that need access to session variables (e.g. those requested via AJAX).
On localhost, I can see the session file created in /Applications/MAMP/tmp/php and also see a session appear under the Cookies tab in Firebug. However on my testing server, although (too many) session files are created in /var/lib/php5/session, I don't see the session appear in Firebug.
Running phpinfo() doesn't show any significant difference between the PHP directives on my localhost and those on my testing server.
The testing server is really two (Rackspace) servers with a load balancer, but I don't think this is an issue as session persistence is set up.
The testing server is set up as a subdomain e.g. test.my-domain.com.
I've got PHP error reporting turned on but haven't noticed any.
I've deactivated all other Wordpress plugins.
I'm sure it's more likely to be a problem with my script than Rackspace's set-up, but I'm a bit stumped at the moment. I'm particularly curious about why I can see session files created on the testing server in /var/lib/php5/session, but don't see them appear in Firebug's Cookies tab.
Any ideas very welcome. Thanks!
Ok - think I've identified what's going on (though not resolved it yet). It looks as though the problem is down to Varnish. When a user is logged-in, the session functions perfectly. Thanks to everyone that suggested a fix.
is it possible and how to pass php session variables i have with a php and apache.
I have a main site with log in option for my users that runs from apache server and I want to use nginx as a chat/communication server that automatically gets all session variables i have in apache/php session without to pass php session id (for security reason). Both servers have a same ip and stais on a same domain. Nginx server will be on subdomain. Already have set php session to work on any sub domain but is this is valid also if I use nginx server.
Any example will be helpful.
Thanks in advanced.
Technically, the php sessions are files, which are usually located somewhere in /tmp. So once you've the session cookie, you can just read and unserialize the file's contents — after checking, it goes without saying, that the session is not expired.
If you need a more convenient format, look at php's session options. I'm quite sure you can serialize it as json for more portability, and there are ways to store sessions in SQL or even memcached.
I am in the process of moving away from Apache in favor of nginx due to the lower resource consumption. I have set up an Ubuntu Server box with the LEMP stack installed. After moving all my applications over (3 CakePHP 2.0.5 apps, 1 Wordpress install), everything seems to be working perfectly except for one thing - Cake's cookies suddenly disappear when the browser is closed.
I have created a very simple test PHP page to test if cookies are working at all and they are in fact working, just not in Cake. Wordpress is also not having any troubles remembering me when I close my browser.
Using the Chrome developer tools, I have inspected to see if the cookie is being set at all, and it is as you can see below:
The expiry date is even set a month into the future as well, so I don't understand why they don't live past browser close. As soon as I fire my browser up and navigate to my app, the cookie is now gone:
One thing I did notice is that with my app running on Apache, the CAKEPHP cookie you see above above has the same value before and after close. However on the nginx server, that cookie has a different value everytime I close and re-open my browser.
I thought this might have to do with sessions, so I checked my session settings in core.php and it's set to let PHP do the session handling:
Configure::write('Session', array(
'defaults' => 'php'
));
I've checked my /tmp directory and session files are being created. I tried changing the session handler to cake so that Cake would store sessions in its app/tmp/sessions directory, and while the sessions would successfully get created in this directory my cookies are still lost on browser close.
Has anybody experienced this behavior between nginx and Cake before, or have any ideas as to why this might be happening?
The problem is related to encrypted cookies and the Suhosin patch. Apparently Suhosin ignores any mt_srand() and srand() calls you make and initializes the randomizer itself [see here]. Because Cake relies on these functions, it was interfering with my encrypted cookies. To fix it, I added these two lines to my php.ini file and rebooted the server (note that simply restarting nginx didn't work):
suhosin.srand.ignore = Off
suhosin.mt_srand.ignore = Off
I'm split as to whether this is an SO question or a SF question, so I'm starting here.
We have a legacy application running under PHP 4 (don't ask), and some other code we need to run under PHP 5.
Session data that is set on the PHP 4 side doesn't seem to be visible/present when running code on the PHP 5/cgi side.
I'm doing a session_start, adding some session data under PHP 4, and then doing a var_dump of the session from PHP 5 and $_SESSION is null.
Has anyone got this working?
Environment:
Apache 2.2.x
PHP 4.4.9 (mod_php)
PHP 5.1.3 (cgi)
Centos 5.6
First, have you verified that the session.save_path is the same for both versions of PHP? You can get/set it with session_save_path().
Second, are you sure both PHP instances are using the same session ID, or is each version generating its own session ID? You can get/set it with session_id(). If they aren't, verify that the session.name is the same, or else they might be trying to load the session ID from different cookies. (Can be get/set with session_name().)
Even if both of the above match, I don't know whether or not they can even share a session like that. If not, you can define a custom session handler for both of them to use. That's how applications that are load-balanced usually work -- they have a custom session handler that saves session info wherever/however they want (usually in a database instead of files), and all servers can access that shared location. See session_set_save_handler().