I'm having an issue with a Symfony2 site. I've got the codebase running on a production server, which is absolutely fine but I'm trying to get another developer started on the project and we're running into issues getting the build up and running. The environments are pretty much identical, the developer is using a Vagrant instance, the same provisioning on that instance was used to provision an EC2 instance on AWS.
When a form is submitted the action goes through and stores values to the session using Symfony's session handler before redirecting to another action which makes up step two of the form. I can see in Xdebug that the values are being added to the global $_SESSION variable, however when I reach the next break point in the second action the $_SESSION variable is missing the content that it had on the previous action. I'm not clearing the session anywhere, and as I said it works fine on production.
It's almost as if Symfony isn't storing session data between page loads, does anybody have any ideas?
Things tried
Adding cookie domain to the config
Setting permissions to 777 (just to test)
PHP Versions are one minor iteration apart (5.4.28-1 vs 5.4.27-1)
I had a similar issue after upgrading from PHP 5.4.27 to PHP 5.4.28, and in my case it was related to this bug: https://bugs.php.net/bug.php?id=66171
Quote from the description:
Second problem: When the session.save_path is a directory that
everyone can write into (like on Debian), even if it's not possible to
find the IDs of existing sessions, a local attacker can just create a
new session file with malicious session data, chmod it to 666 and
access any webapp hosted on the system with the session ID he chose.
The webapp then opens the session file and treats it as if it had
created it. My fix: fstat() the session, check the uid that created
the file. If it's neither the result of getuid() nor uid 0, ignore the
existing file.
They now compare the owner of the session files with the user executing the PHP script, and if the uids do not match, the session file will be ignored.
In my case, the apache user had write access to the session files through group rights, but because the uid did not match, PHP would not load the session files.
Have a look at your session files (you can find the save path in your php.ini file), and make sure the owner of the files matches the user attempting to access them.
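The ownership check described in this answer can be run ahead of time as a small diagnostic. This is an added example, not code from the original post or from PHP itself: the function name is hypothetical, it assumes the posix extension and a flat save path (no "N;" subdirectory levels), and it applies the rule quoted from the bug report (owner must be the PHP user or uid 0).

```php
<?php
// Added example: list session files that PHP would ignore after the
// bug #66171 fix because their owner is neither the PHP user nor root.

/**
 * Return session files in $savePath owned by someone other than $uid or uid 0.
 * findForeignSessionFiles() is a hypothetical helper name.
 */
function findForeignSessionFiles(string $savePath, int $uid): array
{
    $foreign = [];
    foreach (glob(rtrim($savePath, '/') . '/sess_*') ?: [] as $file) {
        $st = @stat($file);
        if ($st === false) {
            continue; // file vanished or cannot be stat'ed
        }
        if ($st['uid'] !== $uid && $st['uid'] !== 0) {
            $foreign[] = [
                'file'  => $file,
                'owner' => $st['uid'],
                'mode'  => sprintf('%04o', $st['mode'] & 07777),
            ];
        }
    }
    return $foreign;
}

// Usage: php check_sessions.php [save_path] [uid_of_web_server_user]
// The CLI php.ini can differ from the web server's, so pass both explicitly
// when checking on behalf of Apache/FPM.
$parts = explode(';', (string) ini_get('session.save_path'));
$path  = $argv[1] ?? (end($parts) ?: sys_get_temp_dir());
$uid   = isset($argv[2]) ? (int) $argv[2] : posix_getuid();

// A save path writable by everyone is the precondition named in the bug report.
$dirMode = fileperms($path) & 07777;
if ($dirMode & 0002) {
    printf("%s is world-writable (mode %04o)\n", $path, $dirMode);
}

foreach (findForeignSessionFiles($path, $uid) as $f) {
    printf("%s: owner uid=%d, mode=%s, will be ignored for uid %d\n",
        $f['file'], $f['owner'], $f['mode'], $uid);
}
```

Group write access (the situation described in the answer) does not help here: only the owner uid is compared, so the fix is to make the PHP user own the files rather than widening the mode.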
I'm using session variables in my php application, and I put session_start() at the first line (after the php, of course) of all my pages. But I'm losing data from two pages before.
Example: If I store $_SESSION['var1'], in the next page I will retrieve its value correctly, but if I go one more page ahead, I lose the data.
I use session_start() in all pages and I only reset the session at the index page where my user logs in.
Has anyone been through this and knows what I can do? I'm testing using wamp, and in the localhost the problem doesn't happen. It only happens at my company's godaddy server (with cpanel hosting).
Solved.
My index.php was destroying the session data, even if the page doesn't pass through it, the session was always erased.
This is just a comment
It's the problem of the server and not the script. Usually to maintain the server load the sessions that are created at your site can expire in a short amount of time. There are ways like editing the php.ini file of the www directory but every hosting server could have different methods.
I've seen this many times, especially when inspecting (older) browsergame scripts, storing their user sessions in e.g. /project/sessions or /project/tmp. Is there any valid reason not to use the default session save path?
From manual:
Warning
If you leave this set to a world-readable directory, such as /tmp (the
default), other users on the server may be able to hijack sessions by
getting the list of files in that directory.
Also usually the default temporary directory gets cleaned on reboot and session data may be lost.
Each time I update my application on AppFog, all logged-in users are logged out automatically.
Because the session is lost!
How can I solve this problem?
The application is built in PHP on top of Yii Framework 1.1.14
The problem is, that Yii uses CApplication::getId() to generate cookie ID. This method uses basePath to generate that ID.
return $this->_id=sprintf('%x',crc32($this->getBasePath().$this->name));
As you deploy new version, the base path of your application changes, so cookie ID is regenerated and sessions are lost.
The solution would be to specify your own application ID in protected/config/main.php
"id" => md5(php_uname().'somHardGuessableRandomString'),
somHardGuessableRandomString part should be randomly generated.
It may be either due to the session or due to the authorisation file being overwritten during an update.
refer: http://www.yiiframework.com/doc/api/1.1/CHttpSession#savePath-detail
and http://in2.php.net/manual/en/session.configuration.php#ini.session.save-path
The authorisation temp file is stored in /protected/data/auth.php by default.
You can avoid this either by specifying a different path to those files (the session file defaults to the PHP session save path) or by moving the session management to the DB, using CDbHttpSession instead of CHttpSession and CDbAuthManager instead of CPhpAuthManager respectively. This article explains session management in Yii in more detail.
It is more likely an authorisation issue, as the application directory gets overwritten during an update rather than system tmp directories. If you use version control to update your app you can configure it to ignore this file (.gitignore or equivalent).
The AppFog filesystem is not persistent. When you update you are rebuilding the application to essentially a new server so anything stored in the filesystem is lost, including the session files.
Probably the only solution is to save the session details to a database.
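The answers above (a fixed application ID, and sessions plus authorisation data moved to the database) combine into one Yii 1.1 configuration. This is an added example, not the original posters' config: the DSN, credentials, table name and ID value are constructed placeholders.

```php
<?php
// protected/config/main.php
// Added example; all concrete values below are constructed placeholders.
return array(
    'basePath' => dirname(__FILE__) . DIRECTORY_SEPARATOR . '..',
    'name'     => 'My Application',

    // Explicit application ID, so it is no longer computed as
    // sprintf('%x', crc32(basePath . name)) and does not change when a
    // deploy moves the application to a different base path.
    // Generate a random string once and keep it across deployments.
    'id' => 'REPLACE_WITH_RANDOM_STRING_GENERATED_ONCE',

    'components' => array(
        'db' => array(
            'connectionString' => 'mysql:host=localhost;dbname=myapp', // assumed DSN
            'username'         => 'myapp',
            'password'         => 'CHANGE_ME',
            'charset'          => 'utf8',
        ),

        // Session data lives in the database instead of files under
        // session.save_path, so it survives a rebuilt filesystem.
        'session' => array(
            'class'                  => 'CDbHttpSession',
            'connectionID'           => 'db',
            'sessionTableName'       => 'yii_session',
            'autoCreateSessionTable' => true,
        ),

        // Authorisation data lives in the database instead of
        // protected/data/auth.php; its tables must be created beforehand.
        'authManager' => array(
            'class'        => 'CDbAuthManager',
            'connectionID' => 'db',
        ),
    ),
);
```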
I'm having problems with PHP sessions that only occur on my testing server (everything works fine on my localhost). I'm developing a custom Wordpress theme, based on Roots. My localhost is OS X (PHP 5.4.4) and the testing server is Ubuntu (5.3.10-1ubuntu3.8).
The problems include:
New sessions created each time I refresh the page (which I can see by rendering session_id() in the footer and checking /var/lib/php5/session)
Functions called through an AJAX request unable to access the correct session, even though session_name() and session_start() are called before they try
Other details:
I'm trying to save variables into a named session, so each time I call session_start() I'm currently doing it like this:
session_name('my_session'); //Not sure if this line strictly required
if (!session_id()) {
    session_name('my_session');
    session_start();
}
The above is first called in a function init_sessions, hooked into Wordpress like this: add_action('init', 'init_sessions');, then also used in the other files that need access to session variables (e.g. those requested via AJAX).
On localhost, I can see the session file created in /Applications/MAMP/tmp/php and also see a session appear under the Cookies tab in Firebug. However on my testing server, although (too many) session files are created in /var/lib/php5/session, I don't see the session appear in Firebug.
Running phpinfo() doesn't show any significant difference between the PHP directives on my localhost and those on my testing server.
The testing server is really two (Rackspace) servers with a load balancer, but I don't think this is an issue as session persistence is set up.
The testing server is set up as a subdomain e.g. test.my-domain.com.
I've got PHP error reporting turned on but haven't noticed any.
I've deactivated all other Wordpress plugins.
I'm sure it's more likely to be a problem with my script than Rackspace's set-up, but I'm a bit stumped at the moment. I'm particularly curious about why I can see session files created on the testing server in /var/lib/php5/session, but don't see them appear in Firebug's Cookies tab.
Any ideas very welcome. Thanks!
Ok - think I've identified what's going on (though not resolved it yet). It looks as though the problem is down to Varnish. When a user is logged-in, the session functions perfectly. Thanks to everyone that suggested a fix.
What's the best way to search if a PHP session has been created on the server?
For example, store the name Joe somewhere in a session, and then after Joe closes his browser, can I then lookup (in a php script elsewhere on my computer) if Joe's session still exists on the server (i.e. not yet expired)?
Session data is usually stored in the server's temporary directory (the session.save_path setting).
While it is theoretically possible to search through that directory, go through every session file, open it, and look for whether it's Joe's session, it's not a clean approach, and there are many ways it can break - for example if the server doesn't give you a list of the files in the temporary directory to start with. Or what if a user has multiple simultaneous active sessions?
If you really need this, you should probably create a custom session handler that stores its data in its own directory or database. For that custom handler, you can then implement an interface that allows you to query whether a certain user is logged in, or a specific session exists.
On the server, check the path set to store sessions in PHP using the directive session.save_path
and then try to decode the files in there using the session_decode() method.
More information can be found in the links below:
Location of session files
Reading Session Data