dealing with Tokens in the session PHP online - php

I'm making use of storing random token values into session as well as flash message which prints out messages for one time only upon registration of updating profile,, this is working so far like it should on the localhost - wampserver. However, after deploying the website to the live server the process works correctly as long as the user is not logged in, after I log in I just can't update the profile at all, also after a successful registration the message "you have been registered successfully" is shown every time I go to the the homepage while it should only appear once and only once.. and again on the local server it is working like charm.
So after checking some online resources the answer was it mostly the configuration of php.ini on the server is what causing the problem, so I checked the php.ini on the server and after comparing it to the local one i found these two line missing concerning the Session field:
session.save_path = "c:/wamp/tmp"
session.use_only_cookies = 1
Then I added them to the online version of php.ini and it still doesn't work, of course I've changed the save_path to some random value but the whole storing in session doesn't work at all until i comment the session.save_path line, the other line didn't change anything so I don't know where the problem is.
Thanks in advance.

you're trying to write to a directory php doesn't have write access to. when you comment out the line, it stores it in the default php save path, which it does have write permissions.

I just found this PHP Based session variable not retaining value. Works on localhost, but not on server and it is exactly the cause of the problem, these people using register_globals ON .. that's it.

Related

PHP Session Start Fatal error: Can't use function return value in write | Following Extensive Troubleshooting

Fatal error: Can't use function return value in write on line 3
I've looked extensively for an answer to my specific situation with no progress. Please review what I've already tried and I've included my VPS global php.ini file. No php.ini files exist within the website root.
<?php
session_start();
?>
<!DOCTYPE html>
<html>
I have no idea how that's possible. Please check out what I've already done to try to solve the problem.
Problem originated when I was unable to pass variables to another page using
$_SESSION['$example'] variables with no luck. But I'll worry about that next.
VPS System Specs Currently (Servers/Networks Are Not My Strong Area)
Apache 3 on CentOS 6.8
Default PHP Version | 5
PHP 5 Handler | suPHP
Apache suEXEC | off
Apache Ruid2 | off
Default PHP Version (.php files) | 5
PHP 5 Handler | suPHP
Attempted Solutions
Disabled .htaccess
.htaccess contains
***suPHP_ConfigPath /***
Header append Vary User-Agent
Prior to disabling:
Removed All 301 Rewrite Rules as I've read they interfere with
sessions
Disabled Error Documents
Ensure No Whitespaces Following session_start();
Caching
Turned off all caching through WHM (that I'm aware of)
Tested both Firefox and Chrome before and after clearing history/cookies/cache/etc
Deleted CloudFlare service for this domain
Additional Information
I Don't have a php.ini file since I use a VPS (in case anyone was wondering)
I use php on almost every other page.
Here is an example of the first few lines of another page.
<?php
session_start();
$ip = $_SERVER['REMOTE_ADDR'];
//Version 1.75
The above code is just the first few lines but the page executes fine without issue. It should be noted that this is a redirect page following a PayPal payment to my website. This issue is recent and previously it has worked fine.
It should also be noted that I use session_write_close(): session_unset(); and session_destroy(); on appropriate pages to unset all $_SESSION variables and terminate sessions.
Below is a link to the php.ini file as text if that helps. The domain contained in the link is not the domain with the issue. I'm not attempting to be "shifty" about the domain with the issue, I just don't want people using the service when it's not working properly.
Global PHP INI File As Text Document
Anyone who solves this, I owe you!
-Andrew
Solved Accidentally
I solved the issues, but still don't know what was causing the Fatal Error
Fatal error: Can't use function return value in write on line 3
$_SESSION variables didn't pass between pages.
I solved both the Fatal Error issue and the $_SESSION variables problem by doing one thing. For some, this may be standard procedure, but I am self-taught and this did not occur to me. I was making changes to the PHP advanced configuration in WHM and never did not see any changes as a result.
I was banging my head against the wall for two days trying every solution I read in the forums.
Apache Server Restart
I never restarted my Apache Server during this time, both issues were resolved.
While this solution may seem rudimentary or common practice for some, it's easy to overlook. I read at least 30 different forum posts on Stack Overflow and other sites. Not one suggested an Apache Restart as a method to check.
PHP Configuration
I changed my PHP configuration as listed below and my sessions variables were passing.
session.use_cookies = 1
session.use_only_cookies = 1
session.use_trans_sid = 0
Thank you for everyone who took the time to look at this.
Sincerely, Andrew

Can't log in to mediawiki: canceled as a precaution against session hijacking?

I'm using a private mediawiki hosted on AWS EC2 instance for years
I thought something gone wrong with some extension, specifically stopping in the middle of math rendering, so I tried to reload the page with Google Chrome browser's cache were all erased.
Right after that, I can't log in seeing this message "There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Go back to the previous page, reload that page and then try again."
I tried,
1. restart apache server
2. tried MediaWiki sessions and cookies not working on multi-server behind CloudFlare
3. tried Mediawiki, can't login after password change
4. tried "go in your LocalSettings.php and at the end add the following code of line :session_save_path("tmp");Create a folder "tmp" in your wiki installation directory. give rights 777 (permissions)" as in https://www.mediawiki.org/wiki/Topic:Pjby0sdeg3e60rfy
5. checked the server's hard disk storage, but it has free space of way more than 3.5gb.
How do I fix this and is there any way of disabling this really helpful "PRECAUTION" feature?
Adding $wgSessionCacheType = CACHE_DB; to LocalSettings.php solves the problem. No need to change $wgMainCacheType.
This works, without the "precaution against session hijacking" error:
$wgMainCacheType = CACHE_ACCEL;
$wgSessionCacheType = CACHE_DB;
Turned out to be something went wrong with cache settings in LocalSettings.php. Resolved after removing (almost all) customized cache settings.
MediaWiki authentication and session handling has been rewritten for 1.27; see announcement (the last section). Session hijacking warnings mean the CSRF token you are submitting was not found in the session, which in turn usually means the session storage is configured wrong.
Twice now, we started getting this error after the server ran out of space. Turns out, both times it was because the objectcache table had been corrupted.
To fix it, just run the SQL statement (e.g. at a MySQL prompt):
REPAIR TABLE objectcache;

PHP session_start(); has started hanging the server

I have a DMZ set up with a web server and an application server, both running Ubuntu under gnome (v11.04 on the web server and v11.10 on the application server). session_start() has started hanging on the application server. The code is located on the application server and it does not hang when I access my web site and access the page with the session_start() call on it. It seems that every session_start() has started hanging on the application server although I have no problems with the associated pages when I access them from other computers or across the web. Also I have only just started having this problem on the application server without having made any changes to my php code. Could it be that some buffer has filled up and needs to be cleared?
I tried editing /etc/php5/apache2/php.ini and setting
session.save_path = "/tmp"
/tmp exists.
But I still have the problem. I can stop it hanging by preceding session_start() with session_end() but then it does not execute the remaining PHP or html code in the file.
/var/log/apache2/error.log included the following message:
PHP Notice: A session had already been started - ignoring session_start() in
/var/www/DraculaPgm.php on line 101, referer:
http://MyWebSite.com/ApplicationServer/Dracula.php
Any assistance with this would be greatly appreciated,
Peter.
Update 29-Dec-2012
Thank you to everyone who replied to this question. Unfortunately, I tried all of the suggestions and 'session_start()' still hangs. However, if I leave it for a few minutes, it breaks with the following error message.
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /ApplicationServer/Dracula.php.
Reason: Error reading from remote server
Apache/2.2.17 (Ubuntu) Server at MyWebSite.com Port 80
I have squid installed on the web server. Could this be a problem?
Thanks,
Peter
This sounds like a configuration issue. Make sure that PHP is reporting all errors, i.e., error_reporting(E_ALL) and either display or log all errors. (You might even want to enable display_startup_errors in your php.ini) - reporting all errors may shed light on what's going on. (if you need help you can post any errors that you get from this as an edit) You may want to look at the following as well for troubleshooting the issues with sessions:
When using /dev/random as session entropy file
When page is calling itself with the same session
Alternatively if none of those show anything you may want to read over the bug report at https://bugs.php.net/bug.php?id=28856&edit=1 depending on what version of PHP you are running.
I changed 'session_start()' to the following block.
if(!isset($_SESSION))
{
session_destroy();
session_start();
}
I now do not have the problem. I am hesitant to say that it fixed the problem since it did not seem to fix it right away.
Thank you to everyone for your help,
Peter.
Try changing the permission of the /tmp folder by doing chmod 777 /tmp and check if its working.If its working then change the permission mode to make it more secure
Try checking out this Question I call session_start() the script hangs and nothing happens
And this http://www.projectpier.org/node/1934
"It seems that the session file is opened exclusively. On some
occasions (Windows) I have found that the file lock is not released
properly for whatever reason, therefore causing session_start() to
hang infinitely on any future script executions. My way round this
problem was to use session_set_save_handler() and make sure the write
function used fopen($file, 'w') instead of fopen($file, 'x')"
You can find many others having the same problem and their workarounds if you go through http://php.net/manual/en/function.session-start.php
if(!isset($_SESSION))
{
session_start();
}
Use this at the top of your PHP file!
And for your info: session_destroy() is used to end session.
Before anything else - try another browser!
I just encountered this session_start problem. I checked my tmp folder and everything and I was about to call my hosting-provider until I thought I should try another browser first because it might have to do with session cookies.
I work with chrome, so I tested in IE and found that it was indeed the case: It worked in another browser!
I closed IE ;) - went back to chrome, looked for the cookie (PHP_SESS_ID), deleted it and everything works again!
Well, the good part is - Just like you guys I got to brush up my knowledge of -jay- sessions! ;)

php session variable value is null when hosted to server

i having a strange issue in sessions.. this is working in WAMP server in my local machine.. my problem is wen hosted to a server in US it's not working..
im doing like this:
session_start();
$_SESSION['test'] = 'testing login..';
in another page i'm doing:
session_start();
echo('my session value is : '.$_SESSION['test']);
but i'm getting only
my session value is :
my session value is not setting..
i checked the session.save_path in cPanel of the server it says /tmp.
pls help..
thanks in advance.
Maybe your script dies because session_start fails with "headers already sent" ? This could happen, for example, if your test machine and production server don't encode new lines the same way...
The errors are probably not displayed on your production server, try something like that :
ini_set('display_errors', 1);
session_start();
and see if you get something useful.
The php opening tag must be written at first line of a php file. This method help me to solve this problem.
Check the permissions on your session.save_path. This location will need to be writable by the Apache/httpd user.
Also check to see if you session.save_path contains any sess_ prefixed files.
thanks for all the help.
my issue was security permission in /tmp folder. once it rectified it's working.
mean time dont use only numeric for SESSION ids, (Eg. $_SESSION['12345']) because in linux hosting its not taking the numeric only index and skipping that. (so use $_SESSION['ACS12345'])..
Take a look at the way you created the file.
If you used auto language detection features, or something similar to create your file, then try creating a new PHP file. Copy your code and try again.
if you're using siteground as your hosting you will need to enable the auto session. follow this steps
Navigate to Dev
click on php manager
click on php variables
Load more until you find session.auto_start
Turn it to yes and you're good to go

Multiple mysqli connection problems

I am having some strange issues with mysqli connections.
I was working on a page with mysqli, and it has been working fine all day. I then made a copy of this page, and stripped it down to debug a problem, and tested it as a different file. It worked fine connection wise. Upon trying to request the original file I was working on, I get the error:
Access denied for user 'user'#'localhost' (using password: YES)
I don't understand why. I have closed the connections after I have finished using them each time, although I don't see why that would be an issue. Interestingly, an older version of the file works fine, despite containing the exact same connection details and code.
What is going on?
Turn the question around. Rather than saying the two versions (the one that works and the one that doesn't) are identical in the aspects that matter, focus on the ways in which they are different and try to isolate which difference(s) also matter.
Make an additional copy of the working version. Verify that it works. Try making it into a copy of the non-working version by applying as many of the changes as you can, one by one, to this test copy, until you have something that is as close as possible to the broken version but that still works. Compare these two, and that should show you where the problem is.
Weird. If you are testing files from the same machine they should be working (if they have same code).
Check again username & password, i.e. spaces or strange chars.
Just for the sake of it, run a diff between the working copy and older version of the file. Check for any issues like: moved brackets, variable name changes, etc. Maybe the part of the code that defines the username and password never gets run!
If you need a free program for that, check WinDiff
If you put:
error_reporting(E_ALL);
as the first line in your code do you get any errors on either page? There may be something strange like the program can't open an include file anymore.
You said copying File A to File B means File A doesn't work. What happens if you copy File A to File B, delete File A then copy File B to File A?
Ensure that your IP is added to the MySQL allowed connections list, also ensure your password is correct. Try providing a full hostname rather than localhost if possible.
Post your code if un-successful.

Categories