PHP session ID reset in IE - php

I have a page with just this code:
<?php
session_start();
echo session_id();
?>
running on localhost. In IE my session id gets reset with every page load (i.e. the session is reset, all old session info is lost). In any other browser it works just fine and my session id doesn't change on refresh.
This happens in browser modes IE7, IE8 and IE9 (actual browser = IE9). I've got IE privacy (cookies) settings on 'Accept all cookies'. Yet in developer tools 'cache->view cookie info' nothing is shown. Clearing all session cookies doesn't help either, nor does clearing browser cache. Though, in the PHP session storage dir a new session file is created at each refresh.
php session config:
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 5 5
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path D:\webserver\environment\temp\sessions D:\webserver\environment\temp\sessions
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies On On
session.use_trans_sid 0 0
So the weird thing is this happens only on IE, no other browsers and IE seems to be configured correctly...
Thanks for any tips!

Pressing "refresh" will generally send the same request as before - even if you've cleared the cache.
Close down IE completely. Go to control panel, open "Internet Options" from there and delete the cookies. Clear cache too, if you want to be sure. Then open IE and have another go.

Related

Can a POST request cause session getting destroyed, and if so how can it be prevented?

It looks like sessions are getting destroyed when POST request is sent to an application that I am working on.
The issue has been driving me insane - initially thinking there were issues with my business logic, then debugging the actually old Yii framework that the app makes use of.
It turns out the issue happens even in vanilla PHP.
I have simplified things for testing purposes and here is the code. A script I call manually:
<?php
session_start();
$_SESSION['test'] = '123';
From an HTML file:
<form action="http://localhost/checker.php" method="post" target="_blank">
<input type="text" name="PaRes" value="IDENTIFIED">
<input type="submit" value="TEST POST">
</form>
Finally, the checker file:
<?php
session_start();
var_dump($_SESSION);
The reason why the POST request is done from a local HTML file using an absolute URL is that this needs to simulate the requirement in the real app's business logic (i.e. an external website making a post request to the app).
If I call the checker.php file manually with a GET method, the value of $_SESSION contains the set value and is displayed even after several minutes after it's been set.
If I call the checker.php file with a POST method, the value of $_SESSION is empty after 1-2 minutes from when the session was set.
Any ideas on what the issue might be?
PHP is 7.3.23 running on macOS. Below are ini settings for the session section:
session.auto_start Off
session.cache_expire 180
session.cache_limiter nocache
session.cookie_domain no value
session.cookie_httponly no value
session.cookie_lifetime 0
session.cookie_path /
session.cookie_samesite no value
session.cookie_secure 0
session.gc_divisor 1000
session.gc_maxlifetime 1440
session.gc_probability 1
session.lazy_write On
session.name PHPSESSID
session.referer_check no value
session.save_handler files
session.save_path no value
session.serialize_handler php
session.sid_bits_per_character 5
session.sid_length 26
session.upload_progress.cleanup On
session.upload_progress.enabled On
session.upload_progress.freq 1%
session.upload_progress.min_freq 1
session.upload_progress.name PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix upload_progress_
session.use_cookies 1
session.use_only_cookies 1
session.use_strict_mode 0
session.use_trans_sid 0
UPDATE:
It looks like this is only happening in Google Chrome. The session doesn't get destroyed when testing in Firefox.
I have Chrome 87.0, cleared all browsing data, no extensions installed.
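Added example, not part of the original question: Chrome treats a cookie with no SameSite attribute (here "session.cookie_samesite no value") as Lax, apart from a roughly two-minute window after the cookie is set during which it is still sent on top-level cross-site POSTs, which matches the timing described. The sketch below sets the attribute explicitly for a session that has to survive an external POST. It assumes PHP 7.3+ and an HTTPS site, and the function names are hypothetical.

```php
<?php
// Added illustration, not the asker's code. Assumes PHP 7.3+ (array form of
// session_set_cookie_params) and HTTPS; the function names are hypothetical.

function start_cross_site_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,    // browsers reject SameSite=None without Secure
        'httponly' => true,
        'samesite' => 'None',  // also send the cookie on cross-site POSTs
    ]);
    session_start();
}

// SameSite=None means the cookie rides along on every cross-site request, so
// the application's own state-changing forms need an explicit CSRF token.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_token_is_valid(): bool
{
    $sent = $_POST['csrf'] ?? '';
    return is_string($sent) && hash_equals(csrf_token(), $sent);
}

start_cross_site_session();

// checker.php is the external callback: the posting site cannot know the CSRF
// token, so this endpoint only reads the session and treats the POST body as
// untrusted input. Every other POST handler should reject the request unless
// csrf_token_is_valid() returns true.
var_dump($_SESSION);
```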

Cookies do not work in PHP but do work in JavaScript

I need to see the cart of products, and I need to do a first load by PHP and the rest of queries (updates by deleting a product or similar) by jQuery post.
Ok, there's the problem.
[I get variables by JSON on the same php file "any.php"]
The first PHP load doesn't work: when I do the first isset($_COOKIE) in PHP (by curl) it returns NULL, but if I call the method .post("any.php") on jQuery, PHP returns the cart with products.
To add the products I use the PHP function
setcookie($cookieName, $createcart, $cookieExpire);
Cookie Params:
session_set_cookie_params(
time()+3600,
'/',
'.test.com',
0,
0
);
setCookie (createcart is the json value):
setcookie($cookieName, $createcart, $cookieExpire);
PHPINFO
session
Session Support enabled
Registered save handlers files user
Registered serializer handlers php php_binary wddx
Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 Off Off
session.bug_compat_warn Off Off
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain .test.com.pe no value
session.cookie_httponly Off Off
session.cookie_lifetime 1379499657 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 5 5
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /var/lib/php/session /var/lib/php/session
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies On On
session.use_trans_sid 0 0
From: http://php.net/manual/en/function.setcookie.php
Common Pitfalls:
Cookies will not become visible until the next loading of a page that
the cookie should be visible for. To test if a cookie was successfully
set, check for the cookie on a next loading page before the cookie
expires. Expire time is set via the expire parameter. A nice way to
debug the existence of cookies is by simply calling
print_r($_COOKIE);.
See also: How can I set a cookie and then redirect in PHP?
Maybe the problem is the path of the cookie. You need to set it for it to work correctly on all pages.
path
The path on the server in which the cookie will be available on. If set to '/', the cookie will be available within the entire domain. If set to '/foo/', the cookie will only be available within the /foo/ directory and all sub-directories such as /foo/bar/ of domain. The default value is the current directory that the cookie is being set in.
from http://www.php.net/manual/en/function.setcookie.php

Passing php session variables to multiple pages

I am having problems passing session variables on my website. I can echo my session variables on the advertiser/page2.php but when I go to a 3rd page the sessions are gone.
Can someone please help me fix this issue?
login.php
session_start();
$_SESSION['account_id']= $account_id;
$_SESSION['user_email']= $user_email;
advertiser/page2.php
session_start();
advertiser/page3.php
session_start();
Here are the settings on my phpinfo()
Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 Off Off
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 5 5
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path no value no value
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid 0 0
I have run into this issue several times with PHP and it is frustrating.
What I do now is set the Session ID using session_id([new_session_id]) to the MD5 (http://php.net/manual/en/function.md5.php) hash of a string such as the username combined with some arbitrary string. The username is always tied to the user data.
The session ID is always recalculated (which might be a minimal performance cost) but you can always find the session when you need it, since the result is deterministic.
I am not sure if this is the BEST method, but something around that idea seems to have never failed me when dealing with maintaining sessions in PHP.

php sessions not carrying over from one page to the next

I've used sessions before on shared hosting and they were very simple. I'm now using Amazon and have linux server with the following configuration in php. The catch is session variables don't carry on from one page to the next:
session
Session Support enabled
Registered save handlers files user memcached
Registered serializer handlers php php_binary
Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 Off Off
session.bug_compat_warn Off Off
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_httponly On On
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 1000 1000
session.gc_maxlifetime 604800 604800
session.gc_probability 1 1
session.hash_bits_per_character 5 5
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /var/lib/php/session /var/lib/php/session
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies On On
session.use_trans_sid 0 0
Sample Page: http://www.datingjapan.co/index.php
Code:
index.php
<?php
session_start();
error_reporting(E_ALL & ~E_NOTICE);
$_SESSION['domain'] = 'www.datinggirls.co';
print_r($_SESSION);
?>
<h1>This is the HTML</h1>
Visit W3Schools
page.php
<?php
session_start();
$_SESSION['page2'] = 'page-two-data';
print_r($_SESSION);
?>
<h1>This is page 2</h1>
Visit Home Page
Any advice...?
thx
Each time I ping your domain www.datingjapan.co it gives me a different IP.
Is your shared hosting on multiple cloud instances? Probably.
Then the PHP session files may be stored locally on the first server that displayed the page "index". When you load the second page, you are on another server...
I agree with Peter, look at the amazon FAQ or support about how your session storage is synchronized (or not).
If you are using multiple servers they will each have their own session storage. You should look at posts on the Amazon support forums about synchronizing the session storage between servers.
Edit:
Here's one such post on SO: How to synchronize sessions using Amazon Web Services (AWS)?

session question with virtual host

Everyone! I have a question about sessions hopefully someone can help me with. I have an Apache test server set up that uses virtual hosts for http and https. I put the following files in my https and it works:
mytest.php:
// this starts the session
session_start();
// this sets variables in the session
$_SESSION['color']='red';
$_SESSION['size'] ='small';
$_SESSION['shape']='round';
echo "Done";
mytest2.php:
// this starts the session
session_start();
// echo variable from the session, we set this on our other page
echo "Our color value is ".$_SESSION['color'];
echo "Our size value is ".$_SESSION['size'];
echo "Our shape value is ".$_SESSION['shape'];
But it doesn't work when I view the copy in http.
phpinfo() in both are the same:
session
Session Support enabled
Registered save handlers files user sqlite
Registered serializer handlers php php_binary wddx
Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure On On
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 4 4
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /tmp /tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid 0 1
As it has already been said, it's probably because you're using secure cookies.
Note that, if you're not using secure cookies, you need to be careful in the logic of your application to enforce its security. It's OK to go from HTTPS to HTTP, but then, you should discard the HTTPS session. Otherwise, an attacker could get the cookie from the HTTP connection and use it over the HTTPS connection, pretending to be authenticated as the legitimate user.
The problem is this:
session.cookie_secure On On
If the session cookie is secure, it'll only be sent via HTTPS by the client.
Change that ini setting or call session_set_cookie_params prior to session_start and specify there you don't want a secure cookie, e.g.:
session_set_cookie_params(0, '/', "example.com", false);
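Added example, not code from either answer: one way to follow the first answer's advice is to keep the authenticated session on a Secure cookie and give plain HTTP its own, separately named session, so the HTTPS session ID is never sent over HTTP. It assumes PHP 7.3+ for the array form of session_set_cookie_params; the function and session names are hypothetical.

```php
<?php
// Added illustration. start_scoped_session(), login() and both session names
// are hypothetical; nothing here comes from the posts above.

function is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function start_scoped_session(): void
{
    $secure = is_https();

    // Two cookie names: SECURESESSID carries the Secure flag, so the browser
    // never sends it over HTTP; PLAINSESSID holds nothing that grants access.
    session_name($secure ? 'SECURESESSID' : 'PLAINSESSID');

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $secure,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1'); // no session IDs in URLs
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue
    session_start();
}

function login(int $accountId): void
{
    if (!is_https()) {
        throw new RuntimeException('Login is only allowed over HTTPS');
    }
    // Fresh ID at the privilege change, old session file deleted.
    session_regenerate_id(true);
    $_SESSION['account_id'] = $accountId;
}

start_scoped_session();

// On an HTTP page this is always false: the plain session never receives
// account_id, so a cookie captured over HTTP is useless against HTTPS pages.
$authenticated = is_https() && isset($_SESSION['account_id']);
```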
