My PHP sessions are expiring randomly and rarely last more than approximately 5 mins (300 secs).
I am experimenting with the PHP & MySQL login script here: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL (sec_session_start function extracted below).
function sec_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure = false; // Set to true if using https.
    $httponly = true; // This stops JavaScript being able to access the session id.
    ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
    $cookieParams = session_get_cookie_params(); // Gets current cookie params.
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
    session_name($session_name); // Sets the session name to the one set above.
    session_start(); // Start the PHP session.
    session_regenerate_id(true); // Regenerate the session ID and delete the old one.
}
I have done extensive reading on the subject to try to solve the problem, and I understand that many things can cause PHP sessions to expire prematurely. If you have any ideas about how I could solve the problem, please let me know, as it's driving me mad!
Please note:
1. In php.ini I have set session.gc_maxlifetime = 3600
2. My host is IPage.
3. I have tried editing session_set_cookie_params to the following, but it doesn't solve the problem:
session_set_cookie_params( time()+1800, "/", $cookieParams["domain"], $secure, $httponly);
Your code has a single, unchanging name for every single session? Have you considered that every time someone starts a new session it will clobber the previous one? There is a reason why session identifiers are unique.
Aside from that, ask your host. They might be doing something ridiculous like clearing /tmp every X minutes.
I have a similar login script, and found the solution when I looked at the cookies I was setting. For some reason this script will set cookies for both example.com and www.example.com when a brand new session is started. Explicitly setting your domain in session_set_cookie_params() will fix this behavior.
function sec_session_start() {
    $domain = 'example.com'; // note $domain
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure = true; // Set to true if using https.
    $httponly = true; // This stops JavaScript being able to access the session id.
    ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
    $cookieParams = session_get_cookie_params(); // Gets current cookie params.
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $domain, $secure, $httponly); // note $domain
    session_name($session_name); // Sets the session name to the one set above.
    session_start(); // Start the PHP session.
    session_regenerate_id(true); // Regenerate the session ID and delete the old one.
}
It might be the same issue as described here:
http://www.php.net/manual/en/function.session-regenerate-id.php#84242
It is a browser issue, not PHP. (Way easier to recreate in Firefox than Chrome.)
Setting "session_regenerate_id(false);" helps, but that defeats the purpose of secure login.
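The session-loss described in this thread comes from calling session_regenerate_id(true) on every request: a second request that still carries the old ID finds its data already destroyed. Below is an added example (not code from any post above) that keeps the thread's cookie settings, pins the cookie domain as one answer suggests, and retires an ID with a short grace period instead of deleting it immediately; it assumes PHP 7.3 or later, HTTPS, and example.com as the site's domain.

```php
<?php
// Added example, not code from any of the posts above. A retired session ID
// stays readable for a short grace period, so a concurrent request (second
// tab, AJAX poll) that still carries it does not find its data destroyed.
// Assumptions: PHP >= 7.3 (array form of session_set_cookie_params), HTTPS,
// and example.com as the site's domain.

const REGEN_INTERVAL = 900; // rotate the ID at most every 15 minutes
const REGEN_GRACE    = 30;  // seconds a retired ID stays usable

function sec_session_start(): void {
    ini_set('session.use_only_cookies', 1);
    ini_set('session.use_strict_mode', 1); // ignore IDs the server never issued
    $params = session_get_cookie_params();
    session_set_cookie_params([
        'lifetime' => 0,               // session cookie: gone when the browser closes
        'path'     => $params['path'],
        'domain'   => 'example.com',   // explicit, so example.com and www. share one cookie
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_name('sec_session_id');
    session_start();

    // An ID retired longer ago than the grace period is stale: drop its data
    // and issue a fresh ID, deleting the retired one.
    if (isset($_SESSION['_obsolete']) && $_SESSION['_obsolete'] < time()) {
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['_regenerated'] = time();
    }
    // Periodic rotation instead of rotation on every request.
    if (($_SESSION['_regenerated'] ?? 0) + REGEN_INTERVAL < time()) {
        rotate_session_id();
    }
}

// Call this after a successful login as well (privilege change).
function rotate_session_id(): void {
    $_SESSION['_obsolete'] = time() + REGEN_GRACE; // PHP >= 7.0 saves this to the old ID
    session_regenerate_id(false);                  // new ID; old data kept, now flagged
    unset($_SESSION['_obsolete']);                 // the new ID is current, not retired
    $_SESSION['_regenerated'] = time();
}
```

The retired ID is only accepted for REGEN_GRACE seconds; anything arriving with it afterwards gets an empty session rather than the old data.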
I'm currently developing a web application for a client with the webspace hosted on one.com.
I've implemented my own secure login system and everything works. When I log someone in, the variables are available but as soon as I go to a new page via an href all my session variables are lost. I've tried almost everything that is recommended on similar questions but it won't work.
I cannot edit my php.ini directly; this is the standard phpinfo:
I can't embed images yet; this is my phpinfo:
Additionally, at the beginning of every page I call
ini_set("session.cookie_secure", 0);
because at the beginning this was (locally) always set to true.
I initiate a secure session on every page with the following code:
$session_name = 'sec_session_id'; // Set a custom session name
$secure = true;
// This stops JavaScript being able to access the session id.
$httponly = true;
// Forces sessions to only use cookies.
if (ini_set('session.use_only_cookies', 1) === FALSE) {
    header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
    exit();
}
// Gets current cookie params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
    $cookieParams["path"],
    $cookieParams["domain"],
    $secure,
    $httponly);
// Sets the session name to the one set above.
session_name($session_name);
session_start(); // Start the PHP session
session_regenerate_id(true); // Regenerate the session ID and delete the old one.
I just don't understand why my session variables are always lost. I would be happy about any help I can get!
Edit: Some suggested that the last line:
session_regenerate_id(true);
probably causes the problem, but after removing it, it still doesn't work. What else could it be?
I'm pretty sure this line (the bottom line) is the one destroying the session:
session_regenerate_id(true); // Regenerate the session ID and delete the old one
Remove that line and your session should be retained.
We are using a server that has several services on it. To make sure the PHP sessions are not mixed, we want to use a different cookie for each service. We created a function called sec_session_start where we define the cookie (mySession) for this service. We then made a second function called start_my_session to connect to the service cookie.
Each time we try to use start_my_session, it gets the info inside PHPSESSID instead of mySession. How can I fix that?
The following function is called only at one place (when the user logs into the system).
function sec_session_start() {
    $secure = false;
    $httponly = true;
    // Forces sessions to only use cookies.
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        header("Location: ../error.php?err=Could not initiate the safe session (ini_set)");
        exit();
    }
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
    session_name('mySession');
    session_start(); // Start the PHP session.
    echo session_id(); // USE AT THE MOMENT FOR DEBUGGING ONLY
}
The session id returned by the last instruction is the id corresponding to the mySession cookie. (I checked in the server /tmp folder and inside Chrome's resources debugger.)
The following function is called inside every other secure page once the user is logged in.
function start_my_session() {
    echo session_name('mySession') . '<br>'; // DEBUG: displays PHPSESSID (the previous name)
    echo session_name() . '<br>';            // DEBUG: displays mySession
    session_start();                         // Start the mySession session
    echo session_id();                       // DEBUG: displays the PHPSESSID session id
}
As mentioned in the comment, the session_id is still pointing to PHPSESSID instead of mySession.
Any advice on what we are doing wrong and how we could fix it?
This might not sound very logical and you'll think I'm nuts but:
Before you switch session names with session_name(...) (and yes, that means it's also before the session is started!)... run a session_write_close();
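The scenario in this question (several services on one host, each with its own session cookie) and the advice above are put together in the following added example, which is not the original poster's or the answerer's code. It assumes the services live under /billing/ and /reports/ on the same host and that PHP 7.2 or later is in use.

```php
<?php
// Added example, not code from the posts above. Each service gets its own
// session cookie name and path; any session already active (session.auto_start
// or an earlier session_start()) is written and released before the name is
// changed, which is the step the answer recommends.
// Assumptions: services live under /billing/ and /reports/ on one host; PHP >= 7.2.

function start_named_session(string $name, string $path): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        // From PHP 7.2 on, session_name() and session_set_cookie_params() refuse
        // to run while a session is active, and the active one (PHPSESSID here)
        // would simply keep being used. Write it out and release it first.
        session_write_close();
    }
    ini_set('session.use_only_cookies', 1);
    $p = session_get_cookie_params();
    // Scoping each cookie to its service's path stops the browser from sending
    // one service's cookie along with requests to the other.
    session_set_cookie_params($p['lifetime'], $path, $p['domain'], true, true);
    session_name($name); // must precede session_start()
    session_start();
}

// In pages under /billing/:
start_named_session('billingSession', '/billing/');
// In pages under /reports/ (a separate request, shown here only for contrast):
// start_named_session('reportsSession', '/reports/');
```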
I made a login system which works fine on localhost, but when it is on the online server it doesn't work. There aren't any errors; even if I type in a wrong password, no errors. Nothing happens; it stays on the same page. [http://sportcaffe.me/admin/] <- You could try here and see what happens..
USERNAME: laky95
PASSWORD: lazar
I found a solution, but it is not good... I can put session_start() at the top of my code and it will work, but I have some session "prepare" and then start..
Here is my code:
$session_name = 'sec_session_id'; // Set a custom session name
$secure = FALSE;
// This stops JavaScript being able to access the session id.
$httponly = true;
// Forces sessions to only use cookies.
if (ini_set('session.use_only_cookies', 1) === FALSE) {
    header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
    exit();
}
// Gets current cookie params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
    $cookieParams["path"],
    $cookieParams["domain"],
    $secure,
    $httponly);
// Sets the session name to the one set above.
session_name($session_name);
session_start(); // Start the PHP session
session_regenerate_id(); // Regenerate the session ID (the old one is kept).
I've several pages which are called by AJAX to print a response.
The pages use $_SESSION variables, so I have to use session_start().
I noticed that from time to time the pages erase the session data (and the user gets disconnected); I'm using a slightly different session_start():
function sec_session_start() {
    $session_name = 'pentago'; // Set a custom session name
    $secure = false; // Set to true if using https.
    $httponly = false; // This stops JavaScript being able to access the session id.
    ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
    $cookieParams = session_get_cookie_params(); // Gets current cookie params.
    session_set_cookie_params($cookieParams['lifetime'], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
    session_name($session_name); // Sets the session name to the one set above.
    session_start(); // Start the PHP session.
    session_regenerate_id(true); // Regenerate the session ID and delete the old one.
}
Is there something in my custom session_start() that causes the response pages to delete the session?
Thank you.
I have this function to start a secure session:
function sec_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure = false; // Set to true if using https.
    $httponly = true; // This stops JavaScript being able to access the session id.
    ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
    $cookieParams = session_get_cookie_params(); // Gets current cookie params.
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
    session_name($session_name); // Sets the session name to the one set above.
    session_start(); // Start the PHP session.
    session_regenerate_id(true); // Regenerate the session ID and delete the old one.
}
How do I set my cookies to expire whenever the user navigates away from my app or closes their browser? Basically, every time a user visits my app, they need to login again.
A lifetime of 0 (which is usually the default for session cookies) does precisely what you described. See http://us3.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime