I am using session to store some data in my php website, but in some page when I fetched the data in the session is changed some times and some time its same.
I searched lots of and find some answer at
session id value changes
" if you have register globals on, you may be seeing behavior like that if you use the variable $id in your code. As a test, try:
<?php
session_start();
$_SESSION['testing'] = 'Foo';
$testing = 'bar';
die($_SESSION['testing']);
?>
"
help me i searched in my php file but i dont find similar variables like session variables so what is the problem ??
give me some details about php session and if possible suggest good books.
edited :
i have set the php.ini as all of you saying its problem of register_global off and than ckeck by using phpinfo(); function and check the register_global is off.
but after some time i logged in with my id and than at mypage menu.php accessed by me after that its changed session logged id and i logged in another account automatically.
please help me
Disabling Register_Globals by adding the following line in your php.ini file may fix this problem.
register_globals = Off
If you are using a Shared Web Hosting service, follow:
If you have access to /cgi-bin folder then create your custom php.ini file inside it.
And if you dont have access, then create your custom php.ini file in root folder.
And then add above mentioned line in php.ini file.
Adding the following line of code in your .htaccess file also fix your problem.
php_flag register_globals off
You shouldn't be using register globals so it shouldn't be an issue.
Add this line to .htaccess to disable if you have register globals running:
php_flag register_globals off
it can't be done with ini_set() at runtime so you will need to use htaccess or php.ini as in previous answer.
It's unlikely these days that register_globals is your problem. More likely it's to do with a) where the actual session data is being stored; and b) how the "session ID" is being transmitted from one request to the next.
The first thing to look at is session_save_path(), which tells PHP where on disk to store the data that you put into the session variables.
The other part is a little more complicated, but is about how the cookie is set which lets PHP know to load the same session rather than creating a new one. You might need to look at things like the lifetime of this cookie, or the scope (domain / sub-domain / URL path) it applies to. Have a look at session_set_cookie_params(), and in general have a read through that section of the PHP manual to understand how sessions work.
Related
I have tried the following code in my index.php but still no luck
session_save_path('/home/domainName/tmp/sessions');
ini_set('session.gc_probability', 1);
It is still shows session.save_path as no value in phpinfo()
Can anyone pls help me out what else needs to be done in order make session variable work on live server.
You should alter those values in your php.ini file, as when you set them on runtime, the next request the initial values are used again (from php.ini), and thus in the output of phpinfo() it will not show up.
If session_save_path does not work, you could try to work with ini_set:
ini_set('session.save_path',$path);
session_start();
This way you overwrite the config value of PHP just for this application and not in general, like the solution of giorgio. If you want to set it for all applications of the server, I would also suggest like giorgio to alter the "php.ini".
try this
ini_set(session.save_path, '/home/domainName/tmp/sessions');
session_start();
I have a problem sharing the session between two subdomains, and I've read a lot of threads here and other places.
I have www.xx.com and sub.xx.com and I've set
session_name("PHPSESSXX");
session_set_cookie_params(0, '/', '.xx.com');
and the session.save_path is the same on both domains.
I get a cookie called PHPSESSXX on both domains, and it has the same value.
When I log on to www.xx.com I get a session with some details in it, and it stays that way until I go to sub.xx.com. Then the session on sub.xx.com is empty, and if I refresh www.xx.com, the session there is gone as well. So it does something, but it seems to be overwriting the session data each time I visit a different subdomain.
Any ideas anyone? - Can i debug this somehow?
Btw: I'm using ssl on both domains.
cheers
PHP session ids are saved in Cookies. To make a cookie available in all the sub-domains you need to assign it to the root domain. Then all the sub-domains will get the session id from cookie and PHP can find the session using passed session id.
As it turns out, You just need to set the session.cookie_domain to the root domain in php.ini file
session.cookie_domain = ".example.com"
Also check manual for different approaches used to set an ini entry.
Your question is answered here
Sharing SESSION Variables Between Multiple Subdomains
My solution was to set a flag in .htaccess like this:
php_flag "suhosin.session.cryptdocroot" 0
And it now works perfectly ;o)
The problem was that Suhosin was installed on the system, and the ini variable
suhosin.session.cryptdocroot = On
encrypted the session files in such a way, that when a different subdomain tried to change the session, it deleted everything for security reasons.
It didn't work for me to set the variable to Off or [nothing] in the ini-file, though maybe I didn't find the right file.
I also tried setting it in PHP without any luck. Like this:
ini_set('suhosin.session.cryptdocroot', 0)
cheers
I've a file in which i've this code
session_start();
session_register("name");
$name = "test";
When i saw the cookies in chrome,it says this is in root folder.
My question here is where does this session get saved on my xampp of local host and where does my session saved in go daddy shared hosting.
If i've session_start(); $_SESSION['id'] ="some value"; ,i can use this some value in all pages,this is what i under stood from reading about session,correct me ,if i'm wrong.
I used this in my shared hosting but when i call the session variable in another page,it is empty,i do not know whether my hosting has session save write permission or what is the reason it could be empty.
There are 2 settings for session saving:
In Shared memory.
In Files.
In case of files you can access the session data, whereas in case of memory you cannot.
to access the session data get the folder path by using this function session_save_path();
Note:- Hosts protect these type of folders so that they cannot be accessed directly
one more thing to check if the session setting is in folder or memory check your phpinfo();
and if files are selected You can explicitly change the path by the same function session_save_path(); Please check: Check Here
The session is saved in the server as a file named for example 1234. This is a textual file. It's saved in a path configurable by php.ini.
Client side a cookie is saved. The content of the cookie is equal to the name of the sessione file 1234. The borwser for each request send the cookie content so the server reads the content of the cookie and checks if a corresponding session exists. For problem using sessions... provides us more code!
To use sessions, you need to do:
session_start();
And then you can do:
$_SESSION['id'] ="some value";
and use it:
$id = $_SESSION['id'];
session_register is a deprecated function, you should not be using it. Anyway, you were using it in the wrong order (the last thing you should do with a value is register it, you were registering a null valued $name variable).
you need to save the new value as
$_SESSION['name'] = "test";
$_SESSION['name'] IS NOT EQUAL TO $name
hence saving value as $name = "test"; will not be saved in $_SESSION['name']
You must call session_start(); on every page to retrieve the saved session in propogation from one page to required page. or set it on/1 in php.ini file(not recommended)
The location of the $_SESSION variable storage is determined by PHP's "session.save-path" configuration. Usually this is "/tmp" on a Linux/Unix system. Use the phpinfo() function to view your particular settings if not 100% sure by creating a file with this content in the DocumentRoot of your domain:
<? phpinfo() ?>
check the below link for more details
session.save_path
The session is stored on the server but the session ID is stored on the users computer as a long random ID. There is no way for the user to edit the session however they may be able to steal a session ID and use it on an unauthorised account.
IT could be possible that you have register_globals set to 1 in the php.ini. It is highly recommended that you turn this off as it could be used maliciously but this would explain why setting $name could also set $_SESSION['name']. It basically allows all variables to be set from that one point.
With Go Daddy 4GH hosting the sessions will save, by default, to the /tmp directory that is at at the same level as your /html directory. You can find the full path to this using these steps.
To Find Your Absolute Hosting Path
1. Log in to your Account Manager.
2. Click Web Hosting.
3. Next to the hosting account you want to use, click Launch.
In the Server section, your hosting account's Absolute Hosting Path displays.
If this is not where you want to save your sessions you can change this in your php.ini file or using session_save_path() function in your script.
For information on this for your XAMPP stack you can check here.
How can i start a session in PHP which will be global to all my pages. I don't have access to the php.ini file. So session.auto_start = 0 in my php.ini will not be a solution for me.
Thanks.
$_SESSION is a global.
Start it off by calling session_start() before any output.
session_start();
Place this at the top of your pages and it will start a session. You can access it and set its variables with $_SESSION['somevalue']. Also you can name the session using session_name("some name");
If you want all pages to automagically have a session_start(), without actually writing the code, you're pretty much stuck with ini-settings. It is very well possible that although you cannot alter php.ini in a shared environment (proper hosters do offer a custom ini IMO), that you can just add the php_flag session.autostart = 1 to an .htaccess file in the root.
Nothing bad in starting a session with session_start() - everyone doing that.
Don't you have some config file already, which being included into every script on the site? If yes - why not to put session_start there? If not - you have to think of having one.
I have a problem where i am losing the PHP session between 2 pages.
The session_start() is included in a file called session-inc.php into every page requiring a session to be set. This works for all pages on the site except one particular page, member-profile.php. When this page is visited a new session with a different id (same session name) is set and used instead.
A few more details:
Session name is set manually
All pages are on the same server under the same domain name
If i put an additional session_start() above the include('session-inc.php') in the member-profile.php file, the session is carried over correctly
I have tried setting the session_cookie_domain and session.session_name in the .htaccess, this worked for this domain but it stopped the session being passed over to out payment domain
We are running apache 2.2.6 with php 5.2.5
Putting the session_start() above the include('session-inc.php') in the member-profile.php file is the quick and dirty fix for this problem, but i am wondering if anybody know why this would be happening.
Cheers
Will
According to PHP documentation, session_start must be called before any output is sent back to the browser-- could this page have a rogue CR/LF, Unicode byte-order mark or similar that is causing output before you include('session-inc.php')?
While migrating a legacy site from PHP4 to PHP5 I noticed a php.ini configuration setting that causes php to auto-start the session upon every request. It's an alternative to placing session_start() onto every page...
There are multiple ways to enable this setting:
Put the following line into php.ini:
session.auto_start = on
or put this into your apache virtual-site config or .htaccess file:
<IfModule mod_php5.c>
php_flag session.auto_start on
</IfModule>
and it should make $_SESSION changes available across all pages
I have just encountered this problem. Interestingly, browsing via http://127.0.0.1 instead of http://localhost helped me.
I just spent all day diagnosing this issue in my Ionic3 - to - PHP project. TL; DR - make sure your client is actually sending session credentials.
In the interest of helping anyone who makes this mistake, I will share how I found the problem.
I used these tools to diagnose the session on both the client and server:
1) Add a test file with phpinfo() to the server to review PHP session options.
2) Review the PHP code to make sure that no output, intentional or un-intentional occurs before the session_start() line. Check the status bar of Visual Studio Code to make sure the Byte Order Mark (BOM) is absent from the PHP files.
3) Review server PHP logs (in /var/log/nginx/error.log for me). Add error_log() lines to the php file to dump the session_id() or $_SESSION array.
4) Use tcpdump -An 'port 80 or port 443' to view the actual HTTP requests and replies. (That's where I discovered the missing cookies).
For an Ionic3 data provider the correct syntax for the client is:
var obsHttp = this.http.post(url, body,
{ headers: new HttpHeaders({
'Content-Type':'application/x-www-form-urlencoded'
}),withCredentials: true }).timeout(this.timeoutTime);
Notice the withCrentials:true
One needs to call subscribe on the obsHttp() observable to send the request.
Found the issue
There was a byte order mark at the beginning of the main includes file of the second domain. as stated by ken, cant have any output before a session start, it was not setting the session correctly.
SOLUTION:
session.auto_start = on
in file: php.ini
It solved the issue of re-generating session id on page reload (page refresh / change pages).
The issue appeared after the update of CPanel (and included Multi PHP), even the php version remained the same.
The PHP.ini file didn't had that variable at all.
Went in Cpanel -> MultiPHP INI Editor -> Editor Mode (not Basic, in basic you do not have this setting) and added the line. Press Save.
TIPS / WHEN TO USE THIS SOLUTION:
To determine if that is the problem, put a line at the very beginning and at the very end of your index.php file to check the session id. Use function:
session_id();
Navigate through pages / reload the page. If the session_id value changes the problem is not in your code and this solution should solve your problem (the session is lost outside of your code).
I also tried to verify the availability of saving session on the web server (session.save_path) but, even if it was a lead, it was not the case.
I imagine this is a "feature" of Cpanel with MULTIPHP UPDATE that will happen quite often.
I had this problem, and the cause was that PHP was ignoring all cookies after the first 100. (I asked this question to try to find out why, but so far nobody has figured it out). The browser was sending the PHPSESSID*, but since it was the 110th cookie, PHP was ignoring it.
To figure out if this problem is what's affecting you, use your browser's dev tools to look at the cookies that the browser is sending with the request, and compare that list to the $_COOKIE array in PHP. They should be the same. But if the browser is sending a PHPSESSID*, and there's no PHPSESSID* in $_COOKIE, then that would explain why sessions aren't working.
I solved the problem by not having my site use so many cookies, which is good practice anyway.
*PHPSESSID is the default session name. Your site may use a different name.
To solve the session_id change after each request, you change the parameter session.auto_start and session.cookie_httponly into the php configuration file.
to find the used php configuration file
php -i | grep "php.ini"
then you open it, and try to find the parameter session.auto_start . you set
session.auto_start = 1
session.cookie_httponly = 0
finally you restart your httpd/apache service.
Found the issue
In my case it was due to Varnish Settings please check your varnish settings. PHPSESSID you can exclude the cookie from the Varnish Settings.
I'm not an expert, but found a solution after careful investigation of domain name in the cookies info of two webpages opened on Firefox. (Right click on the page, select inspection and the storage). checked domain names and found that one with www.example.com and the other without www (example.com). changed all the page links to same format and the problem solved for my case.
Found the problem was a byte order mark (BOM) being ouputted at the start of the file. Got rid of it and it sorted out the session problem.