PHP changes session ID on each request - php

This morning my local PHP started behaving strangely: the session ID changes on each request (making sessions unusable).
The code:
<?php
session_start();
The same page is available through "localhost" and "test" which is a /etc/hosts entry for localhost.
Requesting this same file on "localhost": the PHPSESSID cookie stays the same; on "test" it changes on every request.
Absolutely nothing changed in my code (no BOM or buggy code) or in Apache's config. I may have updated PHP (5.4.4), but reverting to the previous version (5.4.1) showed the same behavior. The same code running on a remote server (php 5.3) has been running ok for ages.
It's probably a bug in PHP :( but before reporting, I want to be sure I didn't overlook anything.
Any idea?
Thanks for your amazingly fast answer.
In fact the browser works fine, everything is working fine, even PHP.
I just forgot I added a .htaccess clearing all cookies to upload to a CDN. The only thing I didn't check was the .htaccess.
I feel stupid (and tired).
Thanks again.

Install some software watching HTTP headers like
Live HTTP Headers Firefox addon https://addons.mozilla.org/en-us/firefox/addon/live-http-headers/
WireShark sniffer http://www.wireshark.org/
and check whether
Server sends the cookies as it should
Browser sends them back.
Probably the Cookie header contains settings which make the browser not send it back, and therefore the server generates a new cookie (new session) for every request.
Especially check the path setting of the cookie you send.
Also, it might be some new policy in the browser, or a security plugin, or maybe antivirus... try a different browser, or the bare curl program, and disable the web shield of your antivirus if applicable.

Related

Set-Cookie present in header response but missing in browser

Basically Session is not working. Session is getting generated and getting stored in the proper folder of the server, but not getting stored in the browser as the usual PHPSESSID cookie. The phpinfo() shows that the Set-Cookie headers are being sent, but Set-Cookie headers are missing in the response that the browser gets. Please check the below screenshots:
Set-Cookie headers present from the server side:
Set-Cookie headers missing in the response the browser gets:
Another piece of information: if I use JavaScript to set a cookie, then it works and shows up in the browser's developer tools.
Everything regarding session is ok, just that the cookie it tries to set on the browser seems to be not setting.
Answering the cause and fix as it may help someone in future and save many hours:
This error happened in a site previously built by someone else. This error seemed quite unusual and I thought the problem is most probably with Apache. I removed Apache and reinstalled to no effect. Then I installed Nginx to see if the problem is with the Web Server software or the Server itself. And I found that Session is working fine in Nginx. So the problem was definitely with Apache somewhere.
As I checked the files, I found that in the .htaccess file, somewhere down below, Cookie was unset!!
Header unset Cookie
Header unset Set-Cookie
Never thought someone would have put that! But anyway, removing the above fixed the problem.
Encountered the same behavior with a service provider of mine. Turned out to be a caching problem on their side (varnish cache).
Luckily I was able to disable Varnish-Cache via the provided admin-backend. After that, the Set-Cookie headers were present in the client response.
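The `.htaccess` cause found in the answer above (and in the first thread) can be checked for mechanically. The following is an added example, not code from any of the posters: it scans Apache configuration text for mod_headers directives that remove cookie headers and reports whether each one is scoped to particular files. The function name, the result fields and the sample file are assumptions made for illustration.

```python
import re

# mod_headers directives that drop cookie headers, e.g. "Header always unset Set-Cookie".
DIRECTIVE = re.compile(
    r'^\s*(Header|RequestHeader)\s+(?:(?:always|onsuccess)\s+)?unset\s+"?(Set-Cookie|Cookie)"?\s*$',
    re.IGNORECASE)
SECTION_OPEN = re.compile(r'^\s*<\s*(\w+)\b([^>]*)>\s*$')
SECTION_CLOSE = re.compile(r'^\s*</\s*\w+\s*>\s*$')
# Sections that narrow a directive to particular files or URLs.
SCOPING = {"files", "filesmatch", "location", "locationmatch"}

def find_cookie_strippers(config_text):
    """List directives that remove Cookie/Set-Cookie headers, with their scope."""
    findings, stack = [], []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
        elif m := SECTION_OPEN.match(line):
            stack.append((m.group(1).lower(), m.group(2).strip()))
        elif m := DIRECTIVE.match(line):
            kind, header = m.group(1).lower(), m.group(2).lower()
            scope = [f"<{name} {args}>" for name, args in stack if name in SCOPING]
            # Response Set-Cookie or request Cookie removed for every URL:
            # PHP can no longer hand out or read back PHPSESSID.
            fatal = not scope and (kind, header) in {
                ("header", "set-cookie"), ("requestheader", "cookie")}
            findings.append({"line": lineno, "directive": " ".join(line.split()),
                             "scope": scope, "breaks_sessions": fatal})
    return findings

# Constructed sample .htaccess (not taken from the page).
SAMPLE = r'''<IfModule mod_headers.c>
    Header unset Cookie
    Header unset Set-Cookie
    <FilesMatch "\.(css|js|png)$">
        Header unset Set-Cookie
    </FilesMatch>
</IfModule>
'''

if __name__ == "__main__":
    for finding in find_cookie_strippers(SAMPLE):
        print(finding)
```

In the sample, only the unscoped `Header unset Set-Cookie` is flagged as breaking sessions; the copy inside `<FilesMatch>` strips cookies from static assets only, which is the usual intent when preparing files for a CDN.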

Multiple PHP sessions created, but only on webserver

I'm having problems with PHP sessions that only occur on my testing server (everything works fine on my localhost). I'm developing a custom Wordpress theme, based on Roots. My localhost is OS X (PHP 5.4.4) and the testing server is Ubuntu (5.3.10-1ubuntu3.8).
The problems include:
New sessions created each time I refresh the page (which I can see by rendering session_id() in the footer and checking /var/lib/php5/session)
Functions called through an AJAX request unable to access the correct session, even though session_name() and session_start() are called before they try
Other details:
I'm trying to save variables into a named session, so each time I call session_start() I'm currently doing it like this:
session_name('my_session'); //Not sure if this line strictly required
if (!session_id()) {
    session_name('my_session');
    session_start();
}
The above is first called in a function init_sessions, hooked into Wordpress like this: add_action('init', 'init_sessions');, then also used in the other files that need access to session variables (e.g. those requested via AJAX).
On localhost, I can see the session file created in /Applications/MAMP/tmp/php and also see a session appear under the Cookies tab in Firebug. However on my testing server, although (too many) session files are created in /var/lib/php5/session, I don't see the session appear in Firebug.
Running phpinfo() doesn't show any significant difference between the PHP directives on my localhost and those on my testing server.
The testing server is really two (Rackspace) servers with a load balancer, but I don't think this is an issue as session persistence is set up.
The testing server is set up as a subdomain e.g. test.my-domain.com.
I've got PHP error reporting turned on but haven't noticed any.
I've deactivated all other Wordpress plugins.
I'm sure it's more likely to be a problem with my script than Rackspace's set-up, but I'm a bit stumped at the moment. I'm particularly curious about why I can see session files created on the testing server in /var/lib/php5/session, but don't see them appear in Firebug's Cookies tab.
Any ideas very welcome. Thanks!
Ok - think I've identified what's going on (though not resolved it yet). It looks as though the problem is down to Varnish. When a user is logged-in, the session functions perfectly. Thanks to everyone that suggested a fix.

Session data get lost - Chrome only

Somehow, when calling another script (all other scripts than index.php), all my CMS authorisation data gets deleted. The login boolean and username consists. This only appears using Chrome/Chromium.
The chrome developer tools don't show any errors, only 200 OK and 304 Not modified.
This is really annoying since I've changed to Chromium for Firefox being too resource-heavy.
Any solutions?
It's going to be really hard to debug without any code or anything. When you say session data I assume you are referring to your PHP session. This has nothing to do with the browser. Are you making sure you aren't changing the domain/subdomain while browsing at all (which will cause you to lose your session)? You can check your php.ini session settings but that shouldn't matter if it is working on other browsers.
I'm guessing this is occurring because your session isn't getting started properly OR the session data is getting cleared somehow in your code.
Now it appears in Fx too. The problem: The hoster updated to PHP5 and there register_globals was set to On again.

Php Session Resets on SSL

This is a variant of a common php problem that seems to defy solution (and common sense): when a user switches between http and https on my site, php dumps the contents of the session. This would be bad enough, except for the fact that the site works fine when I run it under the domain test.mysite.com. The problem only shows up when I run it under www.mydomain.com, and only on our new server. The code worked just fine on my old machine!
Both servers are running CentOS, with the troublesome one on Rackspace CloudServer.
Any suggestions?
Edit
Just to make something clearer: the session actually gets cleared when going to a secure page. I can't go back to an unsecured page to view the original contents of the session, even though the session id's haven't changed.
Sounds like you've fallen victim to the curse of the dreaded php.ini file. Some cookie parameters are getting set differently.
I would ensure that the php.ini files in development and production are EXACTLY the same, you are running the same version of PHP, ideally the same build.
EDIT: ok, so it's not necessarily a difference in php.ini.
Have a look at the domain you're using for your cookies. If you set a cookie without explicitly setting the domain, it is the current domain only.
If this is www.example.com, users who visit http://example.com/ then are redirected to https://www.example.com/ WILL LOSE THEIR COOKIES.
Why? Because the cookie is being set for the exact domain, and won't be sent by the browser to a different host name.
The same is true if you run the site on multiple names. Be sure that you only run the site on exactly one name. If a user arrives on any other name, redirect them with a permanent redirect to the One True Name, before setting any cookies.
Can you try setting the secure flag to false using this function?
<?php
session_set_cookie_params(0,"/",".mysite.com",false,true);
?>
More info here: http://us2.php.net/manual/en/function.session-get-cookie-params.php
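The domain and secure-flag reasoning in the answers above, together with the first thread's advice to check the cookie's path, can be reproduced offline. The following is an added example, not code from any of the posters: it applies the RFC 6265 domain-match and path-match rules to decide whether a browser would send a cookie back. The function names are assumptions, and the host names are the ones used in the thread.

```python
from urllib.parse import urlsplit

def domain_match(host, cookie_domain, host_only):
    """RFC 6265 5.1.3. host_only: no Domain attribute was sent with the cookie."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    return not host_only and host.endswith("." + cookie_domain)

def path_match(request_path, cookie_path):
    """RFC 6265 5.1.4."""
    request_path = request_path or "/"
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def why_not_sent(set_on_url, request_url, domain=None, path="/", secure=False):
    """Reasons a browser withholds the cookie from request_url ([] means it is sent).

    domain/path/secure mirror the arguments of session_set_cookie_params().
    """
    origin, req = urlsplit(set_on_url), urlsplit(request_url)
    if domain and not domain_match(origin.hostname, domain, host_only=False):
        return [f"rejected when set: {origin.hostname} is outside Domain={domain}"]
    reasons = []
    cookie_domain = domain or origin.hostname
    if not domain_match(req.hostname, cookie_domain, host_only=domain is None):
        reasons.append(f"domain: {req.hostname} does not match {cookie_domain}")
    if not path_match(req.path, path):
        reasons.append(f"path: {req.path or '/'} is outside {path}")
    if secure and req.scheme != "https":
        reasons.append("secure: cookie is only sent over https")
    return reasons

if __name__ == "__main__":
    # Constructed cases using the host names mentioned in the thread.
    print(why_not_sent("http://example.com/", "https://www.example.com/"))
    print(why_not_sent("http://example.com/", "https://www.example.com/",
                       domain=".example.com"))
    print(why_not_sent("https://www.example.com/", "http://www.example.com/",
                       secure=True))
    print(why_not_sent("https://www.mydomain.com/", "https://www.mydomain.com/",
                       domain=".mysite.com"))
```

The sketch does not model IP-address hosts or the public-suffix checks browsers apply, so treat an empty result as "not blocked by scope" rather than a guarantee.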

Cookies don't set when using PHP 4.4.7, they do however when using PHP 5.2.9 - Any ideas why?

So I have been working on a project for a client on their current web site which has been in existence for quite some time. The version of PHP used is 4.4.7, and I am not in a position to ask them to upgrade. (The system is old and it could break something.) This past week I made some changes to my project, everything worked fine, cookies set, pages worked. I go to test the site earlier and all of a sudden the cookies no longer work. After 2 hours of troubleshooting I finally just set up a simple test page composed of this:
<?php
setcookie('eventCookie','1', time()+7200,'/','.levijackson.net');
echo $_COOKIE['eventCookie'];
?>
I put this on both their site as well as my own (I changed the .levijackson.net to the appropriate domain)
I did 2 refreshes of the page on both pages and only on mine did it return the cookie. So what could have caused something like this? Is there a certain setting that may have been changed by their admin/host?
I did test and HttpOnly cookies still work, so I am going to switch to them while I troubleshoot.
edit: Almost forgot to mention, it works fine in FF but in Chrome and IE it doesn't work at all. Not sure if this will be useful, but I still think that it is not the browser.
Thanks
Levi
Just a guess-- it could be that their server has auto_prepend_file enabled, and the file that is being auto-prepended outputs something to the client. Once anything is sent to the client, set_cookie() will not work, since cookies have to be set in the page header, which must be sent before anything is sent to the client.
If it's not that, try diff'ing the "PHP Core" section of a phpinfo() dump, looking for any other settings that might somehow affect this.
Edit: Here's something else you can try, if both sites are publicly accessible. Go here: http://web-sniffer.net/. This site will show you the actual HTTP headers which are being returned by the site. Run the test file for both sites, and look to see if there is any difference in the Set-Cookie headers which are returned.
