With disabled cookies in the browser, the sessions on our webserver are not
persistent. That means, if I go forward to the next page, I receive a new
session ID. On every page I reload I get a new session ID.
With enabled cookies everything is fine.
Specifications of the Webserver:
PHP version 5.3.3
Apache version 2.2.13
Webserver with SUSE Linux
Locally on my XAMPP installation everything works.
Update:
I have following settings on each page:
ini_set('session.use_cookies', '0');
ini_set('session.use_trans_sid', '1');
session_start();
The session ID is present in the URI, but when I check the session ID on the page there is a new ID, and with each reload there is another ID.
Yes, of course. Since HTTP is a stateless protocol, the session is linked to the user by storing the session ID in a cookie. Deleting (or refusing) this cookie will end your session.
If you don't want cookies, you have to transmit the session ID in the URL:
Unless you are using PHP 4.2.0 or later, you need to enable it
manually when building PHP. Under Unix, pass --enable-trans-sid to
configure. If this build option and the run-time option
session.use_trans_sid are enabled, relative URIs will be changed to
contain the session id automatically.
http://es.php.net/manual/en/session.idpassing.php
See also session.use_cookies and session.use_only_cookies.
This method makes it particularly easy to give away your private data just by sharing a link, so almost nobody uses it nowadays.
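As an added example (not code from the question or the answer above): the two settings in the question are not enough on their own. PHP 5.3 changed the default of session.use_only_cookies to 1, and with that default PHP never reads an ID from the query string, so every request starts a fresh session even though trans_sid rewrote the links. The page names and the view counter are assumptions made for the example.

```php
<?php
// Added example: a cookieless PHP session that actually carries over between pages.
// Assumes PHP >= 5.3; page names page2.php and summary.php are made up for the example.

function configureCookielessSession()
{
    ini_set('session.use_cookies', '0');      // the two settings from the question
    ini_set('session.use_trans_sid', '1');
    ini_set('session.use_only_cookies', '0'); // without this the ID in the URL is ignored
    if (PHP_VERSION_ID >= 50502) {
        // Reject IDs the server never issued, so a link carrying an
        // attacker-chosen ID cannot fix the victim's session.
        ini_set('session.use_strict_mode', '1');
    }
}

// Counts views for this session; a value that keeps increasing across pages
// proves that the ID is being carried over.
function pageViews()
{
    $_SESSION['views'] = isset($_SESSION['views']) ? $_SESSION['views'] + 1 : 1;
    return $_SESSION['views'];
}

configureCookielessSession();
session_start();
$views = pageViews();

// SID is "PHPSESSID=<id>" when the ID did not arrive in a cookie, "" otherwise.
// trans_sid rewrites relative links and forms in the output, but not Location
// headers or absolute URLs, so those get SID appended by hand.
if ($views >= 5) {
    session_write_close();
    header('Location: summary.php?' . SID);
    exit;
}
echo '<p>View ' . $views . ' of session ' . htmlspecialchars(session_id()) . '</p>';
echo '<a href="page2.php">next page (rewritten automatically)</a>';
```

The caveat from the answer still applies: the ID now sits in browser history, proxy and server logs, and in the Referer header of any outbound link, so call session_regenerate_id(true) whenever the user logs in or changes privilege, and prefer cookies wherever the client allows them.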
I am using SimpleSAMLphp (SSP) to handle authentication for my Yii website (via a remote IdP), and version 1.16.3 has been working fine. However, when I update my composer.json file and pull in version 1.17.2, the local PHP session on my website is no longer destroyed, leaving the user logged in. (The user is successfully logged out of the IdP, however.)
I did some Googling, and reviewed discussions that looked relevant:
The change in how session IDs are generated, to comply with PHP config.
Documentation about a mismatch between PHP session settings for the application and SimpleSAMLphp (as a possible source for session-related errors).
The need to give PHP and SimpleSAMLphp different session cookie names: https://github.com/simplesamlphp/simplesamlphp/issues/365#issuecomment-212351265
I also reviewed some discussions in the SimpleSAMLphp mailing list:
https://groups.google.com/d/topic/simplesamlphp/k0AhOO8LLSk/discussion
https://groups.google.com/d/topic/simplesamlphp/x8d53SkhEhE/discussion
In addition, I tracked the logout process using SSP 1.16.3 and 1.17.2 recording each Cookie header in requests, Set-Cookie header in responses, and session files in existence at multiple steps along the way, which showed some distinct differences... but I don't know what to conclude from this information.
When I begin the logout process on my website (which is built using Yii 1.x)...
I start by bringing up a clean docker container of my website, opening a fresh private Firefox window, and opening SAML Tracer. I verify that no session files currently exist on the server (i.e. in the new docker container).
I go through the login process.
1.16.3 and 1.17.2 behave almost identically. At the end of the login process...
For both, my PHP session cookie's session file exists and is 7722 bytes.
1.16.3: My SSP session cookie's session file exists and is 2294 bytes.
1.17.2: My SSP session cookie's session file exists and is 2302 bytes.
I go to /auth/logout/ on my site, and the browser dutifully sends along my current PHP (PHPSESSID) and SSP (SimpleSAML) session cookies.
1.16.3: no Set-Cookie headers are returned.
1.17.2: a Set-Cookie header is returned for the SSP session cookie, but the value is the same as it was before.
I am redirected offsite (to the remote IdP) as part of the logout process.
I am returned to /simplesaml/module.php/saml/sp/saml2-logout.php/default-sp?SAMLRequest=… (and along go current PHP and SSP session cookies).
1.16.3: a Set-Cookie header is returned for the SSP session cookie, but the value is the same as it was before.
1.17.2: two different Set-Cookie headers are returned for the SSP session cookie, neither of which matches the previous value.
I am redirected offsite again, as a further step in the SAML logout process.
I am returned to / (the root of my site), with my (unchanged) PHP session cookie and (most recent) SSP session cookie.
1.16.3:
a Set-Cookie header is returned for the PHP session cookie, giving it a new value.
the session file for the previous PHP session cookie has been deleted from the server.
the session file for the new PHP session cookie is empty.
the session file for the most recent SSP session cookie is 474 bytes.
I am no longer logged in on my website.
1.17.2:
no Set-Cookie headers are returned, for either the PHP or the SSP session cookie.
the session file for the PHP session cookie is 7722 bytes.
the session file for the SSP session cookie is 338 bytes.
I am still logged in on my website (but not on the IdP).
I can (sort of) alleviate the problem by telling Yii during the logout process to return an empty value for the PHP session cookie (PHPSESSID) and set it to expire an hour ago, but since that leaves the session file itself still in place, that approach seems unsatisfactory.
Given that information, does anyone have any ideas or pointers on where I could look next to try to determine what might be causing this?
As things stand, I don't know if this is a result of me using Yii incorrectly, me using SSP incorrectly, or a bug in SSP 1.17.2.
I have not yet managed to distill this down to a minimal, reproducible example, and I apologize for that. The code is open source, though I doubt anyone wants to go digging through it:
This commit of my code is how I tested SSP 1.16.3:
https://github.com/silinternational/developer-portal/tree/2fa781f8bbdf9bb248038e18af64b024eb9a67e1
This commit of my code is how I tested SSP 1.17.2:
https://github.com/silinternational/developer-portal/tree/e581cbe0f309786cc99eab296896c8c7bdb29b99
It turns out that I simply needed to tell SimpleSAML's Session class to do some cleanup, after which the PHP function session_name() resumed returning my application's session name ('PHPSESSID') rather than SimpleSAMLphp's session name ('SimpleSAML'). That allowed my application's logout code to kill the correct session, fixing my ability to log the user out of my application.
Here was the code change that fixed it for me:
$sspSession = \SimpleSAML\Session::getSessionFromRequest();
$sspSession->cleanup();
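An added example of how that fix fits into an application's logout flow. It is not code from the answer and not Yii's or SimpleSAMLphp's own code; it assumes SimpleSAMLphp 1.17 is autoloaded, that the SP authsource is named default-sp (the name in the question's URLs), that the application's session name is PHPSESSID, and the example.test URLs are placeholders.

```php
<?php
// Added example: application logout that survives SimpleSAMLphp switching the session name.
// Assumes SimpleSAMLphp 1.17 via Composer autoload, authsource 'default-sp',
// application session name 'PHPSESSID'; hostnames are placeholders.

require_once __DIR__ . '/vendor/autoload.php';

define('APP_SESSION_NAME', 'PHPSESSID');

// Destroys the application's own session: data, server-side file and cookie.
function destroyAppSession()
{
    // Failure mode from the question: if SimpleSAMLphp left session_name() at
    // 'SimpleSAML', everything below would act on the wrong session.
    if (session_name() !== APP_SESSION_NAME) {
        throw new RuntimeException('session_name() is ' . session_name()
            . ', expected ' . APP_SESSION_NAME . '; call Session::cleanup() first');
    }
    if (session_id() === '') {
        session_start();
    }
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        // Expire the cookie too, otherwise the browser keeps presenting the old ID.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // removes the server-side session file, not just the cookie
}

// /auth/logout: start SAML single logout; logout() redirects to the IdP and does not return.
function logoutAction()
{
    $as = new \SimpleSAML\Auth\Simple('default-sp');
    if ($as->isAuthenticated()) {
        $as->logout(array('ReturnTo' => 'https://example.test/auth/logout-done'));
    }
    logoutDone();
}

// /auth/logout-done: where SimpleSAMLphp returns the browser when SLO has finished.
function logoutDone()
{
    $ssp = \SimpleSAML\Session::getSessionFromRequest();
    $ssp->cleanup(); // the fix from the answer: hands session_name() back to the application
    destroyAppSession();
    header('Location: https://example.test/');
    exit;
}

logoutAction();
```

The check on session_name() turns the silent symptom from the question (the user stays logged in) into a loud failure, which is what you want from code whose whole job is to end a session.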
I need to share PHP sessions between multiple servers. However, I'm not sure how to maintain the session ID created on one server and how to pass it to the next server.
Essentially, a client can upload a file, but which server the file is sent to depends on which server is not overloaded.
For example, session_start() is called on test.com
An AJAX post is sent to serv1.test.com. When I call session_start() on serv1.test.com, I want it to pull the existing session information that was created by session_start() on test.com. However, that doesn't seem to be the way PHP sessions work?
I installed Memcached and followed this guide here:
https://www.digitalocean.com/community/tutorials/how-to-share-php-sessions-on-multiple-memcached-servers-on-ubuntu-14-04
I have one centralized memcache server that test.com and serv1.test.com are configured to use. However, session_start() creates a unique session on each server instead of reusing the same session. If I send the PHPSESSIONID to each server, then I can load the existing session.
How do I accomplish what I'm trying to do? I could send the PHPSESSIONID as a variable in the AJAX POST, but isn't that a security risk? That is something that could be changed by the user...
How do I get serv1.test.com to continue to use the same session set on test.com? How do I pass that session ID to serv1.test.com securely so I can use session_id("existingsessionid_from_test.com") to open the existing session?
The solution was to set the session.cookie_domain to include subdomains.
session.cookie_domain = ".test.com"
Thanks frz3993
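An added example, not from the question or the answer, of the complete setting on each host. It assumes the php-memcached extension is installed, a memcached instance reachable as sessions.internal:11211 (a made-up name), and that test.com and serv1.test.com are both served over HTTPS.

```php
<?php
// Added example: one PHP session shared by test.com and serv1.test.com.
// Assumes ext/memcached, a memcached host named sessions.internal (placeholder), HTTPS on all hosts.

function configureSharedSession()
{
    // Same backing store on every host, so the same ID resolves to the same data.
    ini_set('session.save_handler', 'memcached');
    ini_set('session.save_path', 'sessions.internal:11211');
    ini_set('session.name', 'PHPSESSID');

    // The fix from the answer: a domain cookie is sent to test.com and every
    // subdomain, so serv1.test.com receives the ID without the page copying it
    // into the AJAX POST body.
    ini_set('session.cookie_domain', '.test.com');
    ini_set('session.cookie_path', '/');
    ini_set('session.cookie_secure', '1');    // HTTPS only
    ini_set('session.cookie_httponly', '1');  // not readable from JavaScript
    ini_set('session.use_only_cookies', '1'); // never accept an ID from the query string or POST body
    if (PHP_VERSION_ID >= 50502) {
        ini_set('session.use_strict_mode', '1'); // reject IDs the server did not issue
    }
}

// Called on login: regenerating the ID makes any value fixed before login useless.
function loginUser($userId)
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $userId;
    $_SESSION['issued_at'] = time();
}

// Upload endpoint on serv1.test.com: trust only what the shared session says,
// never an identifier supplied in the request body.
function currentUserId()
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

configureSharedSession();
session_start();
```

This answers the security worry in the question: the browser attaches the cookie itself, so there is no user-editable POST field carrying the ID, and use_only_cookies plus use_strict_mode mean a value injected into the POST would be ignored anyway. The trade-off of a domain cookie is scope: every host under test.com can read and set it, so a compromised subdomain can steal or fix the session for all of them.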
Who creates a session, and does a cookie have any role in it?
I was asked this question in a company's interview process and didn't know the answer. I would like to know which side creates sessions, i.e. whether the client side or the server side, and whether a cookie has any role in it.
Also, how does the server understand which session is provided to which client, and to which user of the client if multiple users are logged in?
What’s the difference between a cookie and a session in PHP?
PHP sessions improve upon cookies because they allow web applications to store and retrieve more information than cookies. PHP sessions actually use cookies, but they add more functionality and security.
Sessions store data on the server, not on the browser like cookies
The main difference between a session and a cookie is that session data is stored on the server, whereas cookies store data in the visitor’s browser. Sessions use a session identifier to locate a particular user’s session data. This session identifier is normally stored in the user’s web browser in a cookie, but the sensitive data that needs to be more secure — like the user’s ID, name, etc. — will always stay on the server.
Sessions are more secure than cookies
So, why exactly should we use sessions when cookies work just fine? Well, as we already mentioned, sessions are more secure because the relevant information is stored on the server and not sent back and forth between the client and server. The second reason is that some users either turn off cookies or reject them. In that scenario, sessions, while designed to work with a cookie, can actually work without cookies as a workaround, as you can read about here: Can PHP sessions work without cookies?.
Sessions need extra space, unlike cookies
PHP sessions, unlike cookies which are just stored on the user’s browser, need a temporary directory on the server where PHP can store the session data. For servers running Unix this isn’t a problem at all, because the /tmp directory is meant to be used for things like this. But, if your server is running Windows and a version of PHP earlier than 4.3.6, then the server will need to be configured – here is what to do: Create a new folder on your Windows server – you can call it something like C:\temp. You want to be sure that every user can read and write to this folder. Then, you will need to edit your php.ini file, and set the value of session.save_path to point to the folder which you created on the Windows server (in this case, that folder is under C:\temp). And finally, you will need to restart your web server so that the changes in the php.ini file take effect.
Sessions must use the session_start function
A very important thing to remember when using sessions is that each page that will use a session must begin by calling the session_start() function. The session_start() function tells PHP to either start a brand new session or access an existing one.
How session_start in PHP uses cookies
The first time the session_start() function is used, it will try to send a cookie with a name of PHPSESSID and a value of something that looks like a30f8670baa8e10a44c878df89a2044b – which is the session identifier that contains 32 hexadecimal letters. Because cookies must be sent before any data is sent to the browser, this also means that session_start must be called before any data is sent to the Web browser.
The server creates the session and sets the cookie, which is stored in the client's browser. The cookie contains a session identifier (a string of characters) that allows the user to access a particular session on the server. This session identifier corresponds to the session on file.
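An added illustration of the mechanism both answers describe; it is not PHP's own implementation and not from the original posts. It stores one file per session under a directory made up for the example and makes the division of labour visible: the server mints the random ID and owns the data, the browser only stores the ID and echoes it back in a cookie. Assumes PHP 7 for random_bytes().

```php
<?php
// Added example: a hand-rolled session store showing what session_start() does behind the scenes.
// Assumes PHP >= 7.0 (random_bytes). Directory and cookie name are made up for the example.

define('MY_SID_COOKIE', 'MYSESSID');
define('MY_SESSION_DIR', sys_get_temp_dir() . '/mysess');

function mySessionFile($id)
{
    return MY_SESSION_DIR . '/sess_' . $id;
}

// Server side: look up the session the cookie points at, or create a new one.
function mySessionStart()
{
    if (!is_dir(MY_SESSION_DIR)) {
        mkdir(MY_SESSION_DIR, 0700, true);
    }
    $id = isset($_COOKIE[MY_SID_COOKIE]) ? $_COOKIE[MY_SID_COOKIE] : '';

    // Accept only IDs this server issued: well-formed and existing on disk.
    // (PHP's session.use_strict_mode does the same for PHPSESSID.)
    if (!preg_match('/^[0-9a-f]{32}$/', $id) || !is_file(mySessionFile($id))) {
        $id = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, 32 hex characters like PHPSESSID
        file_put_contents(mySessionFile($id), serialize(array()), LOCK_EX);
        // The Set-Cookie header must leave before any body output, which is why
        // session_start() has to be called before anything is echoed.
        setcookie(MY_SID_COOKIE, $id, 0, '/', '', isset($_SERVER['HTTPS']), true);
    }
    return array('id' => $id, 'data' => unserialize(file_get_contents(mySessionFile($id))));
}

function mySessionSave($id, array $data)
{
    file_put_contents(mySessionFile($id), serialize($data), LOCK_EX);
}

$sess = mySessionStart();
$sess['data']['visits'] = isset($sess['data']['visits']) ? $sess['data']['visits'] + 1 : 1;
mySessionSave($sess['id'], $sess['data']);
echo 'Session ' . $sess['id'] . ', visit ' . $sess['data']['visits'];
```

Two browsers get two different IDs and therefore two different files, which is how the server tells clients apart; the cookie itself never contains the visit count or anything else worth protecting, only the key to it.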
I was wondering if anyone could teach me how to use sessions in GAE PHP. I know that the usual method is to use session_start() in every page that wants the session to carry over and then assign variables using $_SESSION['name'].
But PHP on GAE is a bit confusing at times.
https://developers.google.com/appengine/docs/php/?hl=en#Sessions
I have some idea on memcache but don't know how to use it to store session variables. Can anyone tell how I can create a session variable so that when I redirect using header the variables will be present too.
Eg.
First.php
session_start();
$_SESSION['name'] = 'Abilash'; // string literal; the bare word Abilash would be an undefined constant
header('Location: second.php');
exit; // stop output once the redirect header has been sent
Second.php
session_start();
echo $_SESSION['name']; // should output Abilash.
Now how do I do that in GAE. Whenever I try to redirect using header the redirected page loads but the session variables are not passed through.
You should not need to do anything to get sessions working, as we automatically put them into memcache by default.
Perhaps the session cookie is not being passed by your browser for the second request. I'd turn on developer tools in chrome to make sure you see that the cookie is on the request and I'd also output the result of session_start() to check it's returning true.
You should not need to do anything to get sessions working, as we automatically put them into memcache by default.
was very misleading to me. It may have worked back then. Nowadays, each PHP instance has its own PHP session management by default. If you want centralized PHP session management stored in Google GAE memcache, you have to configure it!
A working possible legacy solution:
https://cloud.google.com/appengine/docs/standard/php-gen2/services/access#session
you need legacy bundled services for PHP
deployable just with the beta SDK: gcloud beta app deploy
I have read dozens of solutions to this and tried almost every one of them, but my sessions time out quickly anyway. I'm using a Debian installation and have set the max variable in /usr/lib/php5/maxlifetime to 86400. I've also set session.gc_maxlifetime = 86400 in php.ini. I've made the session cookie valid for one hour, and every time I reload the page I update it with another hour. I have tried setting ini_set("session.gc_maxlifetime", "86400"); in my front controller. However, nothing helps. If I log in to my site and wait about 20 minutes, the next time I click a link on the page I will be logged out. The session cookie is still valid and the session file in /var/lib/php5 still exists. I just don't get it. I should also mention that I use Parallels PLESK on the system and it has made a lot of modifications to the standard Debian install, but I don't think that's the problem. Anyone?
It's entirely possible there's more than one .ini being loaded and where the one you made your session changes to is being overridden by one loaded later in the chain. Dump out a phpinfo() where your session validation/login code are and see what the session settings are. Part of the output will also be a list of the .ini files that were loaded.
Is it possible you have something in a .htaccess conflicting with everything else? And are you sure you do not set this somewhere else in your code or in some custom php.ini?
Every time I have such problems I finally realise I forgot ONE place.
Does php -i | grep session.cookie_lifetime (at console) or phpinfo() (in script) verify your change to the cookie lifetime parameter?
If you use Firefox, try installing the Web Developer Toolbar and Firebug to inspect the cookies and network activity. This is a very useful combination for me when investigating issues where the hash value of a session cookie changes.
It's also possible that somewhere in your code or libraries you have a call to session_set_cookie_params() that's overloading your expected behavior. You can inspect cookies with either of the extensions above to verify their expiration.
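An added diagnostic script that does what the answers above suggest in one place; it is not from the original answers. It assumes file-based sessions (session.save_handler = files, the Debian default) and that it is served from the same virtual host as the login code, so the same php.ini, conf.d files and .htaccess overrides apply. Log in first, then open it.

```php
<?php
// Added diagnostic: effective session settings, the ini chain, and the state of
// this session's file on disk. Assumes session.save_handler = files.

function effectiveSessionSettings()
{
    $keys = array(
        'session.save_handler', 'session.save_path', 'session.name',
        'session.gc_maxlifetime', 'session.gc_probability', 'session.gc_divisor',
        'session.cookie_lifetime', 'session.cookie_domain', 'session.cookie_path',
    );
    $out = array(
        'php_ini_loaded_file'   => php_ini_loaded_file(),
        'php_ini_scanned_files' => php_ini_scanned_files(), // later files override earlier ones
    );
    foreach ($keys as $k) {
        $out[$k] = ini_get($k);
    }
    return $out;
}

// session.save_path may be "/path", "N;/path" or "N;mode;/path"; keep only the directory.
function sessionDirectory()
{
    $dir = preg_replace('/^\d+;(\d+;)?/', '', ini_get('session.save_path'));
    return $dir !== '' ? $dir : sys_get_temp_dir();
}

// Does the file for the current ID exist, and is it already older than
// gc_maxlifetime (i.e. would the garbage collector treat it as expired)?
function sessionFileStatus()
{
    if (session_id() === '') {
        return array('active' => false);
    }
    $file = rtrim(sessionDirectory(), '/') . '/sess_' . session_id();
    if (!is_file($file)) {
        return array('active' => true, 'file' => $file, 'exists' => false);
    }
    $age = time() - filemtime($file);
    return array(
        'active'         => true,
        'file'           => $file,
        'exists'         => true,
        'age_sec'        => $age,
        'expired_for_gc' => $age > (int) ini_get('session.gc_maxlifetime'),
    );
}

session_start();
header('Content-Type: text/plain');
print_r(effectiveSessionSettings());
print_r(sessionFileStatus());
print_r(session_get_cookie_params()); // the lifetime/domain/path the cookie is really sent with
```

How to read it: if gc_probability prints 0, PHP's own garbage collector never runs and the ini_set() of gc_maxlifetime in the front controller cannot matter for cleanup; on Debian the cron job that calls /usr/lib/php5/maxlifetime (mentioned in the question) does the deleting instead, using the values from the ini files, not from the script. If the file still exists and expired_for_gc is false when you are already logged out, as the question describes, the session data was not collected at all, and the place to look is the application's own login check or the cookie parameters printed last, not the lifetime settings.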
I'm not sure if this will help, but make sure you're using both ob_start() & session_start();
ob_start();
session_start();
That's weird, a solution could be to implement a "Remember Me" feature with cookie. I know sessions can be very fickle, if you log-in on another comp, or the same comp but different browser, the cookie could be destroyed.
Also is the session really getting destroyed? Or is a new session being generated?