$_SESSION variables not carried over on HTTPS - php

I am developing a site on my localhost, where everything works fine, but now that the site is uploaded to the HTTPS side of our inserted ONLINE /inserted server, the $_SESSION variables don't get carried over from the login.php to the index.php page. Both are located on HTTPS, the process never goes out of HTTPS. As I said, everything worked fine on my localhost.
My localhost's PHP is version 5.3.2 and the HTTPS server is 5.2.6. The only difference in settings I can identify regarding sessions is session.use_only_cookies is On on my localhost and Off on the HTTPS server.
Can anyone please shed some light as to why the session variables are not transferred? PS. I do have session_start(); in both login.php and index.php.
Thanks in advance.

Have you checked that the session cookie is carried over between the HTTP and HTTPS requests? And that the same session token is present on both sides?
If the cookie established via the HTTPS page is marked as "secure only", it will not be transmitted to non-SSL pages, so you'd get a brand new empty session on the non-secure pages, which would give you the symptoms of "missing" session variables. They're not really missing, just in some other session which isn't active now.

There are a few things that can go wrong.
Make sure both login.php and index.php are accessed through https. session.cookie_secure defaults to off, but you never know.
Also make sure they are they both on the same domain. Cookies are set per-domain.
Maybe there is some oddball cookie setting? You can view the current session cookie settings with: session_get_cookie_params()
You can also verify how the cookie is being set in your browser (if at all), for Opera you can right-click in the page, select "edit site preferences", and use the "Cookie" tab. Don't know about other browsers from the top of my head ...
Another possibility is a borked session.save_path, run session_save_path() without any arguments to get the current session_save_path, make sure the user running PHP (typically but not necessarily the same user running the webserver) can write to this directory.

Related

cookies not working in php aws

I'm running into an issue where I can't set a cookie on an AWS EC2 instance running LAMP.
I have two simple pages, cookie.php and show_cookie.php:
cookie.php
<?php
setcookie('test', 'test', time()+36000, '/');
?>
show me the cookies!
show_cookie.php
<?php
print_r($_COOKIE);
?>
go back
When I navigate to cookie.php in Chrome and click on the link, the page echoes an empty array. Also, if I inspect Cookies, there's nothing there.
I'm running PHP 7.0.16 with Apache/2.4.25 (Amazon). This is such strange behavior. Has anyone run into something similar to point me in the right direction?
In all my experience with cookies I've always included $_SERVER['SERVER_NAME'] as a fifth argument. I don't believe you have to define $_Server. I believe it's defined during execution. If not you may have to define it as your domain or IP address.
setcookie("userid",$global['user-id'],time()+3600*2,'/',$_SERVER['SERVER_NAME']);
This is a link to the PHP guide for $_Cookies.
http://php.net/manual/en/function.setcookie.php
This is a link to the PHP guide for $_Server. http://php.net/manual/en/reserved.variables.server.php
Domain:
The (sub)domain that the cookie is available to. Setting this to a
subdomain (such as 'www.example.com') will make the cookie available
to that subdomain and all other sub-domains of it (i.e.
w2.www.example.com). To make the cookie available to the whole domain
(including all subdomains of it), simply set the value to the domain
name ('example.com', in this case).

Session works fine on localhost, but not on webhost server

I have written a login script that works perfectly fine on my test server (localhost), but it does not work when I upload it to my web host's web server.
I have narrowed it down to a problem with session - after successfull login, the session is set successfully, and the user is redirected, but when the page the user is redirected to loads, the session is apparantly gone.
I would prefer to not post the full source (yet), but here's the logic of it:
login.php: shows form, submits to self, check user/pass and set $_SESSION['loggedIn'] = true; then redirects to index.php
index.php: checks for $_SESSSION['loggedIn'] == true (if not set, or false, redirect back to login.php).
So the problem is that $_SESSION['loggedIn'] doesn't even exist when the user is redirected to index.php after successfully logging in and setting the session in login.php.
Does anyone have any clue on what could cause something like this? The web host server does support cookies/session - i made a very simple test, and it works, so i guess there must be something with my code... :( But I really don't understand it, because there's nothing that would delete a cookie (except for the logout.php script).
I've been debugging this for 2 hours, and as usual, I find the problem right after writing a long post about it... :-/
Anyway, the problem was that I included a class.db.php file right before session_start();
I guess, that for some reason, that file output something invisible when executed on the remote server. Maybe it's encoding issue?
Anyway, I just moved session_start() above inclusion of that file, and everything works fine now... :)
you changed the server date after login from client hence session expired, just clear the history from client computers.

PHPSESSID Cookies on Sub-domains are having conflicts with each other

We are having some issues with PHP Session Cookies not allowing us to log into our *SugarCRM** application which is open source PHP application.
The problem is we have the same application installed on 2 sub-domains like below...
Main site
www.domain.com
Dev site
dev.www.domain.com
Now after logging into one, it will not allow you to login to the other!
Please view the image below to see the Cookie problem...
In the image above you can see that there is 2 PHPSESSID Cookies competing for the Session!
If I now delete one of them, it allows me to login as normal without an issue!
Because this is SugarCRM, I am hoping I can resolve this issue without making really any core file modifications to the application. But if I have to, then we will.
So does anyone have any ideas on a good solution?
Right now my idea for a "Nasty Dirty Hack" which I really do NOT want to have to do. It is to make a button on the login form, this button will use JavaScript to clear/delete the PHPSESSID Cookies but again I would really like to find a proper solution.
If anyone has any ideas, please share? Thank you
UPDATE
Thanks for the answers so far. Please do take into acocunt that this is not a simple PHP application that I built where I can easily do code changes. THis is SugarCRM which is a massive large application with thousands of files
Try to setup in .htaccess parameter on subdomain
php_value session.cookie_domain .domain.com
or use in php code, but before "session_start()"
ini_set('session.cookie_domain', '.domain.com' );
Use
session_set_cookie_params
to set the session from the subdomain, on the principal domain.
Try to use function (http://php.net/manual/en/function.session-set-cookie-params.php):
session_set_cookie_params ( $lifetime, $path, $domain, $secure, $httponly)
And set one $domain = '.domain.com'
Or if you setting session cookie manually by setcookie, then setting the same domain too
Its actually not the domain you need to change, but the "session name" (name of the cookie parameter). Both apps seem to be using the default "phpsessid" and need to be made to differ, otherwise the apps will see eachother sessions, see the wrong session, or try to unserialize classes only defined in the other project.
You need to change the cookie parameter its storing the session ID in. It can be controlled from an environment variable (php.ini, .htaccess, etc.): http://us1.php.net/manual/en/session.configuration.php#ini.session.name
This way you can have multiple PHP sessions on the same domain. For example if you had example.com/sugarcrm and example.com/foo You could have sugarCRM store it's session ID in a cookie param called "sugarsession" (instead of the default phpsessid)
It has been a while since I had this issue but I think all you have to do is write each instances session file to a different directory by editing the config.php in each SugarCRM's file system and change the line
'session_dir' => '',
to point at a different directory.

My cookies are only available on PHP pages they are set on, is this normal?

I cannot access cookies from any page other than the page they are set on. I looked at print_r($_COOKIE) on different pages and the only common variable between pages is the $_COOKIE['PHPSESSID'].
I am developing on a local XAMPP testing server. Is there a setting I should change on the PHP.ini or is this normal behavior for cookies? Sorry, I'm a little new to this stuff and I was under the impression cookies were accessible site wide.
I am setting cookies like:
setcookie("user", "Dave Schmave", time()+60*60*24*120);
Any help would be greatly appreciated. Thanks
Try setting the cookie path to the root:
setcookie("user", "Dave Schmave", time()+60*60*24*120, '/');
Also is it on the same domain? Accessing via HTTPS will also affect your cookies.

automatic session expiration

I am facing a strange scenario. basically on my every web page i am doing
session_start();
if(!isset($_SESSION['login']))
header("Location: login.php");
to ensure every user has logged in first. I am working in chrome and what happens is if I login to my web application and open any page it works fine. At the same time if, in another tab, I login to my hosting server, I am logged out of my web application. If I login to my application again, I am logged out of my hosting server!!
What am I doing wrong? is there a problem the way I am checking or setting the session variable?
I am setting the session as follows:
//if authentication successful
session_start();
$_SESSION['login'] = "1";
I have a very similar problem, and I think this happens just because two sessions with the same name, in the same place of the same domain can't coexist.
Maybe a solution should be to use session cookies. You can set a cookie just for a folder and not for the whole domain. This way I think you can manage 2 sessions at the same time, but I'm not sure.
Try this:
session_start();
setcookie(session_name(), session_id(), 0, '/public/');
Where /public/ might be the specific folder where your site is located, or the application path (thanks Paul for pointing out this).
Then you will check if session is set:
$session_cookie =
isset($_COOKIE[ini_get('session.name')]) ?
$_COOKIE[ini_get('session.name')] :
null;
Probably this won't work, since the other session might be "stored" in the root folder of your web application. But if you are able to do the thing above also for your hosting server, you should resolve your problem.
You can also try to set a different name for the session in your web application.
Hope this helps.
I think you'll find the cause is that both hosts have the same network name e.g. test.www.example.com and www.example.com
Just use a different network name for the test machine and it should work or make sure you explicitly use non-overlapping values for session.cookie_domain

Categories