I have a Windows server 2008 with apache2. The server has 2 discs and I run an apache instance on both. The first runs as a service the second in the commandline. They both use an exact copy of an identical webroot in their own htdocs folder. Also they both use the same PHP install that is located on the first disc (Program Files (x86)). My application runs over SSL and uses PHP and MySQL.
The webserver that runs as a service runs my application fine and lets me login and has my session data ready at all times. The second server however lets me run my login script, has session data while running the script but loses that session data after a redirect to another page inside the same webroot.
The problem on the second webserver is similar to this question with the exception that I have session_start() on every page.
My login script works like this:
User requests a page
If the user is not authenticated, he is thrown back to the login page
If the user is authenticated, he gets an $_SESSION["auth"] with his profile data
Then when the user is browsing the main page or other pages that need auth, they just check if the $_SESSION["auth"] is set.
Any tips on how to solve this?
EDIT: A small clarification. I do have a session ID on each page. That id does not change when I get redirected. I do NOT have any data in the $_SESSION variable on the page I redirect to.
Look at the permissions of the PHP session directory where the files for the session are being stored. If PHP doesn't have the rights to write, create and change files, you won't be able to store anything in your $_SESSION var.
I found the solution. The user that runs the webserver did have permission to all paths in the httpd.conf but did not have permission to access all paths in PHP.ini. session.save_path is one of those paths and the server can't access session data if it can't store session data.
The session.save_path was set to C:\Windows\Temp and initially I did not think I had to give permissions to anything but the apache dirs, php dirs and webroot.
Thanks for all your help!
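A diagnostic for the failure mode described above, added here as an example and not part of the original question or answer: it reports the effective session.save_path as seen by the web server account and proves (or disproves) a write/read round trip through the session handler. Run it under the same web server and SAPI as the application, since an interactive shell runs as a different user.

```php
<?php
// session_check.php: added example, not code from the original post.
// Open/write failures on the save path are only reported to the PHP error log
// unless display_errors is on, which is why the data "silently" disappears.

declare(strict_types=1);

/** Report the effective save path and whether the server account can use it. */
function session_storage_report(): array
{
    $path = session_save_path();
    if ($path === false || $path === '') {
        // An empty save_path makes PHP fall back to the system temp directory.
        $path = sys_get_temp_dir();
    }
    // save_path may be "N;/path" or "N;MODE;/path"; keep only the directory.
    $sep = strrpos($path, ';');
    $dir = $sep === false ? $path : substr($path, $sep + 1);

    return [
        'handler'   => ini_get('session.save_handler'),
        'save_path' => $dir,
        'exists'    => is_dir($dir),
        'writable'  => is_writable($dir),
    ];
}

/** Write a value, flush it, reopen the same session id and read it back. */
function session_roundtrip_ok(): bool
{
    session_start();
    $id = session_id();
    $_SESSION['probe'] = 'ok';
    session_write_close();      // this is the step that needs write access

    session_id($id);
    session_start();
    $ok = ($_SESSION['probe'] ?? null) === 'ok';
    session_destroy();
    return $ok;
}

header('Content-Type: text/plain');
print_r(session_storage_report());
echo 'round trip: ', session_roundtrip_ok() ? 'ok' : 'FAILED', "\n";
```

If the report shows `writable => false` or the round trip fails, the fix is the one given in the accepted answer: grant the web server account write access to that directory, not only to the Apache, PHP and webroot paths.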
Sessions will break if the user visits a sub-path of your site root and then navigates upwards. This is because the cookie will only be set for that path, not your entire domain. More info here: http://www.php.net/manual/en/function.session-start.php#91298
So I had a website with login page, located in a subdirectory named "login".
I recently changed webhosts, and now my login page does not log me in. The session data is not showing on the main page [I have it set to print_r($_SESSION); and the only data it shows is sessionstart].
But when I click the login page again, it shows I am logged in!
And when I move the login page to the MAIN directory, it logs me in, which leads me to believe the $_SESSION data is per directory somehow...
The PHP version is the same as the old webhost (7.2), and it is the same type of server (Apache on Linux). Not sure how session data could work on one webhost and NOT on another.
UPDATE:
Okay, so it looks like it is being caused by the php.ini file in the main directory. But the only entries in it are upload_max_filesize = 64M and post_max_size = 64M. I tried copying it to the login folder, but it still won't keep session data between the 2 pages. Am I missing something?
session_start() should be present on all scripts where you need a session. Can you show us the code where the problem is located?
I have a web server running LAMP. I have the website tbg.robotpidgeon.com set up to run the PHP login system that I copied from here (https://www.tutorialrepublic.com/php-tutorial/php-mysql-login-system.php).
Very basic login system using MySQLi.
In my apache2 config file for this web address, I have set up the virtual host and pointed it to where the PHP files are located. However, when you go to the above address it generates an index of the PHP files.
When I try to set up the virtual host to land on the login or welcome page I get a too_many_redirects error. So I am assuming that I have created a loop when I set the virtual host document root to a specific PHP file?
What should I do so that when I go to the above address it goes to the login/register page?
The browser is stopping you from hammering the server with a bunch of requests. This is most likely due to the header() sending you to a page which in turn sends you to the same page (or a page with the same header()).
In your session.php you have to destroy the session because it might still be set, but without that the query can find an existing user?
To unset sessions do this:
session_unset(); // for all the session variables
unset($_SESSION['login_user']); // for a specific session variable
I have an SPA that uses AJAX calls to assemble content from multiple PHP files. I can add the following into the main application's config file to be able to redirect users that are not logged in back to the login page as long as they tried going through the portal to look at stuff.
// Verify login to access this resource (session_start() must already have run)
if ($_SESSION["loggedIn"] != true) {
    echo ('resource denied <script>window.location.href = "https://'.$_SERVER['SERVER_NAME'].'/login.php";</script> ');
    exit();
}
The problem comes in that there are tons of views, models, controllers, and third party widgets that can still be accessed directly if you simply tried scanning the site for common file architectures.
Is there a way to use something like an htaccess or php.ini file to automatically append this login check to all of the php files in a directory so that I don't have to paste this into each and every page?
Barring that, is there a way to set my chmod settings to only allow indirect access to those files such that PHP scripts running on the server can use them, but they cannot be directly visited? Thanks.
[EDIT]
Moving files outside of my public folder did not work because it broke the AJAX.
I also tried auto_prepend_file in an htaccess file, but this resulted in a 500 error. I am using a VPS that apparently won't let me do an AllowOverride All in my Apache pre_virtualhost_global.conf; otherwise, I think that would have been the right way to do this.
Setting the CHMOD settings of my resource folders to 0750 appears to be allowing the AJAX commands to execute without allowing direct access to the files. If anyone knows of any other security caveats to be aware of when doing this let me know. Thanks.
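The auto_prepend_file approach the poster tried, written out as an added example (not the poster's code): a single guard file that PHP loads before every script in the directory tree, so the login check does not have to be pasted into each page. The file and endpoint names (auth_guard.php, /login.php, /register.php, /logout.php) are assumptions; the $_SESSION["loggedIn"] flag is the one from the question. The directive can live in php.ini, in a `.user.ini` (CGI/FastCGI) or in `php_value auto_prepend_file` in .htaccess, the last of which needs AllowOverride Options or All, which explains the 500 error above.

```php
<?php
// auth_guard.php: added example, not code from the original post.
// Loaded via: auto_prepend_file = /path/outside/webroot/auth_guard.php
// Because it runs before the requested script, every PHP file under the
// document root is gated, including widgets that are never linked directly.

declare(strict_types=1);

// Scripts that must stay reachable without a session (hypothetical names).
const PUBLIC_SCRIPTS = ['/login.php', '/register.php', '/logout.php'];

function request_is_ajax(): bool
{
    // The usual header set by jQuery-style AJAX helpers.
    return strcasecmp($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '', 'XMLHttpRequest') === 0;
}

function deny_unauthenticated(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $script = $_SERVER['SCRIPT_NAME'] ?? '';
    if (in_array($script, PUBLIC_SCRIPTS, true)) {
        return;
    }

    // Strict comparison: a missing key or any value other than true is denied,
    // unlike the loose "!= true" check, which treats "1" or "yes" as logged in.
    if (($_SESSION['loggedIn'] ?? false) === true) {
        return;
    }

    if (request_is_ajax()) {
        // AJAX callers get a machine-readable 401 instead of an HTML redirect,
        // so the SPA can send the user to the login page itself.
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'authentication required']);
    } else {
        // Relative Location avoids trusting the Host header for the redirect.
        header('Location: /login.php', true, 302);
    }
    exit;
}

deny_unauthenticated();
```

Keeping the guard file outside the document root means it cannot itself be requested, and the 0750 permission change described in the edit is then no longer the only thing standing between a scanner and the unlinked files.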
I am trying to post a feed on Twitter using TwitterOAuth. I have two PHP scripts, redirect.php, and callback.php that work as follows.
redirect.php -> twitter auth -> callback.php
Whatever session key/values stored upon calling redirect.php are lost when callback.php is called for some reason.
Both PHP files reside in the same domain and HTTPS is used all the way through.
session_start() is used in both scripts right before storing and fetching session data.
What could be the cause of this problem?
It turns out that Apache was not able to write session files to the directory (in my case, /var/lib/php/session) specified in the php.ini.
Granting the write permission on this directory to Apache has solved the problem.
I am accessing my website from a Linux server. At the time of user login I create a session.
But even when I didn't open the site, in the folder /var/lib/php/session there are continuously some session files getting created.
I am unable to find where these files are getting created from.
A session is always created. Your login just assigns the session to a user and the information that he/she/it is authenticated.
Note: Also search engines and robots create sessions on your page.
PHP creates sessions whenever you call session_start().
After too much research I found that the sessions were getting created from cron files.
I removed the session_start() call from the cron files.