PHP Session ID changes per request

I just migrated my application from the local WAMP to a real online server. This caused problems with the session id not being saved when it appears.

  • I checked for unnecessary characters before session_start
  • I cannot find the session file saved in my /tmp

These are my session settings:

    Directive                         Local Value   Master Value
    session.auto_start                Off           Off
    session.bug_compat_42             Off           Off
    session.bug_compat_warn           On            On
    session.cache_expire              180           180
    session.cache_limiter             nocache       nocache
    session.cookie_domain             no value      no value
    session.cookie_httponly           Off           Off
    session.cookie_lifetime           0             0
    session.cookie_path               /             /
    session.cookie_secure             Off           Off
    session.entropy_file              no value      no value
    session.entropy_length            0             0
    session.gc_divisor                1000          1000
    session.gc_maxlifetime            1440          1440
    session.gc_probability            1             1
    session.hash_bits_per_character   5             5
    session.hash_function             0             0
    session.name                      PHPSESSID     PHPSESSID
    session.referer_check             no value      no value
    session.save_handler              files         files
    session.save_path                 /tmp          /tmp
    session.serialize_handler         php           php
    session.use_cookies               On            On
    session.use_only_cookies          On            On
    session.use_trans_sid             0             0

  • The online server runs PHP version 5.3.9, while WAMP runs PHP version 5.3.5.
  • After reviewing the sent headers and the response in each page load, I received the following: set-cookie sends the corresponding session identifier, and the received response sends a new one, as if nothing had been requested.
  • I launch the site at the preview URL (SSL on). I do not know if this has anything to do with it; my domain is not registered yet.
  • The error code is as simple as:

    $sId = session_id();

    if ($sId == '') { session_start(); }

+4
source share
7 answers

I just had and solved the same problem.

It turns out that the PHPSESSID cookie (which records the session) was sent, but it was ignored by the server, so the session was not maintained, and the server restarted the session every time the page reloaded or changed.

The problem was that in my wp-config.php there was a line:

    @ini_set('session.cookie_secure','On');

This means that if the connection is unsafe, all cookies must be ignored, so the cookie PHPSESSID and the session are restarted.

Check wp-config.php or init.php. The problem is with cookies.

+4
source

You need to call session_start(); before accessing any session variables. Without it, you cannot access session variables.

Try putting session_start() in the very first line of the file.

+2
source

session_start should be first in your file; after that you can get the session ID:

    session_start();
    $sId = session_id();

+1
source

This can be caused by the three characters of a BOM (Byte Order Mark), which some programs (for example, Dreamweaver, Notepad) insert before the <?php marker, so the session is not actually initialized.

If you have error_reporting enabled, you will see "headers already sent".

Check the file in a hex editor to see if your editor inserts any characters.

+1
source
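A scan for the condition this answer describes, as an added example that is not part of the original answer: it reports PHP files whose first bytes are not the open tag. The function names and the sample files are constructed for the illustration; the code assumes PHP 7.1 or later.

```php
<?php
// Added example. Bytes in front of the open tag (a UTF-8 BOM, a blank line) are
// sent as page output, so the headers are committed before session_start()
// can send the Set-Cookie header.

function leadingOutputProblem(string $head): ?string
{
    if ($head === '' || strncmp($head, '<?php', 5) === 0) {
        return null;                                   // empty file or clean start
    }
    if (strncmp($head, "\xEF\xBB\xBF", 3) === 0) {
        return 'UTF-8 BOM (EF BB BF) before the open tag';
    }
    if ($head !== ltrim($head)) {
        return 'whitespace before the open tag';
    }
    return 'other output before the open tag';
}

function scanTree(string $root): array
{
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile() || $file->getExtension() !== 'php') {
            continue;
        }
        // Only the first bytes matter; 16 is enough to see a BOM or a blank line.
        $head = (string) file_get_contents($file->getPathname(), false, null, 0, 16);
        if (($problem = leadingOutputProblem($head)) !== null) {
            $findings[$file->getPathname()] = $problem;
        }
    }
    return $findings;
}

// Constructed sample files so the scan runs offline.
$dir = sys_get_temp_dir() . '/bom_demo_' . uniqid();
mkdir($dir);
file_put_contents("$dir/clean.php", "<?php session_start();\n");
file_put_contents("$dir/bom.php", "\xEF\xBB\xBF<?php session_start();\n");
file_put_contents("$dir/blank.php", "\n<?php session_start();\n");
foreach (scanTree($dir) as $path => $problem) {
    echo basename($path), ': ', $problem, PHP_EOL;
}
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

Template files that legitimately begin with HTML are reported as "other output"; the finding matters for scripts and includes that run before session_start().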

Use only alphanumeric characters as the session identifier. I had this problem when using "." as part of a session id.

+1
source

You must first start a session in order to use the session_* functions. So, first of all you need to do the following:

    session_start();

then you can request a session ID like this:

    $id = session_id();

Please note that it is not recommended to save sessions in a folder accessible to the public, as visitors can find the folder in which you save the sessions and list all of them. They can then insert session cookies into their browser and manage other users' accounts. If you really need to do this, restrict access to the /tmp folder. For example, put an .htaccess file in this folder with this code:

    Deny from all

Or find another way to prevent users from viewing your /tmp folder, as this may be a security issue.

If you want to change the session identifier for each request, for security reasons, you can use the session_regenerate_id function.

You would do something like this:

    session_start();
    session_regenerate_id();
    // Do other things you want with sessions.

This way, even if someone steals your session cookie, the session ID will be changed with every request. And that could be your problem. There is a PHP way to regenerate a new session ID for each request, so this may be what is bothering you.

Regarding setting php.ini directives, you should check whether your hosting provider allows you to change the .ini directive that you are trying to change. Whether you can change an .ini directive depends on the server settings. And the behavior of sessions may differ from hosting to hosting, depending on how they configure the server. Most things can be changed using PHP functions or using ini_set with this list of php.ini directives.

0
source
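The two points of the answer above put together, as an added example that is not part of the original answer: session files kept in a directory only the PHP user can read, and session_regenerate_id() with the old session file deleted. Regenerating at login, the directory name, the user name and the function names are assumptions of this example.

```php
<?php
// Added example, not code from the answer. Paths and names are constructed.

function startPrivateSession(string $saveDir): string
{
    if (!is_dir($saveDir) && !mkdir($saveDir, 0700, true)) {
        throw new RuntimeException("cannot create $saveDir");
    }
    chmod($saveDir, 0700);                      // owner only: other local users cannot list sess_* files
    ini_set('session.save_path', $saveDir);     // instead of the shared /tmp
    ini_set('session.use_only_cookies', '1');   // never accept a session ID from the URL
    ini_set('session.use_strict_mode', '1');    // reject IDs the server did not issue (PHP 5.5.2+)
    ini_set('session.cookie_httponly', '1');    // keep the cookie away from page scripts
    session_start();
    return session_id();
}

function onLogin(string $user): string
{
    // Issue a new ID at the privilege change; passing true deletes the old
    // session file, so an ID captured before login no longer opens a session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return session_id();
}

$dir    = sys_get_temp_dir() . '/sess_private_demo';   // constructed path
$before = startPrivateSession($dir);
$after  = onLogin('alice');                            // constructed user name
session_write_close();

printf("id before login:  %s\n", $before);
printf("id after login:   %s\n", $after);
printf("old file present: %s\n", file_exists("$dir/sess_$before") ? 'yes' : 'no');
printf("new file present: %s\n", file_exists("$dir/sess_$after") ? 'yes' : 'no');
printf("directory mode:   %o\n", fileperms($dir) & 0777);
```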

The question is old, and the initial problem was solved exactly. However, in the end, the previous answers did not help in this situation. So, if someone is facing a similar problem like me, here is another approach:

Sessions are managed using a cookie, commonly called PHPSESSID. If this cookie is not properly declared and therefore cannot be included in subsequent user requests, another session is launched for each request, which leads to a situation at least similar to yours.

I tried to implement an application that works behind a public reverse proxy serving URLs for multiple applications, for example:

    http://public.example.com/foo/bar/script.php

was delegated to some server behind the reverse proxy, provided as

    http://foo.example.com/bar/script.php

For PHP running in the context of foo.example.com with the path prefix /bar rather than /foo/bar, the cookie parameters of the PHPSESSID session can cause problems when passed to the client without corrections. This observation was true in my case, at least.

0
source
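A check for the two cookie causes raised on this page (the session.cookie_secure answer and the reverse-proxy answer above), as an added example that is not part of either answer: given the session cookie parameters and the public URL, it lists the reasons a browser would not send the cookie back. The function name, the parameter values and the index.php URL are constructed; the array keys are those returned by session_get_cookie_params().

```php
<?php
// Added example: apply the browser's Secure, Domain and Path rules to the
// session cookie parameters and the URL the client actually requests.

function sessionCookieProblems(array $p, string $publicUrl): array
{
    $u        = parse_url($publicUrl);
    $host     = strtolower($u['host']);
    $reqPath  = $u['path'] ?? '/';
    $problems = [];

    // Secure: the cookie is only returned over HTTPS.
    if (!empty($p['secure']) && $u['scheme'] !== 'https') {
        $problems[] = 'Secure cookie on a non-HTTPS URL';
    }
    // Domain: the request host must equal it or be a subdomain of it.
    $domain = strtolower(ltrim($p['domain'] ?? '', '.'));
    if ($domain !== '' && $host !== $domain
        && substr($host, -strlen($domain) - 1) !== '.' . $domain) {
        $problems[] = "Domain=$domain does not match host $host";
    }
    // Path: RFC 6265 path-match (prefix ending on a "/" boundary).
    $cp = $p['path'] ?? '/';
    $match = $reqPath === $cp
        || (strpos($reqPath, $cp) === 0
            && (substr($cp, -1) === '/' || substr($reqPath, strlen($cp), 1) === '/'));
    if (!$match) {
        $problems[] = "Path=$cp does not cover $reqPath";
    }
    return $problems;
}

// Constructed cases; the proxy URLs are the ones used in the answer above.
$cases = [
    'cookie_secure On over plain HTTP' => [
        ['secure' => true, 'path' => '/', 'domain' => ''],
        'http://public.example.com/index.php'],
    'backend path and host passed through the proxy' => [
        ['secure' => false, 'path' => '/bar', 'domain' => 'foo.example.com'],
        'http://public.example.com/foo/bar/script.php'],
    'parameters corrected for the public URL' => [
        ['secure' => false, 'path' => '/foo/bar', 'domain' => ''],
        'http://public.example.com/foo/bar/script.php'],
];
foreach ($cases as $label => [$params, $url]) {
    $found = sessionCookieProblems($params, $url);
    echo $label, ': ', $found ? implode('; ', $found) : 'cookie is returned', PHP_EOL;
}
```

On a live site, pass session_get_cookie_params() and the URL shown in the browser's address bar rather than the URL the backend sees.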

Source: https://habr.com/ru/post/1445031/

