This topic is now archived and is closed to further replies.

akrytus

Session Data Loss

I have a user log in and the page redirected to a secure web page.  If the user clicks off that page or it is refreshed the session variables are lost, and requires the user to log back in.  This is extremely inconvenient.  Why am I losing the session data and how do I prevent it from happening?

check the sessions section in your php.ini. what are the settings? also, register globals can mess up sessions. make sure it's turned off. another possible cause is the session path isn't writable.

What kind of settings am I looking for in the ini? It works to open the first redirected page, but after that is when I lose the data!  My server is being hosted by someone else using cpanel, do I even have the ability to change the ini, because I couldn't find it anywhere?

create a page with the following code
[code]<?php
// phpinfo() prints the configuration page itself; no echo is needed
phpinfo();
?>[/code]

Then visit this page. You should be able to see the configs. Look into "Sessions". There will be session timeouts, store path, etc.

You may not be able to change the ini directly, but most hosts allow you to either change some values using .htaccess, or create your own ini override. you can most likely change the settings at runtime using set_ini too.

Are you initializing sessions on each page?  If not, you will lose your data.

[quote author=nethnet link=topic=102472.msg406698#msg406698 date=1154374538]
Are you initializing sessions on each page?  If not, you will lose your data.
[/quote]
ah yes. you have to call session_start() on each page.

Ok, I have only created 1 secure page, and yes I have session_start first thing on top.  If I click off that page, then come back, I lose the session data, even on a simple refresh I lose it!


Here is my php.ini file, please review for any problems:

[code]
Session Support                   enabled
Registered save handlers          files user sqlite
Registered serializer handlers    php php_binary

session.auto_start                Off         Off
session.bug_compat_42             On          On
session.bug_compat_warn           On          On
session.cache_expire              180         180
session.cache_limiter             nocache     nocache
session.cookie_domain             no value    no value
session.cookie_lifetime           0           0
session.cookie_path               /           /
session.cookie_secure             Off         Off
session.entropy_file              no value    no value
session.entropy_length            0           0
session.gc_divisor                100         100
session.gc_maxlifetime            1440        1440
session.gc_probability            1           1
session.hash_bits_per_character   4           4
session.hash_function             0           0
session.name                      PHPSESSID   PHPSESSID
session.referer_check             no value    no value
session.save_handler              files       files
session.save_path                 no value    no value
session.serialize_handler         php         php
session.use_cookies               On          On
session.use_only_cookies          Off         Off
session.use_trans_sid             0           0
[/code]

do you redirect the user to a different domain? do you have session_start on the page where the sessions are set too? can you also check register_globals in php.ini? does it not work on a specific browser only?

your session config doesn't seem to have a problem. the only thing is that the lifetime is 0, meaning that the session will be deleted upon closing the browser, but it shouldn't affect refreshes. also, i know IE sometimes has issues with the domain. have you tried it on firefox?

[quote]do you redirect the user to a different domain?[/quote]
Nope.

[quote]do you have session_start on the page where the sessions are set too?[/quote]
Yep!

[quote]can you also check register_globals in php.ini?[/quote]
register_globals Off Off


[quote]does it not work on a specific browser only?[/quote]
[quote]have you tried it on firefox?[/quote]
Haven't tried it on another browser.  Would you like to try?

www.nocrs.net
login:test
pw: test

try setting your domain path to ".nocrs.net". you probably redirect them to nocrs.net but the previous page is www.nocrs.net when the session is set. in this case, the session would only work with www.nocrs.net.

also, when i tried https on the index page, it says 403 forbidden...

Makes sense, so I have to contact my hosting service and have them change the domain to .nocrs.net instead of www.nocrs.net?

Does that mean that the password is being sent without encryption?

But if you start on nocrs.net to begin with then shouldn't the session work for the redirection?  Because it doesn't!

I tried using your site but none of the pages loaded.  When you click a link to go to a new page, that new page must also have session_start() before the header is sent.  Any page you want sessions to be active on, you need session_start() before the header is sent.  Please double check to make sure you have called this function on all of your pages in question, not just the page that sets the session variables.

I have, there are only 2 pages in question.

nocrs.net/index.php - sets the session
nocrs.net/Dealer/dealer.php - php protected page

Both have session_start at the very top before anything else.

If you perform a refresh on the dealer.php it will lose the session data.

Here is the data from that page:
[code]
<?php
session_start();
if (!isset($_SESSION['login'])) {  // Not logged in ?>
<meta http-equiv="Refresh" content="0; url=http://nocrs.net/invalid.htm">
<?php }
else {  // Continue with the page
?>[/code]

Any other suggestions?

[quote]I tried using your site but none of the pages loaded.[/quote]
Not sure why?  Haven't seen any problems!

[quote author=akrytus link=topic=102472.msg406754#msg406754 date=1154378292]
Makes sense, so I have to contact my hosting service and have them change the domain to .nocrs.net instead of www.nocrs.net?

Does that mean that the password is being sent without encryption?
[/quote]
what i meant is use session_set_cookie_params before session_start, or change the php.ini settings
[code]session_set_cookie_params (0,'/','.nocrs.net');[/code]

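An added example, not part of the thread: one shared include that applies the cookie-domain advice above and the login guard from dealer.php in a single place, so every page starts the session with identical cookie parameters. The function names and the `SESSION_COOKIE_DOMAIN` constant are hypothetical, and PHP 7.3 or later is assumed for the array form of `session_set_cookie_params`.

```php
<?php
// Hypothetical shared include: load it first on every page that uses $_SESSION.
// Assumes PHP 7.3+ (array form of session_set_cookie_params).

// Leading dot: the cookie is sent to both nocrs.net and www.nocrs.net.
const SESSION_COOKIE_DOMAIN = '.nocrs.net';

function start_site_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started earlier in this request
    }
    if (headers_sent($file, $line)) {
        // Once output has started, the Set-Cookie header can no longer be sent.
        throw new RuntimeException("Output already started at $file:$line");
    }
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    ini_set('session.use_only_cookies', '1'); // ignore session IDs passed in URLs
    session_set_cookie_params([
        'lifetime' => 0,       // cookie lasts until the browser closes
        'path'     => '/',
        'domain'   => SESSION_COOKIE_DOMAIN,
        'secure'   => $https,  // false on plain HTTP, where the cookie travels in clear
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function mark_logged_in(string $user): void
{
    start_site_session();
    session_regenerate_id(true); // fresh ID at login; the pre-login ID stops working
    $_SESSION['login'] = $user;
}

function require_login(string $loginUrl = '/index.php'): void
{
    start_site_session();
    if (!isset($_SESSION['login'])) {
        // Location header plus exit ends the request before any page markup.
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }
}
```

The login page would call `mark_logged_in()` after checking the password, and each protected page would call `require_login()` as its first statement.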
in your php.ini file you show

session.save_path no value no value

you need to set the save path or the session does not get created

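An added diagnostic, not part of the thread: it reports the three things the replies above ask about (whether the browser returned the session cookie, whether the cookie domain covers the current host, and whether the session save directory is writable) plus a hit counter that only increases when the session persists. The file and function names are hypothetical.

```php
<?php
// Hypothetical throwaway page (e.g. session_check.php): load it twice in the
// same browser, compare the two outputs, then delete it from the server.

function effective_save_dir(): string
{
    $path = (string) ini_get('session.save_path');
    if ($path === '') {
        // The "files" handler uses the system temp dir when save_path is empty.
        return sys_get_temp_dir();
    }
    // save_path may be "N;/path" or "N;MODE;/path"; the directory is the last field.
    $parts = explode(';', $path);
    return end($parts);
}

function session_report(): array
{
    $name   = session_name();
    $dir    = effective_save_dir();
    $params = session_get_cookie_params();
    $host   = strtolower(explode(':', $_SERVER['HTTP_HOST'] ?? '')[0]);
    $domain = ltrim(strtolower($params['domain']), '.');
    $suffix = '.' . $domain;

    session_start();
    $_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;

    return [
        'host'                => $host,
        // Empty domain = host-only cookie: set on www.nocrs.net, it is not
        // sent back to nocrs.net, so the session appears lost there.
        'cookie_domain'       => $params['domain'] === '' ? '(host-only)' : $params['domain'],
        'domain_covers_host'  => $domain === '' || $host === $domain
            || substr($host, -strlen($suffix)) === $suffix,
        'browser_sent_cookie' => isset($_COOKIE[$name]),
        'save_dir'            => $dir,
        'save_dir_writable'   => is_dir($dir) && is_writable($dir),
        'hits'                => $_SESSION['hits'], // stuck at 1 = not persisting
    ];
}

header('Content-Type: text/plain');
foreach (session_report() as $key => $value) {
    echo str_pad($key, 22), var_export($value, true), "\n";
}
```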
I added the cookie command before the session_start, but this did not help.  I am still losing the session data.  Any other suggestions?
