BizLab Posted May 17, 2010

Hey, I'm launching a new site today, and I've been up since 2:30am so bear with me here guys. I've searched all over the internet and most of my findings point to the obvious session_start(); being forgotten... I WISH it were that easy

SYSTEM:
PHP 5.x
MySQL (ver unknown)
Plesk 8.x
Media Temple VPS

I have a login script that worked 100% on the local (win, apache) system. Upon successful login, the user is redirected to their homepage using the (header: ..... ) redirect. The session id remains intact after redirect, but any other session variables (assigned during login) are dropped -> and the session id remains active and unchanged (??).

Here is what I have:
- session_start() on every page
- The website uses a 301 redirect on all domains, so all point to the www.domain.com version of the site
- The session directory is writable (as far as I can tell by the new records showing up after logging in)
- The session vars are assigned as follows:

    $_SESSION['user_id'] = $row['user_id']; // from database query

I am using session_write_close() prior to the header call as follows:

    session_write_close(); // to close the session write process to avoid problems here
    header('Location: /users/accounts/index.php');

Problem: The session_id is persistent while session variables are not

PHP INI SETTINGS

    Directive                        Local Value             Master Value
    session.auto_start               Off                     Off
    session.bug_compat_42            Off                     Off
    session.bug_compat_warn          On                      On
    session.cache_expire             180                     180
    session.cache_limiter            nocache                 nocache
    session.cookie_domain            no value                no value
    session.cookie_httponly          Off                     Off
    session.cookie_lifetime          0                       0
    session.cookie_path              /                       /
    session.cookie_secure            Off                     Off
    session.entropy_file             no value                no value
    session.entropy_length           0                       0
    session.gc_divisor               1000                    1000
    session.gc_maxlifetime           1440                    1440
    session.gc_probability           1                       1
    session.hash_bits_per_character  5                       5
    session.hash_function            0                       0
    session.name                     PHPSESSID               PHPSESSID
    session.referer_check            no value                no value
    session.save_handler             files                   files
    session.save_path                /var/lib/php/session    /var/lib/php/session
    session.serialize_handler        php                     php
    session.use_cookies              On                      On
    session.use_only_cookies         Off                     Off
    session.use_trans_sid            0                       0

Any ideas to this would be helpful. THANKS!

bulrush Posted May 17, 2010

The session_start() must be on every page BEFORE any html and BEFORE any other php code. Like this:

    <?php
    session_start();
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Online Entry Main Menu</title>
    <link rel="stylesheet" type="text/css" href="style.css" />
    </head>
    <body>

BizLab (Author) Posted May 17, 2010

Yup, I have it there. The session start is not the issue here. I should mention that the site worked 100% on the local machine, no problems or errors at all. That's why I'm thinking it is server related....?? I don't know... Thanks!

PFMaBiSmAd Posted May 17, 2010

Add the following three lines of code immediately after your first opening <?php tag (move the session_start() down if it is on the line with the <?php tag so that it is after these lines of code) on both the page where you are setting the session variables and on the page where they are not persisting -

    ini_set("display_startup_errors", "1");
    ini_set("display_errors", "1");
    error_reporting(E_ALL);

BizLab (Author) Posted May 17, 2010

After the error reporting I received the following message:

    Notice: Undefined index: user_id in /var/www/vhosts/domain.com/httpdocs/folder/admin-sessvars.php on line 3
    Notice: Undefined index: username in /var/www/vhosts/domain.com/httpdocs/folder/admin-sessvars.php on line 4
    Notice: Undefined index: first_name in /var/www/vhosts/domain.com/httpdocs/folder/admin-sessvars.php on line 5
    Notice: Undefined index: last_name in /var/www/vhosts/domain.com/httpdocs/folder/admin-sessvars.php on line 6

basically stating that the $_SESSION['var'] 's I had tried to set were indeed, NULL. This is expected at this point. I'm totally clueless now

OH yea, Scripts are being run as FastCGI if that makes a difference

aeroswat Posted May 17, 2010

> After the error reporting I received the following message:
>
>     Notice: Undefined index: user_id in /var/www/vhosts/domain.com/httpdocs/folder/admin-sessvars.php on line 3
>     Notice: Undefined index: username in /var/www/vhosts/domain.com/httpdocs/folder/admin-sessvars.php on line 4
>     Notice: Undefined index: first_name in /var/www/vhosts/domain.com/httpdocs/folder/admin-sessvars.php on line 5
>     Notice: Undefined index: last_name in /var/www/vhosts/domain.com/httpdocs/folder/admin-sessvars.php on line 6
>
> basically stating that the $_SESSION['var'] 's I had tried to set were indeed, NULL. This is expected at this point. I'm totally clueless now
>
> OH yea, Scripts are being run as FastCGI if that makes a difference

Show us the session settings in the php ini configuration file that apply to sessions. That might help

BizLab (Author) Posted May 17, 2010

The PHP ini file shows the session_save_path as /var/lib/php/session but the error is only showing the line on the script that had an undefined session array index. I'm not sure I follow??

BizLab (Author) Posted May 17, 2010

I just logged into Putty and checked out the session folder. There are about 50 files in there, so the sessions (at least the id) are being written to the system..... Wait, the session id on the client (browser) side hasn't changed since I began testing. Does anyone know why all these files are here? ALSO, I don't see the session id for the IE8 test I just performed...

aeroswat Posted May 17, 2010

> The PHP ini file shows the session_save_path as /var/lib/php/session but the error is only showing the line on the script that had an undefined session array index. I'm not sure I follow??

Does the host not have any session cleanup? O_o

BizLab (Author) Posted May 17, 2010

Yea, it is set to 1000 (.01% chance of cleaning files) - I have to go in and change it to the common 100(1%). I don't know why it defaulted to such a high number

aeroswat Posted May 17, 2010

> Yea, it is set to 1000 (.01% chance of cleaning files) - I have to go in and change it to the common 100(1%). I don't know why it defaulted to such a high number

The last 2 things I can think of:
1) Are you saving to the default session path or are you setting a different path at runtime?
2) Is your query returning what you expect it to return? I.e. is your database set up exactly the same? You may want to echo the variables to ensure this is happening as expected

BizLab (Author) Posted May 17, 2010

The session variables are assigned as is (I don't know what the path is, lol). I assign them as

    $_SESSION['user_id'] = $row['user_id']; // during a query

But I'm not sure how to find out exactly where / what $_SESSION location they are going to. I assumed that they would go to the file set in the sessions php.ini..? Thanks for the help

kenrbnsn Posted May 17, 2010

Have you tried dumping out the $_SESSION array when each script starts:

    <?php
    session_start();
    // Show everything currently stored in the session
    echo '<pre>' . print_r($_SESSION,true) . '</pre>';
    ?>

This will tell you whether it's a problem with the $_SESSION array or not.

Ken

aeroswat Posted May 17, 2010

> The session variables are assigned as is (I don't know what the path is, lol). I assign them as
>
>     $_SESSION['user_id'] = $row['user_id']; // during a query
>
> But I'm not sure how to find out exactly where / what $_SESSION location they are going to. I assumed that they would go to the file set in the sessions php.ini..? Thanks for the help

Ya they will go to the default save path. Has it recently changed? Could it be that the host has recently screwed up the permissions on the session folder? But that couldn't be the case if it's keeping part of the session. Hmm. I'm out of ideas :/

BizLab (Author) Posted May 17, 2010

> Have you tried dumping out the $_SESSION array when each script starts:
>
>     <?php
>     session_start();
>     // Show everything currently stored in the session
>     echo '<pre>' . print_r($_SESSION,true) . '</pre>';
>     ?>
>
> This will tell you whether it's a problem with the $_SESSION array or not.
>
> Ken

Ok Ken, after running the array print the result was:

    Array ( ) [an empty session variable]

Here are my own little variables displayed all nice and empty:

    SESSION ID - 6jki3uqch1m6siur41ve06p6q6 || SESSION USER ID - (xxx blank xxx) || COOKIE USER ID - (xxx blank xxx)

NOW HERE IS THE "KICKER"

I also took out the re-direct and if I stay on the login page after logging in, the user is successfully "active" or logged in, but if I go to their homepage, the variables are empty as displayed above, BUT upon navigating back to the login page, ALL variables are active.

The process:
- login -> variables OK
- navigate (in any manner) to another page -> NO variables are present
- navigate back to the login page -> all variables are once again OK and active

I believe this happens with or without the header redirect

BizLab (Author) Posted May 17, 2010

> > The session variables are assigned as is (I don't know what the path is, lol). I assign them as
> >
> >     $_SESSION['user_id'] = $row['user_id']; // during a query
> >
> > But I'm not sure how to find out exactly where / what $_SESSION location they are going to. I assumed that they would go to the file set in the sessions php.ini..? Thanks for the help
>
> Ya they will go to the default save path. Has it recently changed? Could it be that the host has recently screwed up the permissions on the session folder? But that couldn't be the case if it's keeping part of the session. Hmm. I'm out of ideas :/

That's just the thing... Why would the session variables be active on the login page and work perfectly, but not on any other pages? AND if you come back to the login page (after logging in) the variables remain. I'm out of ideas too man, that's why I came here - I hate wasting other developers' time with my probs but this one has me stuck

PFMaBiSmAd Posted May 17, 2010

Despite your statement that you are redirecting non-www to www addresses, you are clearly switching between URLs that have and don't have the www. on them. Unless you set the session cookie domain setting so that it matches all variations of your domain, it will only match the one where the session was created.

BizLab (Author) Posted May 17, 2010

> Despite your statement that you are redirecting non-www to www addresses, you are clearly switching between URLs that have and don't have the www. on them. Unless you set the session cookie domain setting so that it matches all variations of your domain, it will only match the one where the session was created.

Is this what you mean ->

    setcookie('user_id', $row['user_id'], time() + 60 * 60 * 24 * 30, '/', '.domain.com');

I haven't noticed an effect.. I'm gonna keep trying things, but I'm full out of ideas

PFMaBiSmAd Posted May 17, 2010

Except you don't use the setcookie() function with the session id cookie. Because you can come back to the login page and the session still exists, this is clearly a problem with the session id matching the URL being requested. I hope you are not switching between http and https ?

BizLab (Author) Posted May 17, 2010

> Except you don't use the setcookie() function with the session id cookie. Because you can come back to the login page and the session still exists, this is clearly a problem with the session id matching the URL being requested. I hope you are not switching between http and https ?

Actually, that's exactly what I am doing, lol. SSL login and Non-SSL everything else ... how can I work with that?

BizLab (Author) Posted May 17, 2010

OK, I did another test in a section of the site that is all SSL, and I am still unable to login correctly. I'm having no luck at all today!

PFMaBiSmAd Posted May 17, 2010

Browsers do NOT pass the session id cookie back and forth (either direction) between HTTP and HTTPS protocols because it is INSECURE to do so. If you have something important enough that you are starting a session using a HTTPS connection, you must continue using a HTTPS connection to access that same session data.

BizLab (Author) Posted May 17, 2010

> Browsers do NOT pass the session id cookie back and forth (either direction) between HTTP and HTTPS protocols because it is INSECURE to do so. If you have something important enough that you are starting a session using a HTTPS connection, you must continue using a HTTPS connection to access that same session data.

The issue remains even when I use a section of the site (admin) that is 100% SSL from login to logout... the browser still did not recognize anything, just as with the https to http

I have a workaround right now that I am trying to hack together here that just passes the session id through a get request to allow the data to be passed back out of https. Honestly, the site needs to WORK for now and I can tidy it back up when I don't have visitors coming in for a 1st impression.

So I still can't figure out why the SSL to SSL also doesn't work??

jdavidbakr Posted May 17, 2010

What is the path for the session cookie? Are you getting multiple session cookies in your browser? You're not changing domains, are you?

I had something similar to that happen where I set the session in a subdirectory, i.e. http://www.example.com/login/index.php and then redirected to http://www.example.com/ - and the session cookie's path was the /login subdirectory, not allowing access from the root directory. If you're doing something like that you may need to explicitly set the session's path to the root directory (not sure offhand what it was but it was an argument to the session_start() command)

[edit] Sorry, didn't see the rest of the conversation, just saw page 1..

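The matching rules the replies above refer to (cookie domain, cookie path and the Secure flag), written out as an added example that is not code from any poster. The example.com hosts and the cookie attribute sets are constructed, and the function is a simplified model of browser behaviour, not a full RFC 6265 implementation.

```php
<?php
// Added example, not code from the thread. Hosts and URLs are constructed.

// Would a browser attach a cookie with these attributes to a request for $url?
// $cookie uses the keys of session_get_cookie_params(): domain, path, secure.
// $setByHost is the host that issued the cookie (matters when domain is empty).
function cookie_is_sent(array $cookie, $setByHost, $url)
{
    $u    = parse_url($url);
    $host = strtolower($u['host']);
    $path = isset($u['path']) ? $u['path'] : '/';

    // A Secure cookie is only returned over HTTPS.
    if (!empty($cookie['secure']) && $u['scheme'] !== 'https') {
        return 'no: Secure cookie, plain-HTTP request';
    }
    // Empty domain means host-only: the request host must equal the issuing host.
    $domain = strtolower(ltrim($cookie['domain'], '.'));
    if ($domain === '') {
        if ($host !== strtolower($setByHost)) {
            return 'no: host-only cookie issued by ' . $setByHost;
        }
    } elseif ($host !== $domain && substr($host, -strlen($domain) - 1) !== '.' . $domain) {
        return 'no: host is outside cookie domain ' . $domain;
    }
    // The cookie path must be a prefix of the request path on a "/" boundary.
    $cpath = rtrim($cookie['path'], '/');
    if ($cpath !== '' && $path !== $cpath && strpos($path, $cpath . '/') !== 0) {
        return 'no: request path is outside ' . $cookie['path'];
    }
    return 'yes';
}

// Constructed cases: cookie attributes, issuing host, next request.
$hostOnly = array('domain' => '', 'path' => '/', 'secure' => false);
$cases = array(
    array($hostOnly, 'www.example.com', 'http://example.com/users/accounts/index.php'),
    array(array('domain' => '.example.com', 'path' => '/', 'secure' => false),
          'www.example.com', 'http://example.com/users/accounts/index.php'),
    array(array('domain' => '', 'path' => '/login', 'secure' => false),
          'www.example.com', 'http://www.example.com/'),
    array(array('domain' => '', 'path' => '/', 'secure' => true),
          'www.example.com', 'http://www.example.com/users/accounts/index.php'),
    array($hostOnly, 'www.example.com', 'http://www.example.com/users/accounts/index.php'),
);
foreach ($cases as $c) {
    echo $c[2], ' => ', cookie_is_sent($c[0], $c[1], $c[2]), "\n";
}
```
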
BizLab (Author) Posted May 17, 2010

> What is the path for the session cookie? Are you getting multiple session cookies in your browser? You're not changing domains, are you?
>
> I had something similar to that happen where I set the session in a subdirectory, i.e. http://www.example.com/login/index.php and then redirected to http://www.example.com/ - and the session cookie's path was the /login subdirectory, not allowing access from the root directory. If you're doing something like that you may need to explicitly set the session's path to the root directory (not sure offhand what it was but it was an argument to the session_start() command)
>
> [edit] Sorry, didn't see the rest of the conversation, just saw page 1..

I will look into that. For now (I've had over 100 web hits today and the site went live at 5am - lol) I just removed the problematic SSL and disabled the links to the sensitive areas of the site. Trying to login in https and redirect to http ruined the flow! I know there are many sites out there that do this though, so let's see if we can make a php solution for this - one NOT involving putting your session ids in GET requests for everyone to mess with - lol

I would really like to know how to manipulate SSL login and redirects though. Does anyone know? :'(

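One way to set up the session so that the login page and every later page share a single cookie, as an added example that is not code from the thread. It assumes the whole site is served over HTTPS on one canonical host (CANONICAL_HOST is a placeholder), that TLS terminates at the web server so $_SERVER['HTTPS'] is set, and that $row is the user record returned by the login query.

```php
<?php
// Added example, not code from the thread. CANONICAL_HOST is a placeholder.
define('CANONICAL_HOST', 'www.example.com');

// Call first on every page, before any output is sent.
function start_site_session()
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $host  = isset($_SERVER['HTTP_HOST']) ? strtolower($_SERVER['HTTP_HOST']) : '';

    // One scheme and one host for the whole site, so the session cookie
    // issued at login matches every later request.
    if (!$https || $host !== CANONICAL_HOST) {
        header('Location: https://' . CANONICAL_HOST . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }

    // The thread's phpinfo shows these weaker values:
    //   session.use_only_cookies Off, session.cookie_secure Off,
    //   session.cookie_httponly Off
    ini_set('session.use_only_cookies', '1'); // ignore session ids passed in URLs
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the id

    // lifetime 0 (until the browser closes), path "/", host-only domain,
    // Secure (HTTPS only), HttpOnly (not readable from page scripts)
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
}

// Call once the submitted credentials have been verified against the database.
function complete_login(array $row)
{
    // Issue a fresh session id at the moment of login and delete the old
    // session file, so an id seen before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $row['user_id'];

    // Flush the session data to disk before redirecting.
    session_write_close();
    header('Location: https://' . CANONICAL_HOST . '/users/accounts/index.php', true, 303);
    exit;
}
```
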