php sessions problem (2 or more applications/domains on 1 server)

[bgrzinic]

Hello,

 

I'm not an php expert. I'm working on some php application and need help regarding php sessions or possibly something else.

 

description application 1:

On the apache server I have 1 php application/domain hosted in vhosts environment. Application has some protected  pages and bulit in authentication logic, asks for username and password, retrives from mysql ans stores data into sessions. Application is hosted as virtual dir, it has its own domain1.com - This application is working fine, everything is ok.

 

 

application2:

On the same aoache/php server, as a vhost is hosted 2nd application, it has it's own domain2.com. It has the same builtin logic, but I expirience some wierd problems with sessions.

Sessions values are lost once I call header("location: some_page.php"); , or if I refresh the same page - so for example once user logs in, if page is refreshed, session value user_id is lost and user is logged out.

 

On every page, i 1st call the same sec_session_start() function, the same i use in Apllication1 which is working fine, but only with altered $session_name = 'sms_sess_sid' variable:

 

function sec_session_start() {
        $session_name = 'sms_sess_sid'; // Set a custom session name
        $secure = false; // Set to true if using https.
        $httponly = true; // This stops javascript being able to access the session id.
 
        ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
        $cookieParams = session_get_cookie_params(); // Gets current cookies params.
        //session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
        session_set_cookie_params(3600, $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
        session_name($session_name); // Sets the session name to the one set above.
        session_start(); // Start the php session
        //session_regenerate_id(true); // regenerated the session, delete the old one.     
        session_regenerate_id(); // regenerated the session, delete the old one.   
    
}

 

On the start of every other page i call sec_session_start() like this:

 

    require_once('functions.php');   
    sec_session_start();

.

 

In vhost.conf of second application i have added the line:

php_value session.cookie_domain ".example-domain2.com"

 

 

Problem: The problem is that in application2, on page refresh, or when navigating between pages, sessions and session_values are lost.

Why is this happening ? Is there something that has to be configured specificly for multi application/domains/vhosts environment. What am I missing here ?

 

Thank You in advanced.

 

 

[mac_gyver]

the symptom of any "refresh, redirect, or navigation" loosing the logged in state most likely means that sessions aren't working at all. the code on your page may indicate a successful login, but that only means the code on that page authenticated the user, not that the session was created.

 

do you have php's error_reporting set to E_ALL and display_errors set to ON or log_errors set to ON so that you would be seeing/logging any session related errors?

 

have you checked in the browser if the session id cookie is being set and does it have the expected settings? have you checked if a session data file that matches the session id cookie is actually being created? have you checked if the data stored in the session data file is what you expect (you may have a logic error or something like php's register_globals combined with a user_id cookie that is causing the session data to be overwritten)?

[bgrzinic]

Thank You on reply.

 

I have set error_reporting to E_ALL and log_errors set to ON,

 here is my php_error.log after restart of apache and navigatin through application:

 

[14-Jul-2013 18:43:18] PHP Warning:  session_destroy() [<a href='function.session-destroy'>function.session-destroy</a>]: Trying to destroy uninitialized session in /var/sms/404.php on line 11
[14-Jul-2013 18:43:18] PHP Warning:  session_destroy() [<a href='function.session-destroy'>function.session-destroy</a>]: Trying to destroy uninitialized session in /var/sms/404.php on line 11
[14-Jul-2013 18:43:18] PHP Warning:  session_destroy() [<a href='function.session-destroy'>function.session-destroy</a>]: Trying to destroy uninitialized session in /var/sms/404.php on line 11
[14-Jul-2013 18:43:18] PHP Warning:  session_destroy() [<a href='function.session-destroy'>function.session-destroy</a>]: Trying to destroy uninitialized session in /var/sms/404.php on line 11
[14-Jul-2013 18:43:20] PHP Warning:  setcookie() expects at least 1 parameter, 0 given in /var/sms/index.php on line 18
[14-Jul-2013 18:43:20] PHP Warning:  session_destroy() [<a href='function.session-destroy'>function.session-destroy</a>]: Trying to destroy uninitialized session in /var/sms/index.php on line 20

 

 

 

Here are the lines from file that are listed in php_error.log:

 

index.php:

<?php
    //Start session
    //session_start();
    require_once('functions.php');
    sec_session_start();

    if(isset($_SESSION['SESS_STATUS'])) {$status = $_SESSION['SESS_STATUS'];}
    if(isset($_SESSION['SESS_GRESKA'])) {$greska = $_SESSION['SESS_GRESKA'];}
    if(isset($_SESSION['SESS_GSM_BROJ'])) {$gsm_broj = $_SESSION['SESS_GSM_BROJ'];}
    if(isset($_SESSION['SESS_VRIJEME_SLANJA'])) {$vrijeme_slanja = $_SESSION['SESS_VRIJEME_SLANJA'];}
    if(isset($_SESSION['SESS_PORUKA'])) {$poruka = $_SESSION['SESS_PORUKA'];}
    if(isset($_SESSION['SESS_PORUKA_ZAPRIMLJENA'])) {$zaprimljena = $_SESSION['SESS_PORUKA_ZAPRIMLJENA'];}
    
    //Unset the variables stored in session  
    $_SESSION = array();    
    session_unset();
    session_write_close();
    setcookie();
    setcookie(session_name(),'',0,'/');
    session_destroy();                                        /* line 20 */
    session_regenerate_id(true);    
    require_once('globalne_variable.php');    
    header('Content-type: text/html; charset=utf-8; Content-language:hr;');
    
?>

 

and 404.php

<?php
        //Start session
    //session_start();
    require_once('functions.php');
    sec_session_start();
    
    //Unset the variables stored in session  
    $_SESSION = array();    
    session_unset();    
    session_write_close();
    session_destroy();                                   /* line 11 */
    setcookie(session_name(),'',0,'/');        
    session_regenerate_id(true);    
    require_once('globalne_variable.php');    
    header('Content-type: text/html; charset=utf-8; Content-language: hr;');
    
?>

 

Index.php is also the login page, but I am not sure why is 404. php listed in error log since i haven called that page.

 

Also I have checked in the browser, cookie with domain of application and name "sms_sess_sid" is created - it has settings defined with  session_set_cookie_params in sec_session_start().

 

Do You have any new suggestions, clues ?

 

Thanks on help.

[bgrzinic]

What confused me is that I noticed that on some page -> admin.php if i hit refresh no meter how many times, the session values are preserved, i can echo their values and it doesn't logout user.

On the other hand, on page "profile.php" located in the same folder as admin.php, if i hit refresh I cannot echo session variable and user is logged out.

 

Since those 2 pages are almost the same , I commented php code in profile.php and everything mysteriously worked fine.

 

After deleting php code, the problem was the same.

So, then i commented html and css code (just a few <div> elements) which had left in page, and everything works fine - i can echo session values.

 

1. I didn't know that this can effect php sessions. Can really html and css style affect php and php_sessions ?

Now, i don't want to consume anyone time with nonsenses, I think this shouldn't affect php code, but yet it does.

 

2.Does anyone knows whats is going own, why few simple html/css elements interfere with php and point me on things I'm obviously missing and don't know ?

 

Thanks.

[kicken]

Best guess would be that something in that HTML is requesting a file (an <img> tag perhaps) which does not exist. That causes apache to run your 404.php page which you have setup to destroy the session. A simple 404 error should not be destroying the session, just print a not found message and leave the session alone.

[bgrzinic]

I would say that Your probably right. I have the img tag that points to non existant image. Also on 404 page is copy/pasted code from my index page that destroys session.

Thank You very much for pointing me this out.

 

Thank You guys and cheers.

[mac_gyver]

the errors in post #3 are because there is no session to destroy after you execute a session_write_close().

 

rather than just listing a bunch of session related functions in your code, you actually need to define what you want to accomplish and write just the code that does what you have defined you want to do. many of the statements you put into your code don't have anything to do with clearing session variales.