Session is dropped after redirect?

[greenace92]

I'm not sure why this is happening, I force an https redirect in apache could that be it?

After assigning the $hex var to $_SESSION['user'] and echoing, I see that there is a session, however when redirecting to a new page the session is dropped.

 

I have tested outside of this script/page, and sessions aren't dropped in redirecting, so I must be missing something on this page.

 

I'd appreciate any help.

 

https://www.cunninghamwebdd.com/brian-music/bad-index.html

 

I edited the $user that's missing at the top where I set $user to $_SESSION['user'];

This is for if someone's already logged in, they are redirected to the home page or whatever.

Edited February 28, 2016 by greenace92

[Jacques1]

Your session cookie is created for the domain www.cunninghamwebdd.com, but you're redirecting to cunninghamwebdd.com. Those are, in fact, two different domains. While the subdomain can theoretically create a cookie which is valid for the superdomain as well (but not the other way round), I strongly recommend you pick a single canonical domain (preferrably www.cunninghamwebdd.com) and use that exclusively. Configure your webserver to redirect all other domains to the canonical one. This will save you a lot of trouble now and in the future.

[greenace92]

Wow thanks a lot, I will do that.

 

Let me see if this works, should.

[greenace92]

Your session cookie is created for the domain www.cunninghamwebdd.com, but you're redirecting to cunninghamwebdd.com. Those are, in fact, two different domains. While the subdomain can theoretically create a cookie which is valid for the superdomain as well (but not the other way round), I strongly recommend you pick a single canonical domain (preferrably www.cunninghamwebdd.com) and use that exclusively. Configure your webserver to redirect all other domains to the canonical one. This will save you a lot of trouble now and in the future.

 

Is this a php/apache setting? I'm in the domain without www, but you say the session cookie is created for www. Is that a default thing? I will just use the www one then, it just seems cleaner to not use www.

[greenace92]

I fixed the redirect to use www, this is part of my apache configuration, I don't know why it is still not working.

I did restart/reload the server.

<VirtualHost *:80>
ServerName www.cunninghamwebdd.com
ServerAlias cunninghamwebdd.com http://www.cunninghamwebdd.com
DocumentRoot /var/www/html
Redirect "/" "https://www.cunninghamwebdd.com/"


# CustomLog /directory log file location not enabled
# ErrorLog /directory log not enabled
</VirtualHost>


<VirtualHost *:443>
ServerName https://www.cunninghamwebdd.com
DocumentRoot /var/www/html
# CustomLog
# ErrorLog
<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/cunninghamwebdd_com.crt
SSLCertificateKeyFile /etc/ssl/certs/cunninghamwebdd_com.key
SSLCACertificateFile /etc/ssl/certs/cunninghamwebdd_com.ca-bundle.crt
SSLProtocol All -SSLv2 -SSLv3 +TLSv1 +TLSv1.1
</IfModule>
</VirtualHost>


<VirtualHost *:443>
ServerName https://cunninghamwebdd.com
DocumentRoot /var/www/html/
Redirect "/" "https://www.cunninghamwebdd.com/"
# CustomLog
# ErrorLog
<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/cunninghamwebdd_com.crt
SSLCertificateKeyFile /etc/ssl/certs/cunninghamwebdd_com.key
SSLCACertificateFile /etc/ssl/certs/cunninghamwebdd_com.ca-bundle.crt
SSLProtocol All -SSLv2 -SSLv3 +TLSv1 +TLSv1.1
</IfModule>
</VirtualHost>

[Jacques1]

You're also terminating the session with session_destroy() and then try to write data to it. This of course makes no sense. Get rid of the statement. I guess what you actually want is session_regenerate_id(true).

[greenace92]

That was it! Thank you for the help as always.