sess_start() makes session variables vanish.

[ajoo]

Hi all !

 

I have an index file which begins as 

<?php
error_reporting(E_ALL);
define('INCLUDE_CHECK',true);
require_once 'fran_load.php';

session_start();                // works fine with session_start()

//sess_start();                 // was working fine earlier but is now problematic 

header("Content-Security-Policy-Report-Only: default-src 'self' img-src 'self' data: https://www.google.com/ https://ajax.googleapis.com/ https://www.gstatic.com/ http://localhost/xampp/franchisee/; report-uri http://localhost/xampp/franchisee/reports/reportcspviolation.php"); 

// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqliDriver = new mysqli_driver();
$mysqliDriver->report_mode = MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT;	

$timezone = "Asia/Calcutta";
if(function_exists('date_default_timezone_set')) date_default_timezone_set($timezone);
// set_exception_handler('exception_handler'); 

.
.
.

and an email activation request page.verifymail.php which begins as 

<?php
error_reporting(E_ALL);
session_start();
header("Content-Security-Policy-Report-Only content=default-src 'self' https://www.google.com/recaptcha/  https://ajax.googleapis.com/ajax/libs/jquery/1.3.2/");
define('INCLUDE_CHECK',true);

require_once 'fran_load.php';
/*
	echo "<pre>";
		echo $_SESSION['user_token'];
	echo "</pre>";
	exit();
*/

$message = '';
$terminate = false;
.
.
.

sess_start() is 

function sess_start()
{
        $session_name = 'sec_session_id'; // Set a custom session name
        $secure = false; // Set to true if using https.
        $httponly = true; // This stops javascript being able to access the session id.
        ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
        $cookieParams = session_get_cookie_params(); // Gets current cookies params.
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);   //   0, /, ''.
        session_name($session_name); // Sets the session name to the one set above.
        session_start(); // Start the php session
}

Earlier all seemed to work well, but suddenly there is an issue.  On submitting the form with 

action = "verifymail.php"

which sends from the index.php to verifymail.php, i find that the $_SESSION variable is blank, thereby not maintaining the session on that page.  

 

I am setting some session variables in the form before it is submitted.

 

I commented out sess_start() on index.php  and simply used session_start() and all seems to work fine. I would like to use sess_start, since I am setting the cookie timeout and other values therein, if I can.

 

Please can someone suggest why this is happening and how it can be overcome to use sess_start().

 

Thanks all. 

 

 

[mac_gyver]

and an email activation request page.verifymail.php which begins as 

 

 

did verifymail.php ever have a sess_start(); call in it?

 

all your files must be doing the same thing for the session to match up. it's likely that this was initially working because you already had an existing session, using session_start(), that matched up between the files. when you added sess_start() to just the index.php page, that created a new session with a second name, alongside the existing session, and so your verifymail.php had session data. once you finally closed your browser and started over, index,php was using the sess_start() settings, verifymail.php was using the session_start() settings, and there was no matching session data for verifymail.php to use.

 

most of the code you have shown at the top of index.php is common logic that ALL your pages should use. why don't you have them in a file and require it into each page (Don't Repeat Yourself - DRY) or better yet, if you are at the point of wanting to set up custom session settings, why aren't you using a single file, index.php, to implement your entire site? having a single index.php file site would eliminate the need to even pass data in session variables and would eliminate all the repetitive code and html you are trying to write, test, and maintain.

Edited December 19, 2016 by mac_gyver

[Jacques1]

Scripts shouldn't mess with the PHP configuration at all. When you have custom settings, create a .user.ini file for your application (or whatever your webserver accepts).

 

Overriding settings at runtime is not only notorious for creating incompatibilities like the ones you have. It also makes it very difficult to pinpoint the actual configuration; I can't just look at the .ini settings, because anything might be overridden somewhere deep inside the code.

[ajoo]

Hi mac_gyver and Guru Jacques and thanks for your replies !

 

@ Mac_gyver

 

 

did verifymail.php ever have a sess_start(); call in it?

 

That itself nailed it.

 

For reasons unknown to me,  i was using session_start in verifymail.php. I changed that to sess_start() and things are back to normal. The idea of putting the same initializing code into a file by itself is great. I'll use it. While I have heard of single page websites, I don't know how to implement one. I'll keep in mind to check it soon. A link to a nice tutorial on that would be great !

 

 

@Guru Jacques !

I am not really sure about the custom ini settings thingy you mention. I'll look up some user.ini examples to understand that a bit further. I think this was just a bit of an oversight. I don't think my code is making changes to any ini settings, so hopefully none would be overwritten. I would be glad if you can elaborate this a bit more and possibly with a small example. 

 

Confused deputy would suit me better !     

 

Thanks loads to you both !

Edited December 21, 2016 by ajoo

[Jacques1]

I don't think my code is making changes to any ini settings

 

The session behavior is normally determined by the PHP configuration, but you're changing those settings at runtime. You're overriding the default session name, cookie parameters etc. The fourth line of your function even says ini_set(...).

 

When each script has its own runtime configuration, there's a big risk of incompatible behavior, which is exactly what happened. You may hope that you've fixed it now, but how can you be sure? You'd have to scan your entire project for uses of session_start() vs. sess_start(). Maybe there's even a third variant.

 

A much cleaner solution is to not override the settings on a per-script basis. If you want different parameters, create an application-specific ini file and use that to define your session behavior.

[ajoo]

Thanks Guru Jacques, 

 

That really makes it so much clearer !!  hmm , yes I will have to scan the project for these, at least once, and find them,  

 

I will do that and revert in case I run into some issue regarding these.

 

Thanks loads and a Merry Christmas to you and all on the forum !

[ajoo]

HI all ! 

 

Ok so before the new year here are some real noob questions maybe after reading the replies of Mac_gyver and Guru Jacques. 

 

1. Instead of making changes to the ini variables like 

error_reporting(E_ALL); 

in the index file or changing the variables - that will be used to set some of the ini properties - 

$secure = false; // Set to true if using https.
$httponly = true;
 

would it not have been better for me to make two ini files for dev. and prod. and switch between the two , since now I will have to remove, at least, all of 

error_reporting(E_ALL); 

for the production environment?

 

2. Is there a better way to manage these if not in the ini files ? Like for e.g, Would it be recommended to use some defines to evaluate code for production and development and place these ini variables inside of those blocks for their selective execution.  Something like.

define('PROD', 1);

if(PROD === 1) error_reporting('E_ALL'); 

3. Coming back to the custom php.ini files,  I just create a php.ini in a text editor and define these variables in there and they would come into effect ? like this :

 

custom php.ini

error_reporting : on
display_errors: off

session.name: sec_sess_id
httponly: on
secure: off

4. And where should I place this php.ini file which would be local to the project? in the root - or outside the root? 

 

Thanks loads  & a Happy new year to all !!

[Jacques1]

It's definitely better to use .ini files than clutter your code with runtime settings. The error_reporting() call doesn't even work for all errors, because they may happen before the script is run (syntax issues, internal PHP problems etc.).

 

The manual explains where exactly .ini files must be placed. Global settings can be done in the system-wide php.ini (which may already exist; check phpinfo() for the path). Application-specific settings should be done in the webserver configuration for the virtual host or in the top-level directory of the application (e. g. a .htaccess file for Apache).

[ajoo]

Thanks for clarifying those nagging doubts, Guru Jacques.  Happy New year !