Jump to content

Session not working with session_set_cookie_params and session_regenerate_id


perky416

Recommended Posts

Hi Guys,

 

I have a simple user login form that creates a session. It works perfectly however I am trying to make the session more secure by using session_set_cookie_params and session_regenerate_id.

 

The code I am using is as follows:

 

session_set_cookie_params(time()+3600,'/','example.com',false,true);
session_start();
session_regenerate_id(true);


if ($_POST['submit']){


//form validation and error handling go here but removed for the purpose of this post


if (empty($error)){
$_SESSION['username'] = $_POST['username'];
echo "<script type='text/javascript'>document.location.href='members.php';</script>";
}
}

 

With the session_set_cookie_params and session_regenerate_id the session is just does not appear to get created.

 

Does anybody have any idea as to why this isnt working?

 

Thanks

 

Link to comment
Share on other sites

Several things:

  • Don't override all parameters, only the ones you're actually interested in. The others should be left alone (i. e. set to the default values).
  • Changing the parameters at runtime is generally a bad idea, especially when you're doing it in individual scripts. This can easily lead to conflicting settings. Instead, set the parameters in the php.ini to make sure they're the same everywhere.
  • A lot of PHP function calls must be checked for errors. You can't just assume that session_start() or session_renegerate_id() always succeeds.
  • Learn basic debugging skills like inspecting the cookies and HTTP messages with the developer tools of your browser. Then you can tell us more than "it doesn't work".
Link to comment
Share on other sites

I tried several things. Initially i had my script set up to redirect me to the home page if a user tries to access the members area without logging in. As soon as i added session_set_cookie_params and session_regenerate_id the script it was continually returning me to the home page. I then removed the redirect and echoed $_SESSION['username'] whiched displayed the value ok but stopped displaying it with session_set_cookie_params and session_regenerate_id. Thinking it may be some conflict with the login form i created a $_SESSION['test'] as soon as the page loads and again this displayed the value ok but with session_set_cookie_params and session_regenerate_id nothing.

Link to comment
Share on other sites

This is the code that echos the $_SESSION['username'] without the session_set_cookie_params and session_regenerate_id, but with these lines added it keeps re-directing me to my home page. Remove the re-direct and it still takes me to the members area but does not echo anything:

session_set_cookie_params(time()+3600,'/','example.com',false,true);
session_start();
session_regenerate_id(true);


include('connect.php');
$error = array();


//validate login form
if ($_POST['submit']){
!$_POST['username'] ? $error['error'] = "<div class='error'>Enter a username & password!</div>" : "";
!$_POST['password'] ? $error['error'] = "<div class='error'>Enter a username & password!</div>" : "";


$sql = "SELECT * FROM users WHERE username = '$_POST[username]'";
$query = mysqli_query($conn, $sql);
$row = mysqli_fetch_assoc($query);


if ($_POST['username'] && $_POST['password']){
$_POST['username'] != $row['username'] || md5($_POST['password']) != $row['password'] ? $error['error'] = "<div class='error'>Username or password incorrect!</div>" : "";
}


$error = array_filter($error);
if (empty($error)){
$_SESSION['username'] = $_POST['username'];
echo "<script type='text/javascript'>document.location.href='members.php';</script>";
}
}


//if logged in re-direct to members area, otherwise re-riect to home page
if (!isset($_SESSION['username']) && basename($_SERVER["SCRIPT_FILENAME"]) != "index.php"){
echo "<script type='text/javascript'>document.location.href='http://www.example.com';</script>";
}


echo $_SESSION['username'];

Using the following I am getting no errors:

 

In script:

error_reporting(E_ALL);
ini_set('display_errors', 1);

In php.ini:

display_errors = On

 

 

 

Did you read anything of what I just said?

 

Yes I read ALL of it.

Link to comment
Share on other sites

Yes I read ALL of it.

 

Then how am I supposed to interpret the fact that you're coming back with the exact same code after I've just pointed out the mistakes?

 

Actually, forget about session security. You have an entire zoo of vulnerabilities ranging from SQL injections to completely unprotected user passwords. If that application is anywhere on the Internet, now is the time to shut it down, tell your users that their passwords need to be changed immediately, check the server for signs of attacks (or event better: nuke it from orbit) and don't even think about putting it back online until you have a solid understanding of security.

 

Something like this:

$sql = "SELECT * FROM users WHERE username = '$_POST[username]'";

is just unacceptable.

Link to comment
Share on other sites

What mistakes are you referring to? Your post seems more like advice rather than actually pointing out errors in the code?

 

The script is still in development...it is no where near finished yet...the question in point was about session security...this is why i left out the irrelevant code in the first post.

Link to comment
Share on other sites

What mistakes are you referring to?

 

I'm not going to repeat myself. You can either solve the problem or spend the rest of the day trying to debug code that shouldn't be there in the first place. That's up to you.

 

 

 

The script is still in development...it is no where near finished yet...the question in point was about session security...this is why i left out the irrelevant code in the first post.

 

The code is much more important than your tiny session problem. Given the fundamental security problems and the obvious lack of a security concept, you definitely have better things to do than fine-tune the session cookie parameters.

Link to comment
Share on other sites

Don't override all parameters, only the ones you're actually interested in.

 

 

Mistake? What if I am interested in all of them?

 

 

 

Changing the parameters at runtime is generally a bad idea

 

Mistake? Sounds more like advice to me.

 

 

 

A lot of PHP function calls must be checked for errors.

 

Mistake? Nope...more advice.

 

 

 

Learn basic debugging skills

 

Mistake? Again....advice.

 

 

The code is much more important than your tiny session problem. Given the fundamental security problems and the obvious lack of a security concept, you definitely have better things to do than fine-tune the session cookie parameters.

 

Like I said...not finished. How do you know im not going to resolve the security problems? How do you know I didn't throw together the code for test purposes? You know absolutely nothing about what I am doing with my application. All you know is I had an issue with what I was trying to achieve with the sessions. The rest of the code is irrelevant for the sake of this thread.

 

You gave me some "advice" about coding...how about I give you some advice on human decency...when somebody comes asking for help how about you actually help them instead of displaying overwhelming arrogance?

 

Problem solved by the way....thanks for not helping me.

 

Dont worry I wont be back...this clearly isnt the place for people to get help with problems. Its seems like just another forum where the geek with a few thousand posts thinks hes gods gift.

Link to comment
Share on other sites

How do you know im not going to resolve the security problems?

 

Because you don't understand problem solving at even the most fundamental level.

 

Your idea of "problems" and how to solve them is that you encounter a symptom, go to an online forum, get people to make a few changes here and there until the symptom goes away, and that's the "solution". As long as everybody tells you what you want to hear, you're happy, otherwise they're evil, unhelpful nerds.

 

This is amazingly naive for somebody who has spent quite a lot of time writing code, even if we assume that you have literally done nothing during the years you weren't here. Programming is about seeing the bigger picture, prioritizing problems and solving them systematically. When the whole approach is bullshit, the solution is not to shuffle lines around until some symptom goes away. It's to take a different approach, at which point the symptom is simply irrelevant.

 

What you get here is the chance to stop playing around and finally start programming. Writing a simple web application isn't exactly rocket science. Many users before you have done it, and many users after you will do it. But if you cannot or don't want to learn, there's indeed not much we can do for you.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.