PHP Session no longer working in javascript file

[fastsol]

I've got a weird one here.  Last night everything was working fine that I know of.  This morning my hosted dedicated server will no longer hold session data in a javascript file.  Meaning I have a couple javascript files that are .php extensions and inside them it has session_start() at the very top and then it sets the content type accordingly to a js file.  I have a couple things in there that output js code based on session data from php.  Up until last night this method has been working for a couple of years without any issue.  Get up this morning and none of it works.

 

I've gone over the whm changelog but the last update was 5 days ago, not last night.  I've checked any settings I could think of in the whm but nothing has fixed the issue.  Server is running php 5.6.  I run 7.1 on my local machine and all sites are working fine locally.  I've verified that the files on the web host are exactly the same as my local files.  The part that makes me sure it's a server issue is that it's not working for domains that I haven't touched in a while.

 

It's also not working when using jquery ajax requests even when I'm sending to a php file.  So the php file I'm sending to is also not keeping the session data.  Again these are files I have not touched in a while.  I don't understand what could have gone wrong.

[requinix]

Make sure your session ID isn't changing. Otherwise it sounds like the session files are being lost or ignored. Can you figure out where the files are being stored and check them in code to see they're not empty or something?

 

Naturally things don't just break randomly - something happened somewhere.

[fastsol]

I can echo the session_id() from the javascript file and it's the same as the cookie in the developer console, even after refreshing the page a few times.

 

I can echo the session vars right up to the <script> call, so it's not being lost down the page.  Doing a dump on the session in the javascript file returns an empty array.

[kicken]

Are you using standard sessions files or are you using a custom handler like database-based sessions? If custom, are you handling locking properly?

[fastsol]

Nope, just standard file based.

[fastsol]

Here is a basic test code that I can't even make work.

php page:

<?php
/**
 * Created by PhpStorm.
 */

session_start();

$_SESSION['loc_settings'] = 'something';

?>
<!DOCTYPE HTML>
<html lang="en">
<head></head>
	<body>
		<div id="location-root-map">Map goes here</div>
<script src="/site_specific/other_pages/defer-change-vehicle-display.php"></script>
</body>
</html>

Javascript file:

<?php 
error_reporting(E_ALL);
session_start();

header("Content-Type: application/javascript");

?>

<?php
if(isset($_SESSION['loc_settings']))
{
?>
	// Inserts the Google Maps iframe after page load
	$(document).ready(function(){
		$('#location-root-map').html('<iframe width="100%" frameborder="0" style="border:0" src="http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=<?php echo $_SESSION['loc_settings']['site_street'],'+',$_SESSION['loc_settings']['site_city'],'+',$_SESSION['loc_settings']['site_state'],'+',$_SESSION['loc_settings']['site_zip'];?>&aq=0&vpsrc=0&ie=UTF8&hq=&hnear=<?php echo $_SESSION['loc_settings']['site_street'],'+',$_SESSION['loc_settings']['site_city'],'+',$_SESSION['loc_settings']['site_state'],'+',$_SESSION['loc_settings']['site_zip'];?>&output=embed"></iframe>'
		);
	});
<?php
 unset($_SESSION['loc_settings']); 
}
?>

Looking at the output from the js file is empty.  Look at it on my local and it has content.  Display errors is on, even on the server.

[ginerjm]

I"m assuming that you have named your JS file with a php extension.  Can you still load that file at the server since it is being added via a script tag and not a PHP include/require statement?  If it isn't loaded on the server then any php code inside that supposed-js file won't be executed.  No?

[fastsol]

Yes I can load it directly just fine.  Here is a link to the test page http://remotelystarted.com/test

[ginerjm]

What does 'directly' mean?  My question was 'does it load' as it is written currently.

[fastsol]

I just changed the php version on the server to 7.1 like my local has and that made no difference.

[fastsol]

What does 'directly' mean?  My question was 'does it load' as it is written currently.

You can visit the file in the script tag directly in the browser and there is no output in the file.

[ginerjm]

Good luck.  You've lost me.

[fastsol]

I'm getting somewhere I think.  If I move the js file to the root folder it works.  But if I have it at any level above root it won't pick up the session.  What would cause that?

[fastsol]

Also there is no htaccess restricting the viewing in the folder I'm trying to put the js file, or any other type of restriction that I know of since I can execute other php code in the file, just not session data.

Edited September 25, 2017 by fastsol

[requinix]

What are the session cookie settings according to the browser? Path, domain, HTTPS-only, etc.

[fastsol]

path = /

domain = the correct domain. no www. my htaccess redirects everything to non www

http_only = no

 

I was able to resolve the issue for the moment by moving a couple files to the root, at least the site works now.  This is not ideal and doesn't answer why this happened though.  So I still would like any suggestions.  I can't find anything wrong with any setting or anything.  It worked last night and then didn't this morning.  I totally understand that something had to have happened, I just can't find it.

[fastsol]

I don't think this has anything to do with it, but there are some new lines in my htaccess that CPanel added during an update, but even if I comment out the lines it still doesn't work.

###########################
RewriteCond %{HTTP_HOST} ^www.mydomain.com$ [NC]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)$ http://mydomain.com/$1 [R=301,L]
###########################

###########################
RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f 
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^location/(.*)$ ./location-details.php?loc=$1
###########################

RewriteCond %{QUERY_STRING} ^product_id=(.*)$
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . %{REQUEST_URI}?product-id=%1 [R=301,L]

RewriteBase /
RewriteCond %{HTTP:Cookie} devicePixelRatio [NC]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule \.(?:jpe?g|gif|png|bmp)$ /retinaimages.php [NC,L] 
RewriteCond %{REQUEST_FILENAME} !-s 
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)\.[\d]+\.(css|js)$ $1.$2 [L]

It's these 2 lines in each rewrite rule

RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$

[requinix]

Though you've said stuff that suggests it might not be, this could be caused by two session cookies: one in the root, one in a subdirectory. If you put the Javascript file back where it was (not in the root) with

alert("=session_id()?>");

and have the source .php output its session_id(), do the two values match?

[fastsol]

Though you've said stuff that suggests it might not be, this could be caused by two session cookies: one in the root, one in a subdirectory. If you put the Javascript file back where it was (not in the root) with

alert("<?=session_id()?>");

and have the source .php output its session_id(), do the two values match?

 

Yes the id was the same no matter what I did.  That was one of my thoughts too, but led me nowhere.

[mac_gyver]

add a session_write_close(); after the line where you are setting the session variable, to see if that solves the problem. you in fact should be finished assigning or changing any session data before you get to the start of your html document and can write/close the session file (the $_SESSION variables will still exist with their current value in them.)

 

you are likely getting a session file locking problem, where the main code has created the session data file but hasn't actually written the data to the file when the javascript code starts its session. the session id's match, but there's no data in the file for the javascript session to read.

 

so, why would something cause a change in the operation of your scripts? perhaps the network speed where your server is located changed or the time it takes to finish running the rest of the code in your main file suddenly started taking longer (database queries perhaps or doing include/requires of remote files) so that it is taking longer for the main file to end and write and close the session data file.