Sessions Problem?

[Cobra23]

Hi,

I have sessions and cookies for my website with PHP 7.2 version. But now and again, it logs me out quickly. Sometimes after 10 minutes inactivity, other times it doesn't, or even sometimes on clicking a link on the site. I can't tell if it is the browsers settings which I changed, but made no difference. Can anybody see a problem with my sessions, if that is set up wrong and if it is the reason as to why I am getting logged out of my site a lot without logging out?

htaccess

Header always edit Set-Cookie (.*) "$1; SameSite=Strict"

php.ini

session.name = __MySession
session.save_path = /path-to-sessions
session.hash_function = sha512
session.gc_maxlifetime = 3600
session.gc_probability = 1
; session.gc_divisor = 100
session.cookie_lifetime = 0
session.use_only_cookies = 1
session.use_trans_sid = 0
session.cookie_secure = 1
session.use_strict_mode = 1
session.cookie_httponly = 1
session.use_cookies = 1
session.referer_check = http://www.my-domain.com/
session.cache_limiter = nocache

sessions function

<?php
function mySiteSession() {
    $session_name = '__MySession';
	$cookie_domain = "www.my-domain.com";
	if (strpos($_SERVER['REQUEST_URI'], 'secured-area')) {
		$cookie_path = "/secured-area/";
		$saved_path_location = '/path-to-sessions';
		ini_set('session.save_path', $saved_path_location);
	} else {
		if (strpos($_SERVER['REQUEST_URI'], 'contact-us-now') && !strpos($_SERVER['REQUEST_URI'], 'secured-area')) {
			$cookie_path = "/contact-us-now/";
			$saved_path_location = '/path-to-sessions';
			ini_set('session.save_path', $saved_path_location);
			$max_life_time_seconds = 3600;
			$_SESSION['created'] = time();
			$session_life_time_seconds = time() - $_SESSION['created'];
			if ($session_life_time_seconds > $max_life_time_seconds) {
				session_destroy();
				session_unset();
			}
		} else {
			$cookie_path = "/secured-area/";
			$saved_path_location = '/path-to-sessions';
			ini_set('session.save_path', $saved_path_location);
		}
	}
	$cookie_secure = false; // website is not live and no https yet
    $cookie_httponly = true;
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"], $cookie_path, $cookie_domain, $cookie_secure, $cookie_httponly);
	session_name($session_name);
	secureSession();
	session_write_close();
	$cleanSession = @secureSession();
	if (!$cleanSession) {
		session_regenerate_id(true);
		secureSession();
	}
	session_regenerate_id(true);
}
function secureSession() {
	if (isset($_COOKIE[session_name()]) && preg_match('/^[-,a-zA-Z0-9]{1,128}$/', $_COOKIE[session_name()])) {
        session_start();
    } else if (isset($_COOKIE[session_name()])) {
        unset($_COOKIE[session_name()]);
        session_start();
    } else {
        session_start();
    }
}
?>

Web Page Layout

<?php
ob_start(); // some pages have this but not all
mySiteSession();
// my sites code and html
ob_flush(); // some pages have this but not all
?>

I hope that this is enough information, as I am not sure how to get to the bottom of this.

Edited February 10, 2019 by Cobra23

[ginerjm]

Before you have us embark on this complex "sessions" code exercise, is there some special need for such an effort to takeover PHP's excellent management of sessions already?

[Cobra23]

What do you mean exactly?

Edited February 10, 2019 by Cobra23

[ginerjm]

What do you find wrong with the standard PHP session handling that you are doing all of this code?  That's what I mean. 

[Cobra23]

I just want mine to be very secure and private as possible without the use of cookies like PHPSESSID or keeping sessions in the original assigned folder. But having some problems keeping users logged in. That's why i'm asking the question for some advice and help on this.

[ginerjm]

Well for most of us the standard PHP controls are sufficient.  If you have some kind of sensitive usage going in your domain then you will have to master this yourself.  Good luck I guess...

[kicken]

You're still using cookies, so what's wrong with just using the default setup?  If you really don't want them to be named PHPSESID then just change the session.name value.

Change your session.save_path to a secure folder dedicated to your application.

There's nothing you need to do beyond that.  Just use sessions in the normal fashion by calling session_start() and manipulating the $_SESSION variable.

 

[Cobra23]

Gas! I think I may have sorted it with the php.ini of

session.cache_limiter = private

I'm not sure of it's restrictions or vulnerabilities, so i'll have to find out on that.

and activated:

session.gc_divisor = 100

 

[Cobra23]

Sorry kicken, I didn't see your comment.

I was just silly with the session.cache_limiter set to as private. That just saves a cache of the whole page without getting any new updates from the database when logged in. Although, the cache would stop kicking me out of safari, it's not what I need as I need updated content that changes any time.

My problem is with safari browser and not really with the sessions as the session file is still active in my tests. So I think the cookies are deleted on the client side with safari even though browser settings are set to not delete them. This happens mostly on some links (sometimes) and repeatedly clicking its link. I did have this problem on Google Chrome but sorted that with jQuery "on" events via the click to not allow a second click until page is loaded. This may be caused by bootstrap 3.

I tried adding cookie expiry to 3600 instead of 0 in php.ini which added the expiry date but had no affect on sorting the problem.

Also, safari doesn't detect the SameSite settings in htaccess while the other browsers do. It might have to be a case of going to php 7.3 for this to work.

SameSite=Strict

Edited February 13, 2019 by Cobra23

[Cobra23]

I pin pointed the problem ? It was due to the creation of css files with php which in turn had another session in the css that confused the system. It was the only way I could generate them with the exact results. By disabling that, no more kicking out. Onto creating one a new way now. Cheers for helping