Jump to content

Sessions Problem?


Cobra23

Recommended Posts

Hi,

I have sessions and cookies for my website with PHP 7.2 version. But now and again, it logs me out quickly. Sometimes after 10 minutes inactivity, other times it doesn't, or even sometimes on clicking a link on the site. I can't tell if it is the browsers settings which I changed, but made no difference. Can anybody see a problem with my sessions, if that is set up wrong and if it is the reason as to why I am getting logged out of my site a lot without logging out?

htaccess

Header always edit Set-Cookie (.*) "$1; SameSite=Strict"

php.ini

session.name = __MySession
session.save_path = /path-to-sessions
session.hash_function = sha512
session.gc_maxlifetime = 3600
session.gc_probability = 1
; session.gc_divisor = 100
session.cookie_lifetime = 0
session.use_only_cookies = 1
session.use_trans_sid = 0
session.cookie_secure = 1
session.use_strict_mode = 1
session.cookie_httponly = 1
session.use_cookies = 1
session.referer_check = http://www.my-domain.com/
session.cache_limiter = nocache

sessions function

<?php
function mySiteSession() {
    $session_name = '__MySession';
	$cookie_domain = "www.my-domain.com";
	if (strpos($_SERVER['REQUEST_URI'], 'secured-area')) {
		$cookie_path = "/secured-area/";
		$saved_path_location = '/path-to-sessions';
		ini_set('session.save_path', $saved_path_location);
	} else {
		if (strpos($_SERVER['REQUEST_URI'], 'contact-us-now') && !strpos($_SERVER['REQUEST_URI'], 'secured-area')) {
			$cookie_path = "/contact-us-now/";
			$saved_path_location = '/path-to-sessions';
			ini_set('session.save_path', $saved_path_location);
			$max_life_time_seconds = 3600;
			$_SESSION['created'] = time();
			$session_life_time_seconds = time() - $_SESSION['created'];
			if ($session_life_time_seconds > $max_life_time_seconds) {
				session_destroy();
				session_unset();
			}
		} else {
			$cookie_path = "/secured-area/";
			$saved_path_location = '/path-to-sessions';
			ini_set('session.save_path', $saved_path_location);
		}
	}
	$cookie_secure = false; // website is not live and no https yet
    $cookie_httponly = true;
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"], $cookie_path, $cookie_domain, $cookie_secure, $cookie_httponly);
	session_name($session_name);
	secureSession();
	session_write_close();
	$cleanSession = @secureSession();
	if (!$cleanSession) {
		session_regenerate_id(true);
		secureSession();
	}
	session_regenerate_id(true);
}
function secureSession() {
	if (isset($_COOKIE[session_name()]) && preg_match('/^[-,a-zA-Z0-9]{1,128}$/', $_COOKIE[session_name()])) {
        session_start();
    } else if (isset($_COOKIE[session_name()])) {
        unset($_COOKIE[session_name()]);
        session_start();
    } else {
        session_start();
    }
}
?>

Web Page Layout

<?php
ob_start(); // some pages have this but not all
mySiteSession();
// my sites code and html
ob_flush(); // some pages have this but not all
?>

I hope that this is enough information, as I am not sure how to get to the bottom of this.

Link to comment
Share on other sites

I just want mine to be very secure and private as possible without the use of cookies like PHPSESSID or keeping sessions in the original assigned folder. But having some problems keeping users logged in. That's why i'm asking the question for some advice and help on this.

Link to comment
Share on other sites

You're still using cookies, so what's wrong with just using the default setup?  If you really don't want them to be named PHPSESID then just change the session.name value.

Change your session.save_path to a secure folder dedicated to your application.

There's nothing you need to do beyond that.  Just use sessions in the normal fashion by calling session_start() and manipulating the $_SESSION variable.

 

Link to comment
Share on other sites

Sorry kicken, I didn't see your comment.

I was just silly with the session.cache_limiter set to as private. That just saves a cache of the whole page without getting any new updates from the database when logged in. Although, the cache would stop kicking me out of safari, it's not what I need as I need updated content that changes any time.

My problem is with safari browser and not really with the sessions as the session file is still active in my tests. So I think the cookies are deleted on the client side with safari even though browser settings are set to not delete them. This happens mostly on some links (sometimes) and repeatedly clicking its link. I did have this problem on Google Chrome but sorted that with jQuery "on" events via the click to not allow a second click until page is loaded. This may be caused by bootstrap 3.

I tried adding cookie expiry to 3600 instead of 0 in php.ini which added the expiry date but had no affect on sorting the problem.

Also, safari doesn't detect the SameSite settings in htaccess while the other browsers do. It might have to be a case of going to php 7.3 for this to work.

SameSite=Strict
Link to comment
Share on other sites

I pin pointed the problem ? It was due to the creation of css files with php which in turn had another session in the css that confused the system. It was the only way I could generate them with the exact results. By disabling that, no more kicking out. Onto creating one a new way now. Cheers for helping

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.