KillGorack Posted May 19, 2019 (edited)

I have issues with a user being logged in and staying logged in. When logging in I create these $_SESSION variables:

    Array
    (
        [usr_login] => username
        [usr_fname] => first
        [usr_lname] => last
        [usr_email] => email
        [ses_usrid] => 1
        [loggdin] => Yes
        [loginremember] =>
    )

And after login it looks great till I refresh the page or go anywhere else on the site. All variables above are gone. Consequently, this works with no issues on the prod server, just not on my machine.

Code I've been playing with since it started, specifically the setting of the cookie (this code runs before anything else):

    // =================================================================
    // Session start
    // =================================================================
    // Cookie lifetime 0 (session cookie), path with the SameSite value
    // appended, domain, secure, httponly
    session_set_cookie_params(0, "/; SameSite=Strict", ".killgorack.com", true, true);
    session_start();

    // =================================================================
    // Security stuff
    // =================================================================
    header("strict-transport-security: max-age=31536000");
    header('X-Frame-Options: sameorigin');
    header("X-XSS-Protection: 1; mode=block");
    header('X-Content-Type-Options: nosniff');
    header("Content-Security-Policy: default-src BLA BLA BLA ");
    header("Feature-Policy: vibrate 'none'");
    header("Referrer-Policy: no-referrer");
    header("Access-Control-Allow-Origin: https://www.MYWEBSITE.com/");
    header("Expect-CT: max-age=86400, enforce");
    header_remove("X-Powered-By");
    // =================================================================

Any ideas?

Edited May 19, 2019 by KillGorack
Link to comment https://forums.phpfreaks.com/topic/308729-session-start-security/
gw1500se Posted May 19, 2019

session start has to go first.
KillGorack (Author) Posted May 19, 2019 (edited)

Yea thanks, also it's a really dumb mistake.. I don't change the URLs of the website from dev to prod.. I think these are the issue. Always 30 seconds after I post..

Edited May 19, 2019 by KillGorack
KillGorack (Author) Posted May 19, 2019 (edited)

Also I'm getting an error when I change the order as you've suggested:

    Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in C:\xampp\htdocs\portal-x\inc\ses.php on line 12

I'll fiddle with it; once I've changed the URLs it seems to be working. I'll have to add this file to .gitignore, and keep a local file different than production once I have it working.

Edited May 19, 2019 by KillGorack
KillGorack (Author) Posted May 19, 2019

Still not driven to conclusion; I have TWO scenarios.

#1

    session_set_cookie_params(300, "/; SameSite=Strict", ".killgorack.com", true, true);
    session_start();

- Through www.immuniweb.com it seems the stuff is set correctly on the production (php 7.3.5) server.
- I get no errors on the production (php 7.3.5) server.
- I stay logged in after the initial form post for login on the production (php 7.3.5) server.
- I DO NOT stay logged in after the initial form post for login on the development (php 7.3.3) server (localhost).

#2

    session_start();
    session_set_cookie_params(300, "/; SameSite=Strict", ".killgorack.com", true, true);

- Through www.immuniweb.com it seems the stuff is NOT set up correctly on the production (php 7.3.5) server.
- I get errors on the production (php 7.3.5) server.
- I stay logged in after the initial form post for login on the production (php 7.3.5) server.
- I stay logged in after the initial form post for login on the development (php 7.3.3) server (localhost).
ginerjm Posted May 19, 2019 (edited)

From the manual at: https://www.php.net/manual/en/function.session-set-cookie-params.php

    Set cookie parameters defined in the php.ini file. The effect of this function only lasts for the duration of the script. Thus, you need to call session_set_cookie_params() for every request and before session_start() is called.

If you really want these settings to be retained you have to place them into your ini file. Although - I don't see the use in a 5 minute cookie duration.

Or add this code to a little module that you can then include in every script that you want to use these settings.

Edited May 19, 2019 by ginerjm
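The include module ginerjm suggests, written out as an added example (this is not code from the thread or from KillGorack's site). It applies the cookie parameters before session_start() on every request, uses the PHP 7.3+ array form with its documented 'samesite' key instead of the "/; SameSite=Strict" path trick from the first post, and picks the cookie Domain from the request host so the same file works on localhost and on production. The hostname-to-domain map and the name start_secure_session() are assumptions for illustration; only ".killgorack.com" comes from the thread.

```php
<?php
// Added example: session bootstrap include (ses.php-style). Assumptions:
// the host map below is a placeholder; adjust it to your own hostnames.
declare(strict_types=1);

// A cookie whose Domain attribute does not match the request host is dropped
// by the browser without any error, which looks exactly like "the $_SESSION
// data is gone on the next request". Map each deployment host to the domain
// it may set; an empty string means a host-only cookie.
const SESSION_COOKIE_DOMAINS = [
    'www.killgorack.com' => '.killgorack.com', // production (from the thread)
    'localhost'          => '',                // dev box: host-only cookie
];

function session_cookie_domain(string $host): string
{
    // Drop any :port suffix (e.g. localhost:8080) before the lookup.
    $host = strtolower(explode(':', $host, 2)[0]);
    return SESSION_COOKIE_DOMAINS[$host] ?? ''; // unknown host: host-only
}

function start_secure_session(array $server): void
{
    // session_set_cookie_params() only works before the session is active;
    // calling it afterwards raises the warning quoted in the thread.
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }

    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';

    session_set_cookie_params([
        'lifetime' => 0,            // session cookie, removed when the browser closes
        'path'     => '/',
        'domain'   => session_cookie_domain($server['HTTP_HOST'] ?? 'localhost'),
        'secure'   => $https,       // a Secure cookie is never sent over plain http
        'httponly' => true,         // not readable from JavaScript
        'samesite' => 'Strict',     // PHP 7.3+ replaces the "/; SameSite=Strict" path hack
    ]);

    // Refuse session ids the client made up; only server-generated ids are honoured.
    ini_set('session.use_strict_mode', '1');

    session_start();
}

start_secure_session($_SERVER);

// Response headers may follow; they only need to precede any output.
header('Strict-Transport-Security: max-age=31536000');
header('X-Frame-Options: SAMEORIGIN');
header('X-Content-Type-Options: nosniff');
header('Referrer-Policy: no-referrer');
header_remove('X-Powered-By');
```

Include this file at the top of every script, before anything is echoed. If production terminates TLS at a reverse proxy, $_SERVER['HTTPS'] may be unset there, so derive $https from the proxy's forwarded-protocol header instead; the same settings can be made permanent in php.ini via session.cookie_secure, session.cookie_httponly and session.cookie_samesite (the last available from PHP 7.3), which is the ini route ginerjm mentions.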