Jump to content
KillGorack

Session start & security

Recommended Posts

Posted (edited)

I have issues with a user being logged in and staying logged in, When logging in I create these $_SESSION variables

Array
(
    [usr_login] => username
    [usr_fname] => first
    [usr_lname] => last
    [usr_email] => email
    [ses_usrid] => 1
    [loggdin] => Yes
    [loginremember] => 
)

And after login it looks great till I refresh the page or go anywhere else on the site. All variables above are gone.

Consequently, this works with no issues on the prod server, just not on my machine.

Code I've been playing with since it started, specifically the setting of the cookie. (this code runs before anything else)

	// =================================================================
	// Sesssion start
	// =================================================================
			session_set_cookie_params(
			    0,
			    "/; SameSite=Strict",
			    ".killgorack.com",
			    true,
			    true
			);
			session_start();
	// =================================================================
	// Security stuff
	// =================================================================
			header("strict-transport-security: max-age=31536000");
			header('X-Frame-Options: sameorigin');
			header("X-XSS-Protection: 1; mode=block");
			header('X-Content-Type-Options: nosniff');
			header("Content-Security-Policy: default-src BLA BLA BLA ");
			header("Feature-Policy: vibrate 'none'");
			header("Referrer-Policy: no-referrer");
			header("Access-Control-Allow-Origin: https://www.MYWEBSITE.com/");
			header("Expect-CT: max-age=86400, enforce");
			header_remove("X-Powered-By");
	// =================================================================

Any ideas?

Edited by KillGorack

Share this post


Link to post
Share on other sites
Posted (edited)

Yea thanks, also it's a really dumb mistake.. I don't change the URLS of the website from dev to prod..

I think these are the issue. Always 30 seconds after I post..

Edited by KillGorack

Share this post


Link to post
Share on other sites
Posted (edited)

Also I'm getting an error when I change the order as you've suggested.

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in C:\xampp\htdocs\portal-x\inc\ses.php on line 12

I'll fiddle with it, once I've changed the urls it seems to be working.

I'll have to add this file to gitignore, and keep a local file different than production once I have it working.

Edited by KillGorack

Share this post


Link to post
Share on other sites

Still not driven to conclusion;

I have TWO scenarios.

#1

  session_set_cookie_params(
    300,
    "/; SameSite=Strict",
    ".killgorack.com",
    true,
    true
  );
  session_start();
  • Through www.immuniweb.com it seems the stuff is set correctly on production(php 7.3.5) server.
  • I get no errors on the production(php 7.3.5) server
  • I stay logged in after initial form post for login on production(php 7.3.5) server
  • I DO NOT stay logged in after initial form post for login on development(php 7.3.3) server (localhost)

#2

  session_start();
  session_set_cookie_params(
    300,
    "/; SameSite=Strict",
    ".killgorack.com",
    true,
    true
  );
  • Through www.immuniweb.com it seems the stuff is NOT setup correctly on production(php 7.3.5) server
  • I get errors on the production(php 7.3.5) server
  • I stay logged in after initial form post for login on production(php 7.3.5) server
  • I stay logged in after initial form post for login on development(php 7.3.3) server (localhost)

Share this post


Link to post
Share on other sites
Posted (edited)

 

From the manual at:  https://www.php.net/manual/en/function.session-set-cookie-params.php

 

Set cookie parameters defined in the php.ini file. The effect of this function only lasts for the 
duration of the script. Thus, you need to call session_set_cookie_params() for every request and 
before session_start() is called.

If you really want these settings to be retained you have to place them into your ini file.  Although - I don't see the use in a 5 minute cookie duration.  Or add this code to a little module that you can then include in every script that you want to use these settings.

Edited by ginerjm

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.