Second unexpected session being created

[FlickeringLamp]

Hi,

I'm a newbie learning web development in my spare time. I've built a LAMP server from scratch on an old PC as a learning exercise and I think the basic install and setup of that is fine as I installed PHPBB previously and that runs and is working. I've backed the server up at that point and restored so everything up to there is pretty much out of the box. I'm now coding my own web pages, so I've setup virtual hosting so I can hit them and start learning PHP, MySQL etc using quite an old book (PHP4 days) so yes things have changed. I've got an issue right at the start with sessions. It's a basic user authorisation exercise setting a session value authorising the user, and then when you click on a link, the authorised user session variable is tested to determine whether the user is allowed to view the page. This is not working and I've worked out what is happening.

The main page is starting a new session – session_start();
The session value is set.

When I click on the link, the next page is calling session_start();
... but it's starting a second session, and the authorised user value is not found. I've confirmed this watching sessions in the folder ... /var/lib/php/sessions

I can see the first being created containing the authorised user variable, and then a second empty session being created with just the session id. The session folder group is www-data with rwx permissions. The session file owner and group is www-data with rw permissions ...

-rw------- 1 www-data www-data 13 Nov 29 21:29 sess_bgih8hu82plbrvo0f9naledmdd
-rw------- 1 www-data www-data 0 Nov 29 21:29 sess_vhq4kfcm3sm0avrmif8e2fli9v

I don't think permissions is the issue as I can read and display the $_SESSIONID in each page – which also confirms different sessions are being used. I'm also seeing the following error in the apache error log when the second page is requested ...

[Fri Nov 29 20:58:27.829382 2019] [php7:notice] [pid 1065] [client x.x.x.x:x] PHP Notice: Undefined index: authuser in /var/www/licks/moviesite.php on line 22, referer: http://licksdev.com/moviemain.php

There's hardly any code, it's a very basic exercise, but here you go, this is the main page ...

<?php
session_start();
$_SESSION['authuser']=1;
?>
<HTML>
<HEAD>
<TITLE>Find my favourite movie</TITLE>
</HEAD>
<BODY>
<?php
echo "<a href='http://www.licksdev.com/moviesite.php'>Click ...</a>";
?>
</BODY>
</HTML>

Here is the second page. when I hit this page I get the not authorised error message:

<?php
session_start();
if ($_SESSION['authuser']!=1){
echo "Sorry but you don't have permission to view this page.";
exit();
}
?>
<HTML>
<HEAD>
<TITLE>Movie Details</TITLE>
</HEAD>
<BODY>
<?php
echo "User is authorised";
echo "<br>";
echo $_SESSION['authuser'];
?>
</BODY>
</HTML>

Versions ...

Ubuntu 18.04.
PHP 7.2.24
Apache/2.4.29

I'm guessing this is some basic configuration issue I should know about but I've spent a few days trying to find a solution - thought the session was not persisting at first, then the permissions, played around with session.use_only cookies but it's not that. Can't seem to frame the right question to find anyone talking about a similar issue.

Thanks for any help you can give.

[requinix]

licksdev.com and www.licksdev.com are two different sites.

Set up a redirect so that one of them always goes to the other. So the user (eg, you) won't get confused by the two sites.

[FlickeringLamp]

I knew it would be something stupid.

Thanks.  

Anyway I've learned quite a bit the last few days - plus this, so it's all good.

 

[requinix]

Oh. And don't put the whole URL in your link. It's really unnecessary. All you need is the path portion, as in the stuff after the domain. So just /moviesite.php.

[FlickeringLamp]

OK I'll get into that habit as well. It's fixed now. 
I think I ended up down this blind alley trying to be clever setting up two entries in my client hosts file - one for www.licksdev.com and one for licksdev.com (guessing not needed) - and been hopping back and forth between the two in the browser - but then also server side in the code. Cheers.

Edited November 29, 2019 by FlickeringLamp

[requinix]

You should support both, because people will type the domain name without the "www", but you should enforce only one as the proper (canonical) domain. Which means redirect. So for yourself you'll want both hosts file entries, and Apache should have a configuration for both, but the non-www should redirect to the www one. You also have to make sure you never link to the non-www URL (another reason to not put the domain name in your URLs) because the redirect can mess with how stuff behaves.

[FlickeringLamp]

OK this looks like a bit of work to get my head around from what I've been reading.  
I just tried a quick and dirty <meta http-equiv = "refresh" content = "2; url = http://www.licksdev.com" />
In the index.html file at my Document Root, and now I have a page that constantly refreshes. Read that this is not a recommended approach anymore, looks like I need to enable mod-rewrite and create a htaccess file in my document root and carefully build some re-write rules. This sound like the right approach?
 

 

 

[requinix]

40 minutes ago, FlickeringLamp said:

looks like I need to enable mod-rewrite and create a htaccess file in my document root and carefully build some re-write rules. This sound like the right approach?

Yes.

[FlickeringLamp]

Thanks, got redirects working. Took a while to find out AllowOverrides was switched off for /var/www - enabled that and now all working. Cheers
Like the trick of being able to modify local php directives in the .htaccess file for specific areas of the site.