Jump to content

Second unexpected session being created


FlickeringLamp

Recommended Posts

Hi,

I'm a newbie learning web development in my spare time. I've built a LAMP server from scratch on an old PC as a learning exercise and I think the basic install and setup of that is fine as I installed PHPBB previously and that runs and is working. I've backed the server up at that point and restored so everything up to there is pretty much out of the box. I'm now coding my own web pages, so I've setup virtual hosting so I can hit them and start learning PHP, MySQL etc using quite an old book (PHP4 days) so yes things have changed. I've got an issue right at the start with sessions. It's a basic user authorisation exercise setting a session value authorising the user, and then when you click on a link, the authorised user session variable is tested to determine whether the user is allowed to view the page. This is not working and I've worked out what is happening.

The main page is starting a new session – session_start();
The session value is set.

When I click on the link, the next page is calling session_start();
... but it's starting a second session, and the authorised user value is not found. I've confirmed this watching sessions in the folder ... /var/lib/php/sessions

I can see the first being created containing the authorised user variable, and then a second empty session being created with just the session id. The session folder group is www-data with rwx permissions. The session file owner and group is www-data with rw permissions ...

-rw------- 1 www-data www-data 13 Nov 29 21:29 sess_bgih8hu82plbrvo0f9naledmdd
-rw------- 1 www-data www-data 0 Nov 29 21:29 sess_vhq4kfcm3sm0avrmif8e2fli9v

I don't think permissions is the issue as I can read and display the $_SESSIONID in each page – which also confirms different sessions are being used. I'm also seeing the following error in the apache error log when the second page is requested ...

[Fri Nov 29 20:58:27.829382 2019] [php7:notice] [pid 1065] [client x.x.x.x:x] PHP Notice: Undefined index: authuser in /var/www/licks/moviesite.php on line 22, referer: http://licksdev.com/moviemain.php

There's hardly any code, it's a very basic exercise, but here you go, this is the main page ...

<?php
session_start();
$_SESSION['authuser']=1;
?>
<HTML>
<HEAD>
<TITLE>Find my favourite movie</TITLE>
</HEAD>
<BODY>
<?php
echo "<a href='http://www.licksdev.com/moviesite.php'>Click ...</a>";
?>
</BODY>
</HTML>

Here is the second page. when I hit this page I get the not authorised error message:

<?php
session_start();
if ($_SESSION['authuser']!=1){
echo "Sorry but you don't have permission to view this page.";
exit();
}
?>
<HTML>
<HEAD>
<TITLE>Movie Details</TITLE>
</HEAD>
<BODY>
<?php
echo "User is authorised";
echo "<br>";
echo $_SESSION['authuser'];
?>
</BODY>
</HTML>

Versions ...

Ubuntu 18.04.
PHP 7.2.24
Apache/2.4.29

I'm guessing this is some basic configuration issue I should know about but I've spent a few days trying to find a solution - thought the session was not persisting at first, then the permissions, played around with session.use_only cookies but it's not that. Can't seem to frame the right question to find anyone talking about a similar issue.

Thanks for any help you can give.

Link to comment
Share on other sites

OK I'll get into that habit as well. It's fixed now. 
I think I ended up down this blind alley trying to be clever setting up two entries in my client hosts file - one for www.licksdev.com and one for licksdev.com (guessing not needed) - and been hopping back and forth between the two in the browser - but then also server side in the code. Cheers.

Edited by FlickeringLamp
Link to comment
Share on other sites

You should support both, because people will type the domain name without the "www", but you should enforce only one as the proper (canonical) domain. Which means redirect. So for yourself you'll want both hosts file entries, and Apache should have a configuration for both, but the non-www should redirect to the www one. You also have to make sure you never link to the non-www URL (another reason to not put the domain name in your URLs) because the redirect can mess with how stuff behaves.

Link to comment
Share on other sites

OK this looks like a bit of work to get my head around from what I've been reading.  
I just tried a quick and dirty <meta http-equiv = "refresh" content = "2; url = http://www.licksdev.com" />
In the index.html file at my Document Root, and now I have a page that constantly refreshes. Read that this is not a recommended approach anymore, looks like I need to enable mod-rewrite and create a htaccess file in my document root and carefully build some re-write rules. This sound like the right approach?
 

 

 

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.