Nematode128 Posted June 13, 2020 (edited)

I've been using clean URLs and it's been giving my PHP sessions for my user system some trouble. I display the logged-in user's username on every page via a header.php file that I require on every page. Sometimes when I click a link to navigate to a page with a clean URL, the session information "disappears" and asks the user to log in, but if I navigate to another page from the clean URL that the session "disappeared" on, the logged-in user's username is displayed at the top of the page like normal. Any idea why certain pages cause the session to "disappear"?

Header.php where the user info is displayed. $_SESSION['username'] is set on the login page.

    <?
    session_start();
    if (isset($_SESSION['username'])) {
        echo "Welcome back, " . $_SESSION['username'];
    }
    ?>

Edited June 13, 2020 by Nematode128

requinix Posted June 13, 2020

Do your URLs ever change domain name or HTTP/HTTPS?

Nematode128 Posted June 13, 2020

9 minutes ago, requinix said:
> Do your URLs ever change domain name or HTTP/HTTPS?

Nope, they don't.

requinix Posted June 13, 2020

If you refresh working pages, do they eventually think you're logged out?

Can you watch request headers in your browser to make sure the correct session identifier is being sent every time?

Any errors or warnings in your PHP or server error log?

Nematode128 Posted June 13, 2020

1 minute ago, requinix said:
> If you refresh working pages, do they eventually think you're logged out?
>
> Can you watch request headers in your browser to make sure the correct session identifier is being sent every time?
>
> Any errors or warnings in your PHP or server error log?

Not if I actively refresh, but if I go idle for x amount of time then the session logs me out.

How would I make sure the correct session identifier is being sent?

Nothing in the error log.

requinix Posted June 14, 2020

Also, is it always the same page(s)? And if you refresh (specifically refresh, not re-browse to) the broken page, does its behavior change? Does it show you as logged in?

The code you posted, I don't imagine it's your real code. What is the real code?

To find the session identifier, use your browser's developer tools to find the session cookie. It should be quite noticeable. Remember the random ID you see, then (with the tools still open) load pages until you end up getting logged out. The tool should also be able to show you the HTTP request sent to retrieve that page. In its request headers should be a Cookie header with the session ID. Check other pages that worked for an example. Is the Cookie header present and with the correct session ID?

For your error log, are you sure it's logging everything? Do you have it set to log all messages from PHP - warnings and notices and all that, not just errors?

Nematode128 Posted June 14, 2020

16 minutes ago, requinix said:
> Also, is it always the same page(s)? And if you refresh (specifically refresh, not re-browse to) the broken page, does its behavior change? Does it show you as logged in?
>
> The code you posted, I don't imagine it's your real code. What is the real code?
>
> To find the session identifier, use your browser's developer tools to find the session cookie. It should be quite noticeable. Remember the random ID you see, then (with the tools still open) load pages until you end up getting logged out. The tool should also be able to show you the HTTP request sent to retrieve that page. In its request headers should be a Cookie header with the session ID. Check other pages that worked for an example. Is the Cookie header present and with the correct session ID?
>
> For your error log, are you sure it's logging everything? Do you have it set to log all messages from PHP - warnings and notices and all that, not just errors?

Ya, it's always the same pages. It doesn't change if I refresh the broken page, still shows as if I were logged out.

That is the real code for displaying the session in the header file. It's displayed in a bootstrap nav bar so the only other code around it is HTML.

I noticed on the broken pages the value for "phpsessid" changes, why is that?

And yeah, I have it logging warnings and notices.

requinix Posted June 14, 2020

1 hour ago, Nematode128 said:
> Ya it's always the same pages. It doesn't change if I refresh the broken page, still shows as if I were logged out.

... These pages, do they ever work?

> That is the real code for displaying the session in the header file. It's displayed in a bootstrap nav bar so the only other code around it is html.

I asked because you have a session_start() immediately followed by an echo that doesn't include any HTML. That should mean there was some HTML being outputted before the code you posted, and if there weren't any warnings from PHP then you must be using some discouraged php.ini settings.

What is the value of the output_buffering setting?

> I noticed on the broken pages the value for "phpsessid" changes, why is that?

Variety of possible causes.

What sorts of URL paths do you have for the working and non-working pages? Do all pages under a certain "directory" work while pages under another one do not?

What does your browser say about the session cookie settings? It should include a domain, expiration, and path. The cookie will only be sent for pages with that path prefix.

Nematode128 Posted June 14, 2020

1 hour ago, requinix said:
> ... These pages, do they ever work?
>
> I asked because you have a session_start() immediately followed by an echo that doesn't include any HTML. That should mean there was some HTML being outputted before the code you posted, and if there weren't any warnings from PHP then you must be using some discouraged php.ini settings.
>
> What is the value of the output_buffering setting?
>
> Variety of possible causes.
>
> What sorts of URL paths do you have for the working and non-working pages? Do all pages under a certain "directory" work while pages under another one do not?
>
> What does your browser say about the session cookie settings? It should include a domain, expiration, and path. The cookie will only be sent for pages with that path prefix.

No, I've tried them with just the regular .php file extension (ex. page.php?act=view) with the same result as it showing the page as if the user wasn't logged in.

Output_buffering has no value according to phpinfo(). What would be discouraged .ini settings? I don't remember ever changing anything in a .ini file.

All the pages giving me issues so far are in a /mail directory (I'm working on a private message feature).

As far as the session goes, it starts out with sitename.net as the domain, Session as the Expiration and "/" as the path. Then when I click a link with a clean URL it adds another phpsessid with www.sitename.net as the domain, and it's either on that page that creates the second phpsessid that it says the user is logged out or it logs the user out on the next link I click.

requinix Posted June 14, 2020

1 hour ago, Nematode128 said:
> Output_buffering has no value according to phpinfo(). What would be discouraged .ini settings? I don't remember ever changing anything in a .ini file ..

output_buffering is the setting I was talking about. Basically, enabling it lets you pick up some bad habits regarding code and application design.

1 hour ago, Nematode128 said:
> No I've tried them with just the regular .php file extension (ex. page.php?act=view) with the same result as it showing the page as if the user wasn't logged in.

1 hour ago, Nematode128 said:
> All the pages giving me issues so far are in a /mail directory (I'm working on a private message feature).

That helps narrow it down.

1 hour ago, Nematode128 said:
> As far as the session goes, it starts out with sitename.net as the domain, Session as the Expiration and "/" as the path then when I click a link with a clean url it adds another phpsessid with www.sitename.net as the domain and it's either on that page that creates the second phpsessid that it says the user is logged out or it logs the user out on the next link I click.

If you have two session cookies then you have two things that are trying to create session cookies. There should only ever be one.

Decide whether you want the .sitename.net or www.sitename.net domain for the cookie (it doesn't really matter which, but you might as well go with the .sitename.net one), then investigate what could be causing the other cookie to be set. PHP will not create two unless your URLs are changing domain - and that includes adding or removing a www subdomain - which you said isn't happening, so there's something going on with your setup. Maybe there's different settings, maybe something is manually creating session cookies, it's hard to say.

Nematode128 Posted June 14, 2020

9 hours ago, requinix said:
> output_buffering is the setting I was talking about. Basically, enabling it lets you pick up some bad habits regarding code and application design.
>
> That helps narrow it down.
>
> If you have two session cookies then you have two things that are trying to create session cookies. There should only ever be one.
>
> Decide whether you want the .sitename.net or www.sitename.net domain for the cookie (it doesn't really matter which, but you might as well go with the .sitename.net one), then investigate what could be causing the other cookie to be set. PHP will not create two unless your URLs are changing domain - and that includes adding or removing a www subdomain - which you said isn't happening, so there's something going on with your setup. Maybe there's different settings, maybe something is manually creating session cookies, it's hard to say.

Would I benefit from turning output buffering on?

And, this might be a stretch, but could it be my links that are causing issues? I ask because I had this and whenever I clicked that link the page would "break":

    echo "<a href='http://pereia.net/Dev/mail/view/inbox'>Back to Inbox</a>";

I changed it to

    echo "<a href='javascript:history.back()'>Back to Inbox</a>";

And that works perfectly fine.

requinix Posted June 14, 2020

5 hours ago, Nematode128 said:
> Would I benefit from turning output buffering on?

Don't use it.

5 hours ago, Nematode128 said:
> And, this might be a stretch, but could it be my links that are causing issues? I ask because I had this and whenever I clicked that link the page would "break"
>
>     echo "<a href='http://pereia.net/Dev/mail/view/inbox'>Back to Inbox</a>";
>
> I changed it to
>
>     echo "<a href='javascript:history.back()'>Back to Inbox</a>";
>
> And that works perfectly fine.

I'll ask again: every single page you visit, do they all have exactly the same domain name? I mean everything between those two slashes, not just the last two parts of it. So www.pereia.net and pereia.net are not the same thing.

Instead of using Javascript and going through the history, use absolute URLs:

    echo "<a href='/Dev/mail/view/inbox'>Back to Inbox</a>";

In fact all your links should look like that: no http:// or domain name, and the path relative to the root of your website.

Nematode128 Posted June 14, 2020 (edited)

1 hour ago, requinix said:
> Don't use it.
>
> I'll ask again: every single page you visit, do they all have exactly the same domain name? I mean everything between those two slashes, not just the last two parts of it. So www.pereia.net and pereia.net are not the same thing.
>
> Instead of using Javascript and going through the history, use absolute URLs:
>
>     echo "<a href='/Dev/mail/view/inbox'>Back to Inbox</a>";
>
> In fact all your links should look like that: no http:// or domain name, and the path relative to the root of your website.

"www." was never added into my address bar so I was a little confused when I saw the second sessid have the domain with "www." in front of it. I fixed my links and that seems to have fixed the issue. Thanks for your help. I appreciate it!

Edited June 14, 2020 by Nematode128

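Added example, not part of any post in this thread: one way to keep a site on a single host name and a single session cookie, so that a stray link to the "www." variant cannot produce a second PHPSESSID. It assumes PHP 7.3 or later (array form of session_set_cookie_params); `CANONICAL_HOST`, `canonical_redirect()` and `start_site_session()` are hypothetical names, and the host value is a placeholder modelled on the "sitename.net" name used in the posts.

```php
<?php
declare(strict_types=1);

// Placeholder host; replace with the one host name the site should answer on.
const CANONICAL_HOST = 'sitename.net';

/**
 * Return the URL to redirect to when the request arrived on a non-canonical
 * host (for example www.sitename.net), or null when the host is already right.
 */
function canonical_redirect(string $host, string $uri, bool $https): ?string
{
    $host = strtolower((string) preg_replace('/:\d+$/', '', $host)); // ignore port
    if ($host === CANONICAL_HOST) {
        return null;
    }
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/'; // only ever append a root-relative path
    }
    // The target host is a constant, never the client-supplied Host header.
    return ($https ? 'https' : 'http') . '://' . CANONICAL_HOST . $uri;
}

/** Start the session with one explicit set of cookie attributes. */
function start_site_session(bool $https): void
{
    session_set_cookie_params([
        'lifetime' => 0,    // "Session" expiration, as seen in the thread
        'path'     => '/',
        // Domain=sitename.net also covers www.sitename.net and every other
        // subdomain. Use '' for a host-only cookie once the redirect is in place.
        'domain'   => CANONICAL_HOST,
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

if (PHP_SAPI !== 'cli') {
    $https  = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $target = canonical_redirect($_SERVER['HTTP_HOST'] ?? '', $_SERVER['REQUEST_URI'] ?? '/', $https);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    start_site_session($https);
}
```

Including this at the top of every page, before any output, means a request on the wrong host is redirected before a session cookie is ever issued for it.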