PHP Session Information Disappearing on Clean URLs


Nematode128

I've been using clean URLs and it's been giving my PHP sessions for my user system some trouble. I display the logged-in user's username on every page via a header.php file that I require on every page. Sometimes when I click a link to navigate to a page with a clean URL, the session information "disappears" and asks the user to log in, but if I navigate to another page from the clean URL that the session "disappeared" on, the logged-in user's username is displayed at the top of the page like normal. Any idea why certain pages cause the session to "disappear"?

 

Header.php where the user info is displayed. $_SESSION['username'] is set on the login page

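<?php
// Resume the session; this must run before any output is sent.
session_start();

if (isset($_SESSION['username'])) {
	// Escape the stored name before writing it into the page.
	echo "Welcome back, " . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
}
?>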

 

Edited by Nematode128

If you refresh working pages, do they eventually think you're logged out?
Can you watch request headers in your browser to make sure the correct session identifier is being sent every time?
Any errors or warnings in your PHP or server error log?


1 minute ago, requinix said:

If you refresh working pages, do they eventually think you're logged out?
Can you watch request headers in your browser to make sure the correct session identifier is being sent every time?
Any errors or warnings in your PHP or server error log?

Not if I actively refresh, but if I go idle for x amount of time then the session logs me out.

How would I make sure the correct session identifier is being sent?

Nothing in the error log


Also, is it always the same page(s)?
And if you refresh (specifically refresh, not re-browse to) the broken page, does its behavior change? Does it show you as logged in?
The code you posted, I don't imagine it's your real code. What is the real code?

To find the session identifier, use your browser's developer tools to find the session cookie. It should be quite noticeable. Remember the random ID you see, then (with the tools still open) load pages until you end up getting logged out. The tool should also be able to show you the HTTP request sent to retrieve that page. In its request headers should be a Cookie header with the session ID. Check other pages that worked for an example.
Is the Cookie header present and with the correct session ID?

For your error log, are you sure it's logging everything? Do you have it set to log all messages from PHP - warnings and notices and all that, not just errors?
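A server-side version of the cookie check described in this post, as an added example that is not code from the thread: it logs the request host and how many session cookies the browser actually sent, so working and broken pages can be compared in the error log. The function names are hypothetical, and the arrow function assumes PHP 7.4 or later.

```php
<?php
// Added diagnostic, not the poster's code. Run it before session_start().

/**
 * Return every value the browser sent for the given cookie name.
 * $_COOKIE keeps only one value per name, so the raw header is parsed instead.
 */
function sessionIdsInHeader(string $rawCookieHeader, string $name): array
{
    $ids = [];
    foreach (explode(';', $rawCookieHeader) as $pair) {
        $parts = explode('=', trim($pair), 2);
        if (count($parts) === 2 && $parts[0] === $name) {
            $ids[] = $parts[1];
        }
    }
    return $ids;
}

function logSessionCookieState(): void
{
    $ids = sessionIdsInHeader($_SERVER['HTTP_COOKIE'] ?? '', session_name());
    // Log a short hash prefix only: a full session ID in a log file is a credential.
    $tags = array_map(
        static fn (string $id): string => substr(hash('sha256', $id), 0, 8),
        $ids
    );
    // JSON-encode the record so request-controlled values cannot break the log line.
    error_log('session-cookie ' . json_encode([
        'host'   => $_SERVER['HTTP_HOST'] ?? '-',
        'uri'    => $_SERVER['REQUEST_URI'] ?? '-',
        'cookie' => session_name(),
        'count'  => count($ids),
        'ids'    => $tags,
    ], JSON_INVALID_UTF8_SUBSTITUTE));
}

logSessionCookieState();
session_start();
```

A count of 0 on a broken page means the browser did not send the cookie for that host or path; a count of 2 means two cookies with the same name but different scope exist.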


16 minutes ago, requinix said:

Also, is it always the same page(s)?
And if you refresh (specifically refresh, not re-browse to) the broken page, does its behavior change? Does it show you as logged in?
The code you posted, I don't imagine it's your real code. What is the real code?

To find the session identifier, use your browser's developer tools to find the session cookie. It should be quite noticeable. Remember the random ID you see, then (with the tools still open) load pages until you end up getting logged out. The tool should also be able to show you the HTTP request sent to retrieve that page. In its request headers should be a Cookie header with the session ID. Check other pages that worked for an example.
Is the Cookie header present and with the correct session ID?

For your error log, are you sure it's logging everything? Do you have it set to log all messages from PHP - warnings and notices and all that, not just errors?

Ya it's always the same pages. It doesn't change if I refresh the broken page, still shows as if I were logged out. That is the real code for displaying the session in the header file. It's displayed in a bootstrap nav bar so the only other code around it is HTML. I noticed on the broken pages the value for "phpsessid" changes, why is that? And yeah I have it logging warnings and notices.


1 hour ago, Nematode128 said:

Ya it's always the same pages. It doesn't change if I refresh the broken page, still shows as if I were logged out.

...

These pages, do they ever work?

 

Quote

That is the real code for displaying the session in the header file. It's displayed in a bootstrap nav bar so the only other code around it is html.

I asked because you have a session_start() immediately followed by an echo that doesn't include any HTML. That should mean there was some HTML being outputted before the code you posted, and if there weren't any warnings from PHP then you must be using some discouraged php.ini settings.

What is the value of the output_buffering setting?

 

Quote

I noticed on the broken pages the value for "phpsessid" changes, why is that?

Variety of possible causes.

What sorts of URL paths do you have for the working and non-working pages? Do all pages under a certain "directory" work while pages under another one do not?
What does your browser say about the session cookie settings? It should include a domain, expiration, and path. The cookie will only be sent for pages with that path prefix.


1 hour ago, requinix said:

...

These pages, do they ever work?

 

I asked because you have a session_start() immediately followed by an echo that doesn't include any HTML. That should mean there was some HTML being outputted before the code you posted, and if there weren't any warnings from PHP then you must be using some discouraged php.ini settings.

What is the value of the output_buffering setting?

 

Variety of possible causes.

What sorts of URL paths do you have for the working and non-working pages? Do all pages under a certain "directory" work while pages under another one do not?
What does your browser say about the session cookie settings? It should include a domain, expiration, and path. The cookie will only be sent for pages with that path prefix.

No I've tried them with just the regular .php file extension (ex. page.php?act=view) with the same result as it showing the page as if the user wasn't logged in.

Output_buffering has no value according to phpinfo(). What would be discouraged .ini settings? I don't remember ever changing anything in a .ini file... All the pages giving me issues so far are in a /mail directory (I'm working on a private message feature). As far as the session goes, it starts out with sitename.net as the domain, Session as the Expiration and "/" as the path. Then when I click a link with a clean URL it adds another phpsessid with www.sitename.net as the domain, and it's either on that page that creates the second phpsessid that it says the user is logged out or it logs the user out on the next link I click.


1 hour ago, Nematode128 said:

Output_buffering has no value according to phpinfo(). What would be discouraged .ini settings? I don't remember ever changing anything in a .ini file ..

output_buffering is the setting I was talking about. Basically, enabling it lets you pick up some bad habits regarding code and application design.

 

1 hour ago, Nematode128 said:

No I've tried them with just the regular .php file extension (ex. page.php?act=view) with the same result as it showing the page as if the user wasn't logged in.

1 hour ago, Nematode128 said:

All the pages giving me issues so far are in a /mail directory (I'm working on a private message feature).

That helps narrow it down.

 

1 hour ago, Nematode128 said:

As far as the session goes, it starts out with sitename.net as the domain, Session as the Expiration and "/" as the path. Then when I click a link with a clean URL it adds another phpsessid with www.sitename.net as the domain, and it's either on that page that creates the second phpsessid that it says the user is logged out or it logs the user out on the next link I click.

If you have two session cookies then you have two things that are trying to create session cookies. There should only ever be one.

Decide whether you want the .sitename.net or www.sitename.net domain for the cookie (it doesn't really matter which, but you might as well go with the .sitename.net one), then investigate what could be causing the other cookie to be set. PHP will not create two unless your URLs are changing domain - and that includes adding or removing a www subdomain - which you said isn't happening, so there's something going on with your setup. Maybe there's different settings, maybe something is manually creating session cookies, it's hard to say.
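One way to apply the advice above, as an added example that is not code from the thread: set the session cookie's scope explicitly in one shared include. It also redirects requests that arrive on any other host name, which goes beyond what the post suggests. CANONICAL_HOST, COOKIE_DOMAIN and startSiteSession() are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not the poster's code. Include it before any output is sent.
// Both constants are assumptions; substitute the site's real host name.

const CANONICAL_HOST = 'sitename.net';   // the single host every page is served from
// A Domain cookie is sent to every subdomain as well. Use '' for a host-only
// cookie if other subdomains are not equally trusted.
const COOKIE_DOMAIN  = '.sitename.net';

function startSiteSession(): void
{
    $host  = strtolower($_SERVER['HTTP_HOST'] ?? '');
    // Assumes PHP sees TLS directly; behind a proxy this check must be adapted.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    // A request on www.sitename.net (or any other alias) goes to the canonical
    // host first, so the session is never started under two different hosts.
    if ($host !== CANONICAL_HOST) {
        $scheme = $https ? 'https' : 'http';
        $path   = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: ' . $scheme . '://' . CANONICAL_HOST . $path, true, 301);
        exit;
    }

    // One place decides the cookie scope, so every page issues the same cookie.
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, as the browser reported
        'path'     => '/',
        'domain'   => COOKIE_DOMAIN,
        'secure'   => $https,   // HTTPS-only when the site is served over TLS
        'httponly' => true,     // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

startSiteSession();
```

Cookies already stored under the old scope stay in the browser until they are deleted or the browser session ends, so clear them once after deploying a change like this.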


9 hours ago, requinix said:

output_buffering is the setting I was talking about. Basically, enabling it lets you pick up some bad habits regarding code and application design.

 

That helps narrow it down.

 

If you have two session cookies then you have two things that are trying to create session cookies. There should only ever be one.

Decide whether you want the .sitename.net or www.sitename.net domain for the cookie (it doesn't really matter which, but you might as well go with the .sitename.net one), then investigate what could be causing the other cookie to be set. PHP will not create two unless your URLs are changing domain - and that includes adding or removing a www subdomain - which you said isn't happening, so there's something going on with your setup. Maybe there's different settings, maybe something is manually creating session cookies, it's hard to say.

Would I benefit from turning output buffering on?

And, this might be a stretch, but could it be my links that are causing issues? I ask because I had this and whenever I clicked that link the page would "break"

echo "<a href='http://pereia.net/Dev/mail/view/inbox'>Back to Inbox</a>";

I changed it to 

echo "<a href='javascript:history.back()'>Back to Inbox</a>";

And that works perfectly fine. 


5 hours ago, Nematode128 said:

Would I benefit from turning output buffering on?

Don't use it.

 

5 hours ago, Nematode128 said:

And, this might be a stretch, but could it be my links that are causing issues? I ask because I had this and whenever I clicked that link the page would "break"


echo "<a href='http://pereia.net/Dev/mail/view/inbox'>Back to Inbox</a>";

I changed it to 


echo "<a href='javascript:history.back()'>Back to Inbox</a>";

And that works perfectly fine. 

I'll ask again: every single page you visit, do they all have exactly the same domain name? I mean everything between those two slashes, not just the last two parts of it. So www.pereia.net and pereia.net are not the same thing.

Instead of using Javascript and going through the history, use absolute URLs:

echo "<a href='/Dev/mail/view/inbox'>Back to Inbox</a>";

In fact all your links should look like that: no http:// or domain name, and the path relative to the root of your website.


1 hour ago, requinix said:

Don't use it.

 

I'll ask again: every single page you visit, do they all have exactly the same domain name? I mean everything between those two slashes, not just the last two parts of it. So www.pereia.net and pereia.net are not the same thing.

Instead of using Javascript and going through the history, use absolute URLs:


echo "<a href='/Dev/mail/view/inbox'>Back to Inbox</a>";

In fact all your links should look like that: no http:// or domain name, and the path relative to the root of your website.

"www." was never added into my address bar so I was a little confused when I saw the second sessid have the domain with "www." in front of it. I fixed my links and that seems to have fixed the issue. Thanks for your help. I appreciate it!

Edited by Nematode128