Page 1 of 2
Can sessions be erased by a XHTML/CSS template?
Posted: Tue Sep 08, 2009 3:15 pm
by bluest_cube
I'm a web designer and I coded a web page layout using just XHTML/CSS for an application developed by a PHP programmer. He states that once the app. is wrapped in the templates the sessions are being erased. Can HTML and CSS break sessions and if so what causes it? There is no javascript in the templates.
Thanks
Re: Can sessions be erased by a XHTML/CSS template?
Posted: Tue Sep 08, 2009 3:21 pm
by Eran
Simply put, no. Ask the programmer if he starts the session before any output is sent to the browser (ie, before outputting anything from the template).
Re: Can sessions be erased by a XHTML/CSS template?
Posted: Wed Sep 09, 2009 3:19 pm
by bluest_cube
Response from developer:
PHP auto-starts a session each time a page is called. The session value *IS* working on the server side - I can see the session files in /tmp. The session is transmitted to the browser in the form of a cookie.. each time a page transaction happens, the cookie is requested FIRST, then once the session ID is matched, the actual code runs.
Re: Can sessions be erased by a XHTML/CSS template?
Posted: Wed Sep 09, 2009 3:24 pm
by Eran
That's kind of a vague response that means nothing. Session values are only accessible server side. Why is he converting sessions into cookies? in any case this has nothing to do with HTML and CSS.
Re: Can sessions be erased by a XHTML/CSS template?
Posted: Wed Sep 09, 2009 3:41 pm
by Eric!
If the session is working on the server, then the session is working. So this doesn't make much sense to me. I think what pytrin is asking is important to know. Is his session_start() call made before your templates start writing stuff to the browser? If you post the code up to the part where you start your sessions we can help more.
Re: Can sessions be erased by a XHTML/CSS template?
Posted: Wed Sep 09, 2009 4:09 pm
by bluest_cube
I asked the developer for the code and this is his response:
There is no code to start sessions. If you look at php.ini (in /usr/local/lib/) you'll see that PHP is set to automatically start a session before any of my code runs. That transaction happens outside of my application completely.
Thanks
Re: Can sessions be erased by a XHTML/CSS template?
Posted: Wed Sep 09, 2009 4:17 pm
by Eric!
Well that's not really true. His php application triggers the php session_start when the page is served. He has set session.auto_start to 1 in the php.ini file.
If this is true and there aren't multiple php.ini files in different directories where session.auto_start is 0, then sessions should be working fine, especially if he says the server is storing the data. Your template can't break it unless you're manipulating the session data or session_id in PHP. HTML/CSS alone can't break it.
There are some problems when pages are redirecting to other locations, session data can be lost, and some browsers loose data between locations during redirects. Are you doing anything like that in your html?
Re: Can sessions be erased by a XHTML/CSS template?
Posted: Wed Sep 09, 2009 4:19 pm
by Eran
session data is not related to redirects. HTML and CSS markup cannot by themselves affect session data in any way, shape or form
Re: Can sessions be erased by a XHTML/CSS template?
Posted: Wed Sep 09, 2009 4:29 pm
by Eric!
Well sometimes browers will drop the session during HTML redirects (if used as cookies). I've seen that with older IE versions on occasion. And sometimes you have to set it to ALLOW ALL COOKIES, then clear out the cache, restart IE and try it again....
Re: Can sessions be erased by a XHTML/CSS template?
Posted: Wed Sep 09, 2009 4:34 pm
by Eran
cookies are used to hold the session id only. and I don't think the OP is talking about compatibility with very old IE versions.. (IE6 handles redirects just fine)
Re: Can sessions be erased by a XHTML/CSS template?
Posted: Wed Sep 09, 2009 4:45 pm
by Eric!
Just trying to be complete in my answers. That was the only possibilty I could come up with because with auto_start they probably aren't passing the SID via URL during redirects. Maybe his brower is blocking all cookies?
Re: Can sessions be erased by a XHTML/CSS template?
Posted: Wed Sep 09, 2009 4:48 pm
by Eran
The OP said his developer claims sessions are being erased once the PHP code is integrated with the HTML templates. There is no reason for that to happen, regardless of browser. The problem lies in the PHP code or server environment. HTML and CSS can not affect sessions or cookies (only Javascript can do something client-side, and that is with cookies only).
Do you have SSL secured pages in your site?
Re: Can sessions be erased by a XHTML/CSS template?
Posted: Wed Sep 09, 2009 5:07 pm
by Eric!
But later he says the session data is there on the server. So is the session file really
erased or was the session data lost? I find it more unlikely that the actual session file was erased than the data getting lost.
It could be possible the garbage collector ('session.gc_maxlifetime') is too short? or maybe the session_set_cookie_params($cookie_timeout, $cookie_path); is screwed up?

There has been some weird session problems. Someone posted a really weird session problem on firefox that we weren't able to solve where the data was being lost during part of a php script and only with one server combination.
viewtopic.php?f=1&t=102305
Re: Can sessions be erased by a XHTML/CSS template?
Posted: Wed Sep 09, 2009 5:21 pm
by Eran
A lot of php settings could be affecting this, including gc_maxlifetime, gc_divisor and gc_probability. The latter two especially, in specific combination can cause the sessions to be recycled on each refresh. None of this, however, can be affected by HTML or CSS (which is the subject of the post).
Re: Can sessions be erased by a XHTML/CSS template?
Posted: Wed Sep 09, 2009 5:32 pm
by bluest_cube
The application is not using SSL. This issue is happening on all browsers.
The strange thing is that the sessions are working as they should before the app is wrapped in the template. But once the app is integrated into the template it doesn't function as it should. Also, this same template is being used for another application that is using sessions/cookies and everything works fine. The developer had suggested I remove the doc type and the meta tags which currently look like this:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="
http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="keywords" content="my content/>
<meta name="description" content="my description">
I have to wait for the developer to answer some of these questions and I'll let you know. Thanks for the help.