session_id() & cookie not going to 2nd script

krot
Forum Newbie
Posts: 15
Joined: Sun Nov 23, 2014 9:26 am

session_id() & cookie not going to 2nd script

Post by krot »

For some reason the session_id and cookie are not carried through from the test-from script to the test-to script.
Note: I need to use session cookies as opposed to persistent cookies. The whole site is SSL. This happens in Firefox, Chrome and IE10. In Firefox, Firebug shows there is no cookie present.
And the session folder shows two session_ids instead of only one (I believe).
Can anyone see what I'm doing wrong here?

Here is the data in the php.ini file:

session.use_cookies = 1
session.cookie_secure = On
session.use_only_cookies = 1
session.name = "name"
session.auto_start = 0
session.cookie_path = /
session.cookie_domain = .example.com
session.cookie_httponly = true

Here's the test-from script that calls test-to.php below it:

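    <?php
    ob_start();

    // Read the configured session name (php.ini: session.name) before starting the session.
    $session_name = session_name();
    session_start();

    if (ini_get("session.use_cookies"))
    {
        $params = session_get_cookie_params();
        // session_start() already sends the session cookie; this call sends a second
        // Set-Cookie header with the same name and value.
        setcookie($session_name, session_id(), 0, $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
        $_SESSION['id'] = session_id();
        $url = "https://www.example.com/test-to.php";
        ob_end_clean();
        header("Location: $url");
        // No database connection is opened in this script, so only close one if it exists.
        if (isset($dbc))
        {
            mysqli_close($dbc);
        }
        exit();
    }

    ob_end_flush();
    ?>

And the test-to.php script: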

    <?php
    ob_start();

    // Read the configured session name, then resume (or create) the session.
    $session_name = session_name();
    session_start();

    // Was the value stored by test-from carried over in the session data?
    if(isset($_SESSION['id']))
    {
        echo "_session[id] = ".$_SESSION['id']."<br>";
    }
    else
    {
        echo "_session[id] not set<br>";
    }

    // Did the browser send the session cookie back with this request?
    if(!isset($_COOKIE[$session_name]))
    {
        echo "_cookie[session_name] not set<br>";
    }
    else
    {
        echo "_session[id] = ".$_SESSION['id']."<br>";
        echo "cookie is set<br>";
        echo "cookie = ".$_COOKIE[$session_name]."<br>";
        echo "session_name() = ".session_name()."<br>";
        echo "old session_id = ".$_SESSION['id']."<br>";
    }

    ob_end_flush();
    ?>

Here's the output from test-to.php:

_session[id] not set
_cookie[session_name] not set

And here are the two session_id()s - there should only be one, I believe:

sess_oadi8hn601nabgck8k13cm1g518qd4ho
sess_pq90ht1untugn8aptft0557u4iele4o1
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: session_id() & cookie not going to 2nd script

Post by requinix »

Have you checked what Set-Cookie headers are returned from the first script?
krot
Forum Newbie
Posts: 15
Joined: Sun Nov 23, 2014 9:26 am

Re: session_id() & cookie not going to 2nd script

Post by krot »

When I add (after session_id();)
echo "test-to: _cookie: ".$_COOKIE[$session_name]."<br><br>";
to test-to.php, it output
Notice: Undefined index: name in test-to: _cookie

Is this what you meant by finding out what set-cookie headers were returned?
What does this output mean is going on?
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: session_id() & cookie not going to 2nd script

Post by requinix »

krot wrote: Is this what you meant by finding out what set-cookie headers were returned?
What does this output mean is going on?

You mentioned Firebug. It can show you network traffic, and within that it will report the response headers from the request to test-from. It will start with a "HTTP/1.1 302 Found" and somewhere within should be one or more Set-Cookie headers.
My question is (a) are there any and (b) if so what are they?
krot
Forum Newbie
Posts: 15
Joined: Sun Nov 23, 2014 9:26 am

Re: session_id() & cookie not going to 2nd script

Post by krot »

GET test-from.php

302 Moved Temporarily
hostname.net
249 B
IP numbers

Headers

Response Headers
Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection Keep-Alive
Content-Type text/html
Date Thu, 19 Mar 2015 21:54:09 GMT
Expires Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive timeout=5, max=256
Location https://www.example/test-to.php
Pragma no-cache
Server Apache
Set-Cookie name=2tnhq0u04r9gshmn4sik9i75e4q26ibj; expires=Thu, 19-Mar-2015 23:54:09 GMT; path=/; domain=.example.com; secure; HttpOnly name=2tnhq0u04r9gshmn4sik9i75e4q26ibj; path=/; domain=.example.com; secure; httponly
Transfer-Encoding chunked

Request Headers
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language en-GB,en;q=0.5
Connection keep-alive
Host hostname.net
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0


GET test-to.php

200 OK
hostname.net
63 B
IP numbers

Headers

Response Headers
Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection Keep-Alive
Content-Type text/html
Date Thu, 19 Mar 2015 21:54:09 GMT
Expires Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive timeout=5, max=255
Pragma no-cache
Server Apache
Set-Cookie name=8ek2h8nr1676368j9gdrtfrh3qoun322; expires=Thu, 19-Mar-2015 23:54:09 GMT; path=/; domain=.example.com; secure; HttpOnly
Transfer-Encoding chunked

Request Headers
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language en-GB,en;q=0.5
Connection keep-alive
Host hostname.net
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0


However, under the Cookies tab, the cookie doesn't show.

These values show up in the session folder:
sess_2tnhq0u04r9gshmn4sik9i75e4q26ibj
sess_8ek2h8nr1676368j9gdrtfrh3qoun322
krot
Forum Newbie
Posts: 15
Joined: Sun Nov 23, 2014 9:26 am

Re: session_id() & cookie not going to 2nd script

Post by krot »

It seems that a new session is being generated in the test-to script instead of the test-from one being used that set the cookie. Or am I misunderstanding something?
If the code is correct (and I'm not 100% sure that it is), could there be a php.ini value that is wrong, or a server session issue?
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: session_id() & cookie not going to 2nd script

Post by requinix »

That's right: test-from is attempting to set the cookies but test-to isn't receiving them. You also said that Firebug says there aren't any cookies set, suggesting that the browser is rejecting the cookies.

Are you sure the cookie parameters (copied from the session parameters) are correct? Does the Domain value agree with the domain name as seen by the browser? For example, if the cookie domain is ".example.com" then the browser must think it's visiting an example.com or *.example.com domain for the cookie to be accepted.
Also, how does the cookie expiration compare with your local time? Could it be the current time or in the past? Then the cookies would be forgotten immediately.
krot
Forum Newbie
Posts: 15
Joined: Sun Nov 23, 2014 9:26 am

Re: session_id() & cookie not going to 2nd script

Post by krot »

I changed the cookie from a session cookie to a persistent cookie, after I changed the php.ini lifetime parameter to 7200 (2 hours).
setcookie(session_name(), session_id(), time()+$params["lifetime"], $params["path"], $params["domain"], $params["secure"], $params["httponly"]);

This showed in test-from and test-to in Firebug to be correct for local time (GMT adjusted). The cookie expiry seems not to be the issue.
Nor is the cookie name in error, since Firebug shows the same name for the cookie sent by test-from and the cookie received by test-to.

GET test-from.php
Response Headers
:
Set-Cookie name=k3cda89dtm9nme3r0sal6be5egcsj4i9; expires=Fri, 20-Mar-2015 20:12:25 GMT; path=/; domain=.example.com; secure; HttpOnly name=k3cda89dtm9nme3r0sal6be5egcsj4i9; expires=Fri, 20-Mar-2015 20:12:25 GMT; path=/; domain=.example.com; secure; httponly

GET test-to.php
Response Headers
:
Set-Cookie name=sn7v5r701difp2icch4b01s12333nn5b; expires=Fri, 20-Mar-2015 20:12:25 GMT; path=/; domain=.example.com; secure; HttpOnly

So I checked all parameters in php.ini by outputting them in test-from (with an exit to freeze the output) and they all proved correct. In case it was the domain that needed changed from .example.com, I tried .www.example.com and the root. They all showed up as .example.com in the firebug response header of both test-from and test-to.

So it seems that the session_id is not being accepted by the browser for some reason. Which leads me to wonder if the '302 Moved Temporarily' has something to do with the issue. Something to do with redirection!! After researching 302 I'm still out of my depth on that point.

I'm guessing that there may be a session file management issue rather than a coding issue.

I've been working on this issue for 5 days now, and seem to be no further forward. I need to get this working since the deadline has already passed :|
Any further ideas are very welcome :)
When I do get this working, I'll post the solution for those following this post.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: session_id() & cookie not going to 2nd script

Post by requinix »

krot wrote: In case it was the domain that needed changed from .example.com, I tried .www.example.com and the root. They all showed up as .example.com in the firebug response header of both test-from and test-to.

So you tried to set a cookie with one domain, but the cookie actually received was with the original?

I think some recent versions of PHP include changes to multiple cookies and/or session cookie handling. It's quite possible that your settings are being overridden by PHP's session settings, since you are trying to set a cookie with the same name and value as the session cookie's. However that wouldn't explain why test-from isn't getting the cookie.

1. Can you change the cookie name to something other than session_name()? To make sure there's no possible conflict with the session cookie.
2. Can you put these two scripts up somewhere to see?

krot wrote: So it seems that the session_id is not being accepted by the browser for some reason. Which leads me to wonder if the '302 Moved Temporarily' has something to do with the issue. Something to do with redirection!! After researching 302 I'm still out of my depth on that point.

The only problem I've heard of, which is quite rare (if it still even happens to anyone), is that session data isn't saved when redirecting. It doesn't affect the cookie.
If you want to consider that, the solution is to add a call to session_write_close() before exit;ing.
krot
Forum Newbie
Posts: 15
Joined: Sun Nov 23, 2014 9:26 am

Re: session_id() & cookie not going to 2nd script

Post by krot »

I used the standard and simple examples at http://php.net/manual/en/function.sessi ... .php#93673 and discovered that they failed. This means that it's not my coding that's the issue but something to do with php or php.ini. PHPINFO shows that my shared server uses PHP Version 5.3.3-7.6+hw2. I've sent a ticket to the web host for their view on what's going on. I'll let you know ..
krot
Forum Newbie
Posts: 15
Joined: Sun Nov 23, 2014 9:26 am

Re: session_id() & cookie not going to 2nd script

Post by krot »

Here's the reply from the web host support - and the sessions now work:

"Our Administrators fixed the issue with the connection between the two pages:
/folders/page1.php
/folders/page2.php
They had to change 'session_cookie_domain' in your php.ini file. It needed to be empty."

Thank you very much for your input. Much appreciated :)
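
The domain check requinix describes earlier in the thread, and the effect of an empty cookie domain, as an added example that is not part of the original thread or the posters' code. The function names are hypothetical, PHP 7 or later is assumed, and the sample host and domain are the values quoted in the php.ini listing and the captured request headers above.

```php
<?php
// Added example; function names are hypothetical. Assumes PHP 7 or later.

// RFC 6265 domain-match: would a browser visiting $host accept a cookie
// whose Domain attribute is $cookieDomain?
function cookie_domain_accepts(string $host, string $cookieDomain): bool
{
    $host   = strtolower(preg_replace('/:\d+$/', '', $host)); // drop any :port
    $domain = strtolower(ltrim($cookieDomain, '.'));          // a leading dot is ignored
    if ($domain === '' || $host === $domain) {
        return true;  // an empty Domain gives a host-only cookie, always accepted
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false; // an IP address never suffix-matches a domain name
    }
    $suffix = '.' . $domain;
    return substr($host, -strlen($suffix)) === $suffix;
}

// Lists the reasons a browser would drop the session cookie for this request.
function session_cookie_problems(string $host, bool $https, array $params): array
{
    $problems = [];
    if (!cookie_domain_accepts($host, $params['domain'])) {
        $problems[] = "Domain '{$params['domain']}' does not match host '{$host}'";
    }
    if ($params['secure'] && !$https) {
        $problems[] = 'Secure cookie set on a plain-HTTP request';
    }
    return $problems;
}

// Cookie settings as listed in the thread's php.ini.
$params = ['path' => '/', 'domain' => '.example.com', 'secure' => true];

// Host header as it appears in the captured request headers.
print_r(session_cookie_problems('hostname.net', true, $params));
// Host the redirect URL points at.
print_r(session_cookie_problems('www.example.com', true, $params));
// The web host's change: session.cookie_domain left empty.
$params['domain'] = '';
print_r(session_cookie_problems('hostname.net', true, $params));
```

On a live page the same check can be run with `session_get_cookie_params()` and `$_SERVER['HTTP_HOST']` in place of the inline values.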