With SSL: not saving sessions, cookies not being sent

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
krot
Forum Newbie
Posts: 15
Joined: Sun Nov 23, 2014 9:26 am

With SSL: not saving sessions, cookies not being sent

Post by krot »

Hi. Firstly, I apologize for the length of this post, however I thought it best to provide you the total environment. I've searched far and wide to try to resolve this issue. I hope you can help.

I am using the scripts (below) on a shared debian server at my web host's remote facility.

My purpose is to have a fully SSL site. The web host gave this format of URL for my shared server SSL: https://hostaddress.net/example/ where http://www.example.com is the domain name.

Map:
/web/index.php (script below)
/web/testbed/htdocs/test_page_SA.php (script below)
/web/testbed/htdocs/test_page_SB.php (script below)

The index.php directs to test_page_SA.php successfully in each circumstance that I'll describe, test_page_SA.php directs to test_page_SB.php as written, and test_page_SB.php directs back to test_page_SA.php.
Before every test I delete the sessions at the server, and also delete the cookies, browsing and download history, and cache on the client (firefox).
At each test I try both http://www.example.com and example.com (both lead to index.php).
Whenever $params are set, they are set in index.php, test_page_SA and test_page_SB.

Question: How do I get the session data to be saved on the server and the cookie saved on the client, while using $params secure=true and the SSL URL in htaccess?

I conducted the following tests to try to isolate the issue, but failed to find an answer.

### Test 1 - non-SSL - the base http script that works:
htaccess script is blank; http is used; $params secure = false.
Result:
test_page_SA and test_page_SB run successfully, unchanging cookie observed in Firebug (security = blank), at first giving the session id/cookie and the test1 session variable value, then when the input is saved, the output succeeds at giving the session id and both the test1 and name session variable values with both scripts in turn.

### Test 2 - non-SSL:
htaccess script is blank; http used; $params secure = true.
Result:
test_page_SA fails to send the input to test_page_SB, cookie observed in Firebug (security = secure) and it changes at every save, only the session id/cookie is shown, neither session variables shown. Identical results when input in test_page_SB has data saved.

### Test 3 - non-SSL:
htaccess (below) is tried before using the SSL URL to be sure these lines are not an issue; http used; $params secure = true.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(.*)example\.com [NC]
RewriteCond %{SERVER_PORT} 80
Result:
Exactly the same output as Test 2.

### Test 4 - non-SSL:
htaccess (above); http used; $params secure = false.
Result:
Success as in Test 1. So the chunk of htaccess code is not affecting the results.

### Test 5:
htaccess (below, as supplied by the web host); https used; $params secure = false.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(.*)example\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://hostaddress.net/example/$1 [R,L]
Result:
test_page_SA fails to send the input to test_page_SB, cookie NOT observed in Firebug and changes at every save, only the session id/cookie is shown as output, neither session variables shown. Identical results when input in test_page_SB has data saved.

### Test 6:
htaccess (above); https used; $params secure = true. I understand that this parameter should be set to true when using https.
Result:
https://hostaddress.net/example/testbed ... age_SA.php shows as the URL in the address bar, as do the URLs in the two menu items hrefs. When a value is input, https://hostaddress.net/example/testbed ... age_SB.php shows in the address bar. As in Test 5, test_page_SA fails to send the input to test_page_SB, cookie NOT observed in Firebug and changes at every save, only the session id/cookie is shown as output, neither session variables shown. Identical results when input in test_page_SB has data saved.

############ Scripts:

Code: Select all

<?php
#### index.php

session_name('PHPSESSION');
$lifetime = 7200;
$path = '/';
$domain = '.example.com';
$secure = false;
$httponly = false;
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
session_start();

$url = "testbed/htdocs/test_page_SA.php";
header("Location: $url");
exit();
?>

<?php
#### test_page_SA.php:

session_name('PHPSESSION');
$lifetime = 7200;
$path = '/';
$domain = '.example.com';
$secure = true;
$httponly = false;
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
session_start();
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
<?php
ob_start();
echo "into test_page_SA.php<br><br>";
?>
</head>
<body>
<div><a href="test_page_SA.php" title="Page SA">Page SA</a></div><br>
<div><a href="test_page_SB.php" title="Page SB">Page SB</a></div><br>
<?php
echo "session_id() = ".session_id()."<br>";
if(!isset($_SESSION['test1']))
{
    $_SESSION['test1'] = "test1";
    echo "not set, so now set SA _session[test1] = ".$_SESSION['test1']."<br>";
}
else
{
    echo "set, so SA _session[test1] = ".$_SESSION['test1']."<br>";
    echo "_session[name] = ".$_SESSION['name']."<br>";
}
if (isset($_POST['submitted_A']))
{
    if(isset($_POST['full_latin_name']))
    {
        $_SESSION['name'] = $_POST['full_latin_name'];
        echo "_session[name] = ".$_SESSION['name']."<br>";
        $url = "test_page_SB.php";
        ob_end_clean();
        header("Location: $url");
        exit();
    }
}
?>
<form method="post" class="" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
    <div>
            <label for="full_latin_name">Full name</label>
        	<input type="text" id="full_latin_name" name="full_latin_name" />
	</div>
            <div>
	            <input type="submit" id="submit" name="submit" value="Save" />
                <input type="hidden" name="submitted_A" value="TRUE" />
            </div>
</form>
</body>
</html>
<?php
ob_end_flush();
?>


<?php
#### test_page_SB.php:

session_name('PHPSESSION');
$lifetime = 7200;
$path = '/';
$domain = '.example.com';
$secure = true;
$httponly = false;
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
session_start();
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
<?php
ob_start();
echo "into test_page_SB.php<br><br>";
?>
</head>
<body>
<div><a href="test_page_SA.php" title="Page SA">Page SA</a></div><br>
<div><a href="test_page_SB.php" title="Page SB">Page SB</a></div><br>
<?php
echo "session_id() = ".session_id()."<br>";

if(isset($_SESSION['test1']))
{
    echo "_session[test1] = ".$_SESSION['test1']."<br>";
    echo "_session[name] = ".$_SESSION['name']."<br>";
}
else
{
    echo "_session[test1] not set<br>";
}

if (isset($_POST['submitted_A']))
{
    if(isset($_POST['full_latin_name']))
    {
        $_SESSION['name'] = $_POST['full_latin_name'];
        echo "SB _session[name] = ".$_SESSION['name']."<br>";

        $url = "test_page_SA.php";
        ob_end_clean();
        header("Location: $url");
        exit();
    }
}
?>
<form method="post" class="" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
    <div>
            <label for="full_latin_name">Full name</label>
        	<input type="text" id="full_latin_name" name="full_latin_name" />
	</div>
            <div>
	            <input type="submit" id="submit" name="submit" value="Save" />
                <input type="hidden" name="submitted_A" value="TRUE" />
            </div>
</form>
</body>
</html>
<?php
ob_end_flush();
?>


########## TEST INPUTS AND RESULTING OUTPUTS ..


#### Test 1 input/output (HTTP):
Start ..

URL is HTTP

into test_page_SA.php (output stating the script id)

Page SA (link)

Page SB (link)

session_id() = 1e3pq3v6ibj18adpigpor19ccg8ae4nl (output from server, and firebug 'cookie', with firebug secure=blank)
not set, so now set SA _session[test1] = test1 (output proving $_session took the value)
Full name [__________] (input box)

[Enter the name Jim ..]

The response is ..

URL is HTTP

into test_page_SB.php

Page SA

Page SB

session_id() = 1e3pq3v6ibj18adpigpor19ccg8ae4nl (output from server, and firebug 'cookie', with firebug secure=blank)
_session[test1] = test1 (proves the session variables are being kept)
_session[name] = Jim (proves the form input is being accepted then assigned to a session variable ok)
Full name [_________]



#### Test 6 input/output (HTTPS):
Start ..

URL is HTTPS

into test_page_SA.php

Page SA

Page SB

session_id() = eeikccp2m9d0uecqa82glvfsa6u0v3lt (output from server; firebug 'cookie' shows nothing)
not set, so now set SA _session[test1] = test1
Full name {_________}

[Enter the name Jim ..]

The response is ..

URL is HTTPS

into test_page_SB.php

Page SA

Page SB

session_id() = plqm2pnv3eqnl6bign0rr63rhl29n6kb (output from server; firebug 'cookie' shows nothing)
_session[test1] not set (The session variables are not being sent from the server)
Full name {__________}

(Notice that the session_id is different for each cycle in Test 6!)
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: With SSL: not saving sessions, cookies not being sent

Post by Christopher »

I didn't read your whole post, but if you want to maintain your session across multiple domains, you will need to pass your session ID in the URL when switching domains. You should then carefully validate the session and regenerate the session ID.
(#10850)
krot
Forum Newbie
Posts: 15
Joined: Sun Nov 23, 2014 9:26 am

Re: With SSL: not saving sessions, cookies not being sent

Post by krot »

Christopher, is this true for non-SSL and SSL, or only SSL?
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: With SSL: not saving sessions, cookies not being sent

Post by Christopher »

I think both.
(#10850)
krot
Forum Newbie
Posts: 15
Joined: Sun Nov 23, 2014 9:26 am

Re: With SSL: not saving sessions, cookies not being sent

Post by krot »

By trial and error I found the answer:

It seems that when SSL is used (test 6), setcookie is required as follows:

setcookie('sessionname', session_id(), time()+whatever, '/', 'theSSLhostaddress', true, true or false);

Also, the htaccess works in test 6.

The non-SSL script (test 1) did not require setcookie!

Hope this helps.
Post Reply