.htaccess Lost SESSION after header redirect using mod_rewrite [L, QSA] with started session

Question

PHP version 5.4.41 Apache version 2.2.15 Linux version 2.6.32 CentOS 6.6

I have some code that won't redirect properly. There is a lot of code and configuration, so I'm going to try and keep it as simple as possible. My session is continuously lost after a header redirect. There are no errors and there are no warnings...the redirect proceeds fine. I session_start(); and var_dump[$_SESSION] on the page after the redirect to get NULL. If I session_start and dump right before the redirect, the session dumps fine. I'm guessing it has something to do with the htaccess mod_rewrites dropping the session between pages, but am unsure how to fix it. I keep reading to add [L, QSA] but that is not helping. Sessions work fine for simple pages on the same server that don't use the mod_rewrites.

I think the domain is the same seeing how it goes from: http://localhost:8000/web/someus/login http://localhost:8000/web/someus/home

I chmoded & chowned recursively the whole www folder so that apache had all permissions and owned everything in the site.

The .htaccess file looks like:

RewriteCond %{REQUEST_URI} !=/web/[a-z0-9]{6}/index.php
RewriteCond %{REQUEST_URI} !error [NC]
RewriteCond %{REQUEST_URI} !css [NC]
RewriteCond %{REQUEST_URI} !images [NC]
RewriteCond %{REQUEST_URI} !js [NC]
RewriteRule ^([a-z0-9]{6})/(.*)$ /web/index.php?id=$1&page=$2 [L,QSA]

httpd.conf has a DocumentRoot:

DocumentRoot "/var/www/html"

httpd.conf has an alias set up that looks like:

Alias /web /var/www/html/website/
<Directory "/var/www/html/website/">
    AllowOverride All
    Order allow, deny
    Allow from all
</Directory>

in php.ini output_buffering is turned on.

session.cookie_path = /var/www/html/session
session.use_cookies = 1
session.use_only_cookies = 1

The header redirect looks like with the $url value containing 'home' replacing the login with home in the url:

header("Location: $url",true,302);
exit();

When I curl -i on the home page

I get:

HTTP/1.1 302 Found
Date: Wed, 10 Jun 2015 21:54:38 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.41
Set-Cookie: PHPSESSID=08079c815224b0b129d566dc274e0081; path=/web/someus; domain                                                                                  =127.0.0.1; secure
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=ebde43200c30ad6ac18e88b8bfb71371; path=/web/someus; domain                                                                                  =127.0.0.1; secure
Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/web/                                                                                  webdmo; domain=127.0.0.1; secure; httponly
Location: login
Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-WebKit-CSP: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Strict-Transport-Security: max-age=631138519; includeSubDomains
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

When I curl -i on the login page that redirects to the home page

I get:

HTTP/1.1 200 OK
Date: Wed, 10 Jun 2015 21:58:21 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.41
Set-Cookie: PHPSESSID=d79a57eaabb9a41e99f4e0dda202a598; path=/web/someus; domain=127.0.0.1; secure
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-WebKit-CSP: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Strict-Transport-Security: max-age=631138519; includeSubDomains
Content-Length: 2890
Connection: close
Content-Type: text/html; charset=UTF-8

I think it's interesting that the 127.0.0.1 domain is secure in one and not the other--I'm not sure if that has anything to do with it.

Answer 1

You are confusing session.cookie_path which is set to /var/www/html/session with session.save_path.

See the definitions from the links provided above. You probably want session.save_path to be /var/www/html/session and leave cookie path alone.

The session cookie path will tell the browser that those cookies should only be used for certain URL paths on your site.

For example, if I set a cookie with session.cookie_path of /web/someus and then tried to visit /web/somethingelse, the previously set cookie will not be sent because it is not in the path /web/someus.

If you leave the cookie path as the default / then the session cookie will be sent after the redirect.

Answer 2

Figured it out. I think it was a combination of problems. The two responses (using a host localhost & having cookies.path mixed around) were probably a part of it along with bad SSL configuration dropping the session on the redirect. Thanks so much for the help!