
I'm writing a PHP login script after reading a lot about session security online. However, I'm having a problem where the session information is not consistent between pages. There is probably a behavior involved with one of the methods I'm using that I've overlooked, but I'm not exactly a PHP or session expert. The code where I'm having problems is in the session starting function that is called in the head of every page:

//Setup the session
session_name('CPI_SESSION');
session_set_cookie_params(0, '/', $_SERVER['SERVER_NAME'], (isset($_SERVER['HTTPS']) ? $_SERVER['HTTPS'] : true), true); 
//Start the session
session_start();

print_r($_SESSION);
echo '<br/>';
if(!isset($_SESSION['session_init']))
{
     session_regenerate_id(true);
     $_SESSION['session_init'] = true;

     print_r($_SESSION);
}

The method I'm using I read about here. The only thing I modified is for session_regenerate_id to delete the old session, which is a behavior I want. However, I get unexpected results. The echo I get looks like this:

Array ( )
Array ( [session_init] => 1 )

From each print_r respectively. So each time the function is called, for some reason beyond my knowledge the session is empty, which causes it to regenerate the id and clear the already empty session, then it sets session_init. If I refresh the page, session_init should still be saved, but it's not. This causes it to do the same thing over again. Why is this? I've tried commenting out session_name and session_set_cookie_params but it didn't make a difference.

I'm running this locally with an Apache 2.2 server and PHP 5.3.

smoth190
  • Why do you do a `session_regenerate_id()`? As of the PHP doc this "will replace the current session id with a new one". – feeela Jul 26 '12 at 17:03
  • You forgot the second part of the sentence: `will replace the current session id with a new one, and keep the current session information.` – Nir Alfasi Jul 26 '12 at 17:17
  • I want to get rid of it so anyone who has the session ID will have to get it again (so if a hacker guesses it, or steals it from the client, they'll have to do that again and the client will have to login again). I haven't been able to test it because this won't work... – smoth190 Jul 29 '12 at 22:11

1 Answer


It appears to be an issue with the lifetime of the session. [session_set_cookie_params](http://www.php.net/manual/en/function.session-set-cookie-params.php) takes the number of seconds the session will last as the first argument. In your code it is set to 0. Try changing it to a higher number like so.

<?php
//Setup the session
session_name('CPI_SESSION');
// set session time to 4 hours
session_set_cookie_params(3600*4, '/', $_SERVER['SERVER_NAME'], (isset($_SERVER['HTTPS']) ? true : false), true);      
//Start the session
session_start();

print_r($_SESSION);
echo '<br/>';
if(!isset($_SESSION['session_init']))
{
     session_regenerate_id(true);
     $_SESSION['session_init'] = true;

     print_r($_SESSION);
}
?>
Chris McKnight
  • Wow, now I feel kinda dumb. Didn't think when I checked the docs to check the params... Unfortunately, changing this doesn't fix it. – smoth190 Jul 29 '12 at 22:11
  • Oh I see you had another incorrect parameter as well. Changed the code. The secure parameter should only be true or false. – Chris McKnight Jul 30 '12 at 00:16
  • Oh, I hadn't noticed that. However, the problem was giving the session a name. When I removed the call, it worked (although removing it earlier didn't fix the problem). I don't know why, though. It was probably something I changed earlier, and I'll probably never figure out why. Your answer fixed some would-be problems, though, so that's good enough an answer for me as any. – smoth190 Jul 30 '12 at 00:34
  • Interesting. The exact code above works fine for me but as long as it's working now it doesn't matter. Cheers – Chris McKnight Jul 30 '12 at 04:31
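A hardened version of the session bootstrap discussed in this thread, added here as an example; it is not code from the question or the answer. It assumes PHP 5.4 or later for `session_status()` (on PHP 5.3, as in the question, a `session_id() === ''` check would stand in for it), and the function names `cpi_session_start`, `cpi_session_login` and `cpi_session_logout`, the four-hour default lifetime and the `created_at`/`user_id` keys are my own choices. It keeps the answer's boolean `secure` flag and the thread's regenerate-on-first-use pattern, adds the regeneration at login that the comment about stolen or guessed ids is really after, and pairs it with a logout that clears both the cookie and the server-side data:

```php
<?php
// Added example: a session bootstrap for the head of every page.
// Assumes PHP >= 5.4 (session_status). Names and lifetime are assumptions.

function cpi_session_start($lifetimeSeconds = 4 * 3600)
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started earlier in this request
    }

    // The secure flag must be a boolean. $_SERVER['HTTPS'] is a string
    // ('on' under Apache, or absent), so derive a bool from it instead of
    // passing the raw value through as the question's code did.
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    session_name('CPI_SESSION');
    // lifetime, path, domain, secure, httponly. An empty domain makes PHP
    // emit a host-only cookie, scoped to exactly the host that set it.
    session_set_cookie_params($lifetimeSeconds, '/', '', $secure, true);
    // Let the server-side copy expire on the same schedule as the cookie,
    // and never accept a session id from the query string.
    ini_set('session.gc_maxlifetime', (string) $lifetimeSeconds);
    ini_set('session.use_only_cookies', '1');
    session_start();

    if (empty($_SESSION['session_init'])) {
        // First use of this id: replace it and drop the old record, so an id
        // handed out (or guessed) before this point never carries state.
        session_regenerate_id(true);
        $_SESSION['session_init'] = true;
        $_SESSION['created_at']   = time();
    }
}

function cpi_session_login($userId)
{
    // Regenerate again at the privilege boundary: the id the browser held
    // while anonymous must not become the id of the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

function cpi_session_logout()
{
    $_SESSION = array();
    $p = session_get_cookie_params();
    // Expire the cookie in the browser with the same attributes it was set
    // with, then delete the server-side data.
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage at the top of a page (output here is for illustration only):
cpi_session_start();
echo isset($_SESSION['user_id']) ? 'logged in' : 'anonymous';
```

Call `cpi_session_start()` before any output on every page; once the browser accepts the cookie, `session_init` set on the first request comes back on the next one, which is exactly what the question's two `print_r` calls were checking for. Regenerating only at first use and at login, rather than on every request, is what keeps `session_regenerate_id(true)` from discarding state the page still needs.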