PHP Session Id Reset on page load

Question

I've looked at everything here and elsewhere, nothing seems to work!

Here's the issue:

On page load, upon calling session_start(), I get assigned a PHP session ID.
Once I refresh the page, I get a new session ID and that makes the $_SESSION variable come empty.

PHP Version is: 5.6.30-0+deb8u1

I did a small script to replicate outside of the application:

<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);

echo '<pre>';
echo 'orig session.cookie_domain = '.ini_get('session.cookie_domain').PHP_EOL;
echo 'orig session.cookie_secure = '.ini_get('session.cookie_secure').PHP_EOL;
ini_set('session.cookie_domain', '.mydomain.com');
ini_set('session.cookie_secure', 'Off');
echo 'new session.cookie_domain = '.ini_get('session.cookie_domain').PHP_EOL;
echo 'new session.cookie_secure = '.ini_get('session.cookie_secure').PHP_EOL;
echo '-------------'.PHP_EOL;
print_r($_COOKIE);
session_start();
print_r($_COOKIE);
setcookie(ini_get('session.name'), session_id(), 0, '/', ini_get('session.cookie_domain'), false, false);
print_r($_COOKIE);
echo '-------------'.PHP_EOL;
echo 'session id: '.session_id().PHP_EOL;
echo '-------------'.PHP_EOL;
$_SESSION[session_id()][] = date('Y-m-d H:i:s');
print_r($_SESSION);
echo '</pre>';
//phpinfo();

output of script is:

orig session.cookie_domain = 
orig session.cookie_secure = 
new session.cookie_domain = .mydomain.com
new session.cookie_secure = Off
-------------
Array
(
    [__cfduid] => ddxxx
    [_ga] => GA1.2.xxxx
    [wp-settings-time-2] => 1500996194
    [_gid] => GA1.3.xxxx
)
Array
(
    [__cfduid] => ddxxx
    [_ga] => GA1.2.xxxx
    [wp-settings-time-2] => 1500996194
    [_gid] => GA1.3.xxxx
)
Array
(
    [__cfduid] => ddxxx
    [_ga] => GA1.2.xxxx
    [wp-settings-time-2] => 1500996194
    [_gid] => GA1.3.xxxx
)
-------------
session id: 7n4mm16s525mpqo99r242p90l3
-------------
Array
(
    [7n4mm16s525mpqo99r242p90l3] => Array
        (
            [0] => 2017-08-07 16:01:18
        )

)

Sounds like your domain isn't set correctly. What's the actual domain you're using compared to the one you've set? — Jonnix, Aug 07 '17 at 20:16
And what URL are you going to in your browser? Do you actually need to set cookie_domain? What's your use-case to not just use the host? — Jonnix, Aug 07 '17 at 20:19
@JonStirling there's a staging environment on a subdomain, that's why. Not setting it does the same thing. — pycvalade, Aug 07 '17 at 20:20
Hmm, unsure then. I can kind of replicate (works fine on specific domains, but not on . prefixes ones) , but not worked out how to resolve so far. — Jonnix, Aug 07 '17 at 20:29
@EatPeanutButter tried putting it on line 4, does the same.. — pycvalade, Aug 07 '17 at 20:36

score 1 · Accepted Answer · answered Aug 09 '17 at 13:54

After a lot of research, it came out to be Varnish cache causing the problem. The problem lies in Varnish caching the page without session cookies set, making it useless after a refresh of the page.

Disabling Varnish on the server solved the problem for me.

Also found out this for those who would prefer to keep Varnish active but get sessions to work: Cache-Control Header Fix

score 0 · Answer 2 · answered Aug 07 '17 at 20:10

0

Do this, to preserve the existing session:

if(session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

answered Aug 07 '17 at 20:10

Kai

2,529
1
15
24

still not working.. In the app, I'm also using this without success: if(!session_id()){ session_start(); } – pycvalade Aug 07 '17 at 20:13

score 0 · Answer 3 · answered Jun 16 '18 at 08:51

check is_writable(session_save_path()) in php file:

<?php
if (!is_writable(session_save_path())) {
    echo 'Session path "'.session_save_path().'" is not writable for PHP!';
    // you need set chmod -R 777 [session save path folder]
}

Hope to help you

PHP Session Id Reset on page load

3 Answers3