
I'm experiencing some weird problems with SESSION variables on my PHP/Ajax online shopping cart.

When I first view the page, the SESSION is created and works within the page. Then when I navigate to another PHP page within the same directory the SESSION is completely lost. What's weird is that this only happens once. Once the user goes through this process of completely losing their SESSION upon changing page, the SESSION works in full across the entire cart.

I started mailing myself var_exports of both $_SESSION and $_SERVER data on each page view. It seems that when a page is first viewed, the SESSION exists and contains data. However there is no PHPSESSID generated in the $_SERVER['HTTP_COOKIE'] variable. On navigating to another page, the PHPSESSID gets created and the SESSION will start working, but the initial SESSION data of the first page view is lost.

Is there a way to generate a PHPSESSID if one has not yet been generated for the SESSION? Or is this typical behaviour and is irrelevant to my random SESSION loss problem? I'm using PHP 5.2.

Every page in the cart starts the exact same way:

```php
$title="Title";
$keywords="keywords";
$description="description";
@include('../header_cart.php');
```

And then at the top of header_cart.php there is:

```php
session_start();
if(!isset($_SESSION['active'])){
    $_SESSION['active']=$_SERVER['REMOTE_ADDR'];
}
```

unsunghero
  • All sorts of fun reading [here](http://php.net/manual/en/function.session-id.php). I don't know if you checked that out already. Are you sure your `session_start()` isn't failing on your first call? – afuzzyllama Jan 18 '12 at 15:49
  • Every page in the cart uses the same header file, so I don't think that's it. Maybe using session_regenerate_id() if the PHPSESSID is not set might help. – unsunghero Jan 18 '12 at 16:12
  • But then you might lose your cart info because the session changes? =/ – afuzzyllama Jan 18 '12 at 16:18
  • PHP docs say "session_regenerate_id() will replace the current session id with a new one, and keep the current session information." - I'll give it a try just to see what happens – unsunghero Jan 18 '12 at 16:21
  • Josh, you say php/Ajax app. Are you truly visiting different php pages, or having Ajax pull the content without doing a page load? Also, is passing the session ID through the URL a consideration? – AlexC Jan 21 '12 at 00:59
  • I am truly visiting different php pages, the AJAX is contained within the pages. session_regenerate_id() didn't fix it - it renamed the ID of the session each time it was called, but still the session data from the first page view was not maintained. It's almost as if it's reading from two different sessions. On the first page view, a session is created and works once (am actually able to use session_id() to grab the ID on the first page view). But then on the next page view it creates a whole new session with a different ID. This second ID is used on every page from that point on. – unsunghero Jan 21 '12 at 19:00
  • you should really provide your session code – Luca Filosofi Jan 21 '12 at 22:33
  • Just updated the question to include the session code – unsunghero Jan 23 '12 at 13:08
  • I've come to realize that the problem is that the browser is recognizing mydomain.com and www.mydomain.com as separate domains. Due to this, it is recording two separate sessions. Anyone know of a solution to treating them as one domain without having to redirect www.mydomain.com to mydomain.com or vice versa? – unsunghero Jan 23 '12 at 19:21

3 Answers

Have you checked that there is no output before your call to session_start()? (Not even a white-space character!).

HTTP headers cannot be sent after any output has been flushed so that could be causing the attempt to tell the client the initial session cookie to fail.

Jonathan Williamson

Are you switching between http: and https: ? They are sometimes treated as two separate domains, and a key may not be shared between them.

dar7yl
  • The two pages I am switching between are both http://. I switch to https:// when I get to the checkout page, but the session gets lost between the two http:// pages. – unsunghero Jan 23 '12 at 13:10
Turns out it was recognizing mydomain.com and www.mydomain.com as separate sessions and was storing 2 cookies with 2 different PHPSESSIDs.

I added this to my .htaccess file to always redirect mydomain.com/shop to www.mydomain.com/shop for both http and https.

```apache
RewriteEngine On

#force http://www. to make sure SESSION data is always the same
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^www\.
RewriteCond %{REQUEST_URI} shop
RewriteRule ^(.*)$ http://www.mydomain.com/shop/$1 [R,L]

#force https://www. to make sure SESSION data is always the same
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.
RewriteCond %{REQUEST_URI} shop
RewriteRule ^(.*)$ https://www.mydomain.com/shop/$1 [R,L]
```

unsunghero
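
Why the first page view ended up in a different session, as an added example (not code from the posters): a simplified model of RFC 6265 cookie matching, in which a `PHPSESSID` cookie set without a `Domain` attribute is host-only. It also shows the trade-off of the alternative asked about in the comments, scoping the cookie to the parent domain (in PHP, the `session.cookie_domain` setting): the session cookie is then sent to every subdomain. `blog.mydomain.com`, `other.example` and the `sess-N` ids are constructed for illustration, and path, `Secure` and public-suffix checks are left out.

```javascript
// Constructed model of RFC 6265 cookie scoping; hostnames follow the question,
// blog.mydomain.com is a hypothetical sibling subdomain.
function domainMatch(host, domain) {
  // RFC 6265 section 5.1.3: identical, or host ends with "." + domain.
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }
  // setBy: host that sent Set-Cookie; domainAttr: Domain= value, or null.
  store(setBy, name, value, domainAttr = null) {
    let domain = setBy, hostOnly = true;
    if (domainAttr) {
      domain = domainAttr.replace(/^\./, "").toLowerCase();
      // A host may only set cookies for itself or a parent domain.
      if (!domainMatch(setBy, domain)) return false;
      hostOnly = false;
    }
    this.cookies.push({ name, value, domain, hostOnly });
    return true;
  }
  // Cookies the browser attaches to a request for `host`.
  cookiesFor(host) {
    return this.cookies
      .filter(c => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
      .map(c => `${c.name}=${c.value}`);
  }
}

// Server side: reuse the session id that arrives, else issue a new one.
function visit(jar, host, domainAttr = null) {
  const sent = jar.cookiesFor(host).find(c => c.startsWith("PHPSESSID="));
  if (sent) return sent.split("=")[1];
  const id = "sess-" + (jar.cookies.length + 1); // constructed session id
  jar.store(host, "PHPSESSID", id, domainAttr);
  return id;
}

// Session ids seen on three page views, then cookies sent to the sibling host.
function demo(domainAttr) {
  const jar = new CookieJar();
  const ids = ["mydomain.com", "www.mydomain.com", "www.mydomain.com"]
    .map(host => visit(jar, host, domainAttr));
  return { ids, sentToSibling: jar.cookiesFor("blog.mydomain.com").length };
}

console.log(demo(null), demo("mydomain.com"));
```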