Reputation: 707
Why aren't my session variables working cross site?
I'm obviously setting them in my code, or else logging in as an admin wouldn't redirect to the admin page.
If anyone has suggestions as to what the issue is, why the $_SESSION vars aren't saving, etc., I would be grateful.
Using IIS 7 and FastCGI, php.ini is at default values.
Code Example:
<?php session_start();
/* Include database config file. */
include("db_config.php");
/* If POST request do code. */
if ($_SERVER['REQUEST_METHOD']=='POST')
{
    /* Set variables for form fields. */
    $username=$_POST["username"];
    $password=$_POST["password"];
    /* Queries on login. */
    $query_params=array($username,$password);
    $query="SELECT * FROM users WHERE username=? AND password=?";
    $qresults=sqlsrv_query($dbconnect,$query,$query_params);
    $permission_q="SELECT permission FROM users WHERE username=? AND password=?";
    $permission_qr=sqlsrv_query($dbconnect,$permission_q,$query_params);
    $firstname_q="SELECT firstname FROM users WHERE username=? AND password=?";
    $firstname_qr=sqlsrv_query($dbconnect,$firstname_q,$query_params);
    $lastname_q="SELECT lastname FROM users WHERE username=? AND password=?";
    $lastname_qr=sqlsrv_query($dbconnect,$lastname_q,$query_params);
    /* If any queries fail then kill script. */
    if(sqlsrv_fetch($firstname_qr)===false)
    {
        die("Firstname couldn't be verified, terminated connection.");
    }
    $firstname=sqlsrv_get_field($firstname_qr,0);
    if(sqlsrv_fetch($lastname_qr)===false)
    {
        die("Lastname couldn't be verified, terminated connection.");
    }
    $lastname=sqlsrv_get_field($lastname_qr,0);
    if(sqlsrv_fetch($permission_qr)===false)
    {
        die("Permissions could not be verified, terminating connection.");
    }
    $permissions=sqlsrv_get_field($permission_qr,0);
    /* If the username and password query results exist then do code. */
    /* sqlsrv_query() returns false on failure, so test for that; isset() is true even for false. */
    if($qresults!==false)
    {
        /* Number of rows is fetch array of username and pass results. */
        $num_rows=sqlsrv_fetch_array($qresults,SQLSRV_FETCH_NUMERIC);
        /* If rows is not null or is set then do code. */
        if($num_rows!=null)
        {
            $_SESSION['username']=$username;
            $_SESSION['firstname']=$firstname;
            $_SESSION['lastname']=$lastname;
            $_SESSION['permissions']=$permissions;
            /* If permissions is equivalent to admin send to admin page. */
            if($_SESSION['permissions']==="admin")
            {
                session_write_close();
                echo '<meta http-equiv="refresh" content="0; url=./content/admin_dash.php">';
                die();
                //endif
            }
            else
            {
                session_write_close();
                echo '<meta http-equiv="refresh" content="0; url=./content/user_dash.php">';
                die();
                //endelse
            }
            //endif
        }
        else
        {
            //elseif num_rows not true
            echo "Invalid Login.<br/>Your credentials did not match or there was an error.<br/>";
            $_SESSION['username'] = '';
            if(sqlsrv_errors(SQLSRV_ERR_ALL)==null)
            {
                echo "No errors detected.";
                //endif
            }
            else
            {
                echo "Errors detected:<br/>";
                print_r( sqlsrv_errors(SQLSRV_ERR_ALL));
                //endelse
            }
            //endelse
        }
        //endif
    }
    else
    {
        die("Error with query. Contact your system admin.");
        //endelse
    }
    //endif
}
else
{
    die("Request was not POST. Please use login page.");
    //endelse
}
?>
Upvotes: 0
Views: 261
Reputation: 707
I found the issue: the C:\Windows\Temp folder permissions hadn't been set to accept from the IIS_IUSRS user, thus preventing IIS from saving anything in the Temp folder, including sessions.
Upvotes: 0
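A way to confirm the cause described in the answer above, as an added example that is not part of the original thread: the script checks that the PHP worker process can really write to the session save path and shows whether a value survives between requests. It assumes PHP 7 or later; the function names effective_session_dir and check_session_dir are hypothetical.

```php
<?php
/* Return the directory the "files" session handler will use. */
function effective_session_dir(): string
{
    $path = session_save_path();            // value of session.save_path
    if ($path === false || $path === '') {
        return sys_get_temp_dir();          // empty setting: system temp dir is used
    }
    /* The setting may be "N;/path" or "N;MODE;/path"; the path is the last part. */
    $parts = explode(';', $path);
    return end($parts);
}

/* Return a list of problems; an empty list means the directory is usable. */
function check_session_dir(string $dir): array
{
    if (!is_dir($dir)) {
        return ["'$dir' does not exist or is not a directory"];
    }
    /* Attempt a real write as the worker identity instead of trusting is_writable(). */
    $probe = $dir . DIRECTORY_SEPARATOR . 'sess_probe_' . bin2hex(random_bytes(8));
    if (@file_put_contents($probe, 'probe') === false) {
        return ["cannot create files in '$dir' as the account running PHP"];
    }
    $problems = [];
    if (@file_get_contents($probe) !== 'probe') {
        $problems[] = "created a file in '$dir' but could not read it back";
    }
    if (!@unlink($probe)) {
        $problems[] = "could not delete the probe file in '$dir'";
    }
    return $problems;
}

header('Content-Type: text/plain');         // sent before any warning output
$dir = effective_session_dir();
$problems = session_module_name() === 'files' ? check_session_dir($dir) : [];

session_start();
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;

echo "Session handler: ", session_module_name(), "\n";
echo "Save path: $dir\n";
echo $problems ? "Problems:\n - " . implode("\n - ", $problems) . "\n"
               : "Save path is writable.\n";
echo "Hits in this session: {$_SESSION['hits']} (reload; the number should increase)\n";
```

Delete the script from the server once the check is done, since its output discloses the session directory.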
Reputation: 1241
As previously mentioned, the session cookie only stores the session ID.
If you want to save to a cookie with custom content, see this post: http://davidwalsh.name/php-cookies
Upvotes: 0
Reputation: 60017
The cookie just enables PHP to look up the session variables that are stored on your web server (either as a file or in a database). It adds extra security as people cannot sniff the data values and also does not require cookies to become very long.
Upvotes: 0
Reputation: 359966
Because that's not how sessions (typically) work. A session cookie stores just a session ID. The actual information in the session is only stored on the server.
Upvotes: 3