altereg0

Reputation: 153

PHP Session ID changing on every request

I have just migrated my application from a local WAMP to the actual online server. This has caused trouble with the session ID not being saved as it appears.

These are my session settings:

Directive                         Local Value   Master Value
session.auto_start                Off           Off
session.bug_compat_42             Off           Off
session.bug_compat_warn           On            On
session.cache_expire              180           180
session.cache_limiter             nocache       nocache
session.cookie_domain             no value      no value
session.cookie_httponly           Off           Off
session.cookie_lifetime           0             0
session.cookie_path               /             /
session.cookie_secure             Off           Off
session.entropy_file              no value      no value
session.entropy_length            0             0
session.gc_divisor                1000          1000
session.gc_maxlifetime            1440          1440
session.gc_probability            1             1
session.hash_bits_per_character   5             5
session.hash_function             0             0
session.name                      PHPSESSID     PHPSESSID
session.referer_check             no value      no value
session.save_handler              files         files
session.save_path                 /tmp          /tmp
session.serialize_handler         php           php
session.use_cookies               On            On
session.use_only_cookies          On            On
session.use_trans_sid             0             0

Upvotes: 11

Views: 32012

Answers (7)

David Prieto

Reputation: 2289

I just had and solved the exact same problem.

It turns out that the cookie PHPSESSID (that keeps record of the session) was being sent but it was ignored by the server, so the session was not maintained and the server restarted the session every time the page reloads or changes.

The problem was that I had in my wp-config.php this line:

@ini_set('session.cookie_secure','On');

This means that if the connection is not secure, every cookie is to be ignored; therefore the server ignored the PHPSESSID cookie and the session was restarted.

Check your wp-config.php or your init.php. It is a problem with cookies.

Upvotes: 19

Ogrodnik

Reputation: 21

It might be caused by three characters (BOM (Byte Order Mark)) that are injected by certain programs (i.e. Dreamweaver, Notepad) before the <?php marker, therefore the session is in fact not initialized.

If you have error_reporting enabled, you will see "headers already sent".

Check your file with a hex editor to see if your editor injected any characters.

Upvotes: 2

raoulsson

Reputation: 16345

Only use alphanumeric characters as Session ID. I had this problem when using "." as part of the Session ID.

Upvotes: 4

Thomas Urban

Reputation: 5061

The question is old and the initial issue has been solved for sure. However, the previous answers didn't help in that situation, eventually. So, if anyone's encountering a similar issue as I did, here is another approach:

Sessions are managed using a cookie, usually called PHPSESSID. If that cookie isn't declared properly and thus fails to be included with succeeding requests of the user, another session is started on every request, resulting in a situation at least similar to yours.

I was trying to implement an application running behind some reverse proxy mapping public URLs to multiple applications, e.g.

http://public.example.com/foo/bar/script.php

was delegated to some server behind reverse proxy provided as

http://foo.example.com/bar/script.php

For PHP running in the context of foo.example.com with path prefix /bar rather than /foo/bar, setting parameters of the session cookie PHPSESSID might cause issues when passed to the customer unadjusted. This observation was true in my case, at least.

Upvotes: 3
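
The causes named in the answers above (a Secure cookie on a plain-HTTP request, output sent before session_start(), characters outside the allowed session ID set, and a cookie path that does not cover the public URL behind a reverse proxy) can be checked in one place. This is an added example, not code from any of the answers; the function name session_cookie_findings() and the $publicPath parameter are assumptions made for illustration, and the array form of the cookie parameters assumes a current PHP version.

```php
<?php
// Added example: lists reasons the browser may not return the session cookie.
// session_cookie_findings() and $publicPath are hypothetical names.
function session_cookie_findings(array $server, array $cookies, string $publicPath): array
{
    $findings = [];
    $name     = session_name();
    $params   = session_get_cookie_params();   // path, domain, secure, httponly

    // 1. A Secure cookie is never sent back over plain HTTP. TLS that ends
    //    at a proxy is not visible in HTTPS here.
    $https = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    if ($params['secure'] && !$https) {
        $findings[] = 'session.cookie_secure is on but the request is not HTTPS';
    }

    // 2. Output before session_start() (a BOM ahead of the opening tag, for
    //    instance) means the Set-Cookie header can no longer be emitted.
    if (headers_sent($file, $line)) {
        $findings[] = "headers already sent by $file:$line";
    }

    // 3. RFC 6265 path match against the path the browser requests, which
    //    behind a reverse proxy differs from the path the backend sees.
    $path   = $params['path'] !== '' ? $params['path'] : '/';
    $prefix = strncmp($publicPath, $path, strlen($path)) === 0;
    $edge   = substr($path, -1) === '/' || substr($publicPath, strlen($path), 1) === '/';
    if ($publicPath !== $path && !($prefix && $edge)) {
        $findings[] = "cookie path $path does not cover public path $publicPath";
    }

    // 4. The files save handler accepts only a-z, A-Z, 0-9, "," and "-".
    if (!isset($cookies[$name])) {
        $findings[] = "no $name cookie in request (normal on a first visit only)";
    } elseif (!is_string($cookies[$name]) || !preg_match('/^[A-Za-z0-9,-]+$/', $cookies[$name])) {
        $findings[] = "$name value contains characters outside a-z A-Z 0-9 , -";
    }
    return $findings;
}

// Run before session_start(). '/foo/bar/script.php' is the public path from
// the proxy example above; substitute the path your users actually request.
foreach (session_cookie_findings($_SERVER, $_COOKIE, '/foo/bar/script.php') as $finding) {
    error_log("session check: $finding");
}
```

When the first finding fires, the durable fix is to serve the site over HTTPS and keep the Secure flag, since a session cookie without it travels in clear text.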

Yuvraj Jain

Reputation: 193

You must write session_start(); before accessing any session variables; without it you will not be able to access the session variables.

Try to put session_start() on the very first line of the file.

Upvotes: 4

Matija

Reputation: 2720

You should first start the session to use session_* functions. So the first thing you need to do is:

session_start();

then you can ask for session id like this

$id = session_id();

Note that it's not recommended to save sessions in a public folder that is available to the public, since visitors could find the folder where you save sessions and list all of them. Then they could inject a session cookie into their browser and take control of other visitors' user accounts. If you really need to do this, limit access to your /tmp folder. For example, put an .htaccess file in that folder with this code

Deny from all

Or find any other way to prevent users from browsing your /tmp folder, since this can be a security problem.

If you want to change the session id on every request, for security reasons, you can use the session_regenerate_id function

You would do something like this:

session_start();
session_regenerate_id();
// Do other things you want with sessions.

This way, even if someone steals your session cookie, the session id would be changed on every request. And this could be your problem. There is a way for PHP to regenerate a new session id on every request, so this might be the thing that bothers you.

As far as setting php.ini directives, you should check if your hosting provider allowed you to change the .ini directive you are trying to change. It depends on the server setup whether you can change an .ini directive or not. And the way sessions behave can be different from hosting to hosting, depending on how their server is set up. Most of the things can be changed using PHP functions or using ini_set with this list of directives: php.ini directives

Upvotes: 2
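
One way to keep session files out of a shared directory such as /tmp, shown as an added example that is not part of the answer above. It stores sessions in an owner-only directory, turns on strict mode, and regenerates the ID at login; the directory /var/lib/myapp/sessions and both function names are assumptions, and the directory must be writable by the account PHP runs as.

```php
<?php
// Added example; SESSION_DIR and both function names are hypothetical.
const SESSION_DIR = '/var/lib/myapp/sessions';   // assumed: outside the web root

function start_private_session(string $dir = SESSION_DIR): void
{
    // Owner-only directory: session files are named after the session ID, so
    // anyone who can list the directory can read out valid IDs.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    clearstatcache(true, $dir);
    $mode = fileperms($dir) & 0777;
    if ($mode & 0077) {
        throw new RuntimeException(sprintf('%s has mode %04o, expected 0700', $dir, $mode));
    }

    ini_set('session.save_path', $dir);
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued
    ini_set('session.cookie_httponly', '1');   // keep the ID away from page scripts
    session_start();
}

function mark_logged_in(int $userId): void
{
    // Regenerate at the privilege change and delete the old session data, so
    // an ID seen or planted before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Call on every request; call mark_logged_in($id) only after the
// application has verified the user's credentials.
start_private_session();
```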

strmstn

Reputation: 872

session_start should be the first thing in your file, you can get the session id afterwards:

session_start();
$sId = session_id();

Upvotes: 3
