Karem

Reputation: 18103

Why does the session id change when requesting through ajax in php?

I'm logged in on Banana.com. Banana has an API link on /app/ajax_loggedin.

My website is Monkey. Monkey runs a simple JSON GET request to Banana's /app/ajax_loggedin, which returns a loggedin value of either 1 or 0.

Why is it always returning 0 when it's through AJAX, even though I really am logged in on Banana, and accessing the link directly gives me 1? How can the developer at Banana fix it?

I would have understood it if it were a server-side call, but I don't understand why it won't tell me if I'm logged in when Banana makes the request. Running a session_id() check, it generates a new one on each call through AJAX, whereas when accessing it directly it works just fine and keeps the same one.

Is there any fix or another way to do this?

Upvotes: 21

Views: 7054

Answers (5)

ekerner

Reputation: 5840

Something in the origin code, and/or in the AJAX code, is setting the session save handler. So for example your origin may be saving sessions to a database while the AJAX script is saving sessions to a file.

Here is the php manual: http://php.net/manual/en/class.sessionhandler.php

Upvotes: 0

Varshaan

Reputation: 593

Instead of calling the API and checking if the session is active: the session id is stored in the cookie if the config file specifies where to store it, or you can actually check whether the session id is set using the following code after

<?php
session_start();
$session_id = session_id();
if (isset($_SESSION[$session_id])) {
    // a $_SESSION entry keyed by the session id exists: treat the session as active
}

Upvotes: 2

Sherif

Reputation: 11943

There's actually not enough information to definitively answer this question. However, here's what we can tell based on this information.

If you're using the standard PHP session handler the session cookie will have a domain associated with it (which if not configured in php.ini or in your code will likely just be the domain the script was first called from). So for example, if you call a script that invokes session_start() from the domain www.stackoverflow.com and another script on chat.stackoverflow.com starts a session it will not have access to the cookie with the domain www.stackoverflow.com and thus will begin a new session.

Domains in the cookie header can bubble up, but not down. So if you want your session cookie to have access to all subdomains of Banana.com you must be sure to set the domain parameter correctly in each session initialization request with that domain.

See session_set_cookie_params and session_get_cookie_params for more details...

The domain that the cookie is available to. Setting the domain to 'www.example.com' will make the cookie available in the www subdomain and higher subdomains. Cookies available to a lower domain, such as 'example.com' will be available to higher subdomains, such as 'www.example.com'. Older browsers still implementing the deprecated RFC 2109 may require a leading . to match all subdomains.

Additionally, you should note that cookies sent with the secure or http_only parameter set to true will not be readable over insecure or JavaScript initiated connections such as in the case of Ajax.

Upvotes: 6

Machavity

Reputation: 31634

The reasons why you would get a new session ID are:

  • You cleared the session ID cookie (typically named PHPSESSID)
  • You visited a page that called session_regenerate_id() (unlikely)
  • Your session hit the max lifetime and was garbage collected. This is a distinct possibility if banana.com has a lot of visitors, because garbage is collected randomly when PHP is invoked
  • session_id() was invoked with a different session

So what to do?

  • Check out the session files on the server. They're simple text so you can open them and see what's inside. Make sure your session exists.
  • Check php.ini for a short session lifetime.
  • Load sessions into something else and see if it continues. Using a MySQL/memcached system with a custom session handler could reveal issues.

Upvotes: 4

Cohan

Reputation: 4544

Every point of entry or call to the server (APIs) needs to have session_start() at the beginning. If it does not read in the session identifier, it will act as if there wasn't one and then return a new session identifier. When your browser gets the response, it will overwrite the session identifier with the new one. Make sure that you have session_start() at the top of all places where you make a call to the server so that it knows what session to use.

Upvotes: 8
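A possible shape for Banana's /app/ajax_loggedin endpoint that follows Sherif's advice (set the cookie domain explicitly and identically everywhere) and Cohan's advice (call session_start() at every entry point). This is an added example, not code from the question or any answer; it assumes the login flow stores $_SESSION['user_id'] on success and that the site is served over HTTPS on banana.com and its subdomains.

```php
<?php
// Added example (not from the question or any answer). Assumptions: the
// login script sets $_SESSION['user_id'], and banana.com is served over HTTPS.
declare(strict_types=1);

// Set the cookie parameters BEFORE session_start(), and identically in every
// script that starts a session, so www.banana.com and app.banana.com share one
// PHPSESSID cookie instead of each minting its own (array form: PHP >= 7.3).
session_set_cookie_params([
    'lifetime' => 0,            // browser-session cookie
    'path'     => '/',
    'domain'   => 'banana.com', // parent domain, so all subdomains see it
    'secure'   => true,         // only sent over HTTPS
    'httponly' => true,         // not readable from document.cookie
]);

// Every entry point must call session_start(); without it PHP never reads the
// incoming cookie and the request is handled like an anonymous visitor.
session_start();

$loggedIn = isset($_SESSION['user_id']) ? 1 : 0;

// Log the id this request saw so it can be compared with the id seen on a
// direct visit: a different id on every AJAX call means the cookie never
// arrived (domain/path/secure mismatch, or a cross-site request that the
// browser sent without credentials).
error_log(sprintf('ajax_loggedin: session_id=%s loggedin=%d', session_id(), $loggedIn));

header('Content-Type: application/json');
echo json_encode(['loggedin' => $loggedIn]);
```

Compare the session_id values logged by a direct visit and by the AJAX call: if they match, the endpoint is fine and the difference lies in how the request was sent.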
