php session lost after redirect - tried all things from google and stackoverflow

Question

I have a process_form page like this :

<?php
    include_once 'includes/db_connect.php';
    include_once 'includes/functions.php';
    sec_session_start(); // Our custom secure way of starting a PHP session.
    if (isset($_POST['email'], $_POST['p'])) {
        $email = $_POST['email'];
        $password = $_POST['p']; // The hashed password.  
        if (login($email, $password, $mysqli) == true) {
            // Login success
            header('Location: test.php');
            die();
        } else {
            // Login failed 
            header('Location: login.php?error=1');
            exit;
       }
   } else {
         // The correct POST variables were not sent to this page. 
         echo 'Invalid Request';
  }

 ?>

If i do a print_r($_SESSION) after //Login success i have all $_SESSION OK. After redirect it's gone. I have tried almost all (put exit; exit(); die(); after header() and still nothing .

My test php page :

<?php
include_once 'includes/functions.php';
sec_session_start();
print_r($_SESSION); 

and the sec_session_start() function :

function sec_session_start() {
    $session_name = 'sec_session_id';   // Set a custom session name
    $secure = true;
    // This stops JavaScript being able to access the session id.
    $httponly = true;
    // Forces sessions to only use cookies.
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
        exit();
    }
    // Gets current cookies params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
        $cookieParams["path"], 
        $cookieParams["domain"], 
        $secure,
        $httponly);
    // Sets the session name to the one set above.
    session_name($session_name);
    session_start();            // Start the PHP session 
    session_regenerate_id(true);    // regenerated the session, delete the old one. 
}

I set $_SESSION parameters in login function

I dont know what to do to debug this .

php.ini SESSION parameters :

session.save_path="C:\xampp\tmp"
session.use_strict_mode=0
session.use_cookies=1
session.use_only_cookies=1
session.name=PHPSESSID
session.cookie_lifetime=0
session.cookie_path=/
session.cache_expire=180
session.save_handler=files

After removing line by line from the sec_session_start() I made it work by removing this :

$cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
        $cookieParams["path"], 
        $cookieParams["domain"], 
        **$secure**,
        $httponly);

Now i can receive $_SESSION variable in test.php .

Update #2 : just setting $secure = false is working .

Answer 1

I know this code from here @ WiKiHow.

Just comment out this line:

session_name($session_name);

and it will work. I'm not pro, so I'm not sure this is the best way to solve the problem but, you can get more info here @ GitHub.

"Acording to this marc.info/?l=php-doc-bugs&m=120303453328364&w=2 you cannot set session name via session_name($session_name) if it's set using php_admin_value in 'httpd.conf' (it's feature not bug). It happens on shared hosting accounts."

Answer 2

Actually i figure it out . I was the $secure = true options that forced sessions only over secure connections .

Answer 3

You won't need this line:

session_regenerate_id(true);

This line will regenerate new ID which will overwrite the existing one.

session_regenerate_id() will replace the current session id with a new one, and keep the current session information.

Source: http://php.net/manual/en/function.session-regenerate-id.php

Answer 4

Remove this line:

//session_regenerate_id(true); // regenerated the session, delete the old one.

As in the comment written, this line will delete the old session and regenerate a new one.

http://php.net/manual/en/function.session-regenerate-id.php

Answer 5

Problem is this

session_regenerate_id(true);    // regenerated the session, delete the old one.

Remove this line it always generating new id and removes old one.