user5735796

Session showing abrupt behavior

My php session is showing an aberrant behavior. Situation:

Here is how I start the session:

if(!$this->session_manager_issession_set()) {
    $this->set_ini_config();
    session_name($this->session_manager_name);
    session_set_cookie_params($this->session_cookie_life, "/"); //Required for browser cookie cleanup
}

session_start();

if(empty($_SESSION)) {
    $output['status']   =   false;
}
else {
    // Fetch the variables
}

public function session_manager_issession_set(){
    $output =   true;

    $session_status =   session_status();
    switch($session_status){
        case PHP_SESSION_ACTIVE :
            break;
        default:
            $output =   false;
    }

    return $output;
}

private function set_ini_config(){
    $output =   true;

    ini_set('session.gc_probability', 1);   //If session expires then ensure that session is flushed and cleared at all instances
    ini_set('session.gc_divisor', 100);     //If session expires then ensure that session is flushed and cleared at all instances

    ini_set('session.gc_maxlifetime', 7*24*60*60);  //Max life of session cookie
    ini_set('session.cookie_secure', true);

    return $output;
}

What could be the reason for this? Have I implemented the session in an incorrect manner?

Upvotes: 10

Views: 249

Answers (5)

symcbean

Reputation: 48357

Rafael is correct in saying that you should try to recreate and solve the problem with a simpler code base. You should also be instrumenting your code to find out what cookies are being returned by the browser.

Have I implemented the session in an incorrect manner?

Yes.

The code is difficult to read, uses a switch statement inappropriately, overrides the system config for no good reason, and many other odd things. Not least is that it is a particularly unusual use case where you should require a session to be active for so long (a "remember me" capability is very different from a session). Once you've licked the session persistence problem you might want to read some PHP style standards and visit codereview.stackexchange.com

Upvotes: 0

Rafael Lambelin

Reputation: 286

Before checking any of your Session checked parameters, start with the basics, like for example start by simply

print_r($_SESSION);

This will simply output the Session variables you have in there; this way you see whether the server remembers the session and its variables.

Next, I think that some of the answers here are on to something: you check whether your session has been started, but you want to check whether a session is still alive (not the same thing)...

So if you know that a certain key in the session variable will always exist, then simply check by using:

if(isset($_SESSION['your_key'])) {
// Your code if session has been made already
}

I know this seems like it's simplistic, but hey, returning to the basics in code is not necessarily a bad thing when you're trying to figure out your mistakes :) So try this and if both of the above work for you then you are using some wrong statements that are false even though your Session variables are intact... :)

Upvotes: 1

sanmai

Reputation: 30881

First of all your function session_manager_issession_set() basically checks if session isn't started (session_status() != PHP_SESSION_ACTIVE), but then you start session ignoring the fact that the session could have been running.

If a session name is important for you, then you must enforce it:

if ($this->session_manager_issession_set()) {
    // session has already started, but we haven't set a name for it!
    throw new Exception("Session started prematurely");
}

// all fine, session isn't running; continue with setup
$this->set_ini_config();
session_name($this->session_manager_name);
session_set_cookie_params($this->session_cookie_life, "/");
// and finally start the session
session_start();

Since session.name sets a name for a cookie to store session ID, and you use a non-default name for it, my guess is that something starts a session before you do, therefore you can't see the data associated with the session you, by luck, started before.

The other option is to keep all the code, and remove only one line with

session_name($this->session_manager_name); 

If it helps, then I must be right.

Upvotes: 1

pocketrocket

Reputation: 386

Please read about session.cookie_secure in the php.net manual.

This binds your session cookie to a secured (so https) connection only, resulting in session loss when switching from https to http.

Upvotes: 0
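
A diagnostic for the two causes raised in the answers above (the Secure cookie flag on a plain-HTTP request, and a session started before session_name() was applied), added here as an example and not code from any of the answerers. The function name diagnose_session_cookie, the cookie name app_session and the sample requests are assumptions made up for illustration.

```php
<?php
// Added example: names and sample data below are constructed, not from the question.

/**
 * Explain why the expected session cookie may be missing from a request.
 *
 * @param array  $server       $_SERVER-like array
 * @param array  $cookies      $_COOKIE-like array
 * @param string $expectedName the name the application passes to session_name()
 * @param bool   $cookieSecure the effective value of session.cookie_secure
 * @return string[] human-readable findings (empty when the cookie arrived)
 */
function diagnose_session_cookie(array $server, array $cookies, string $expectedName, bool $cookieSecure): array
{
    $findings = [];
    // $_SERVER['HTTPS'] is non-empty on HTTPS requests; some servers set 'off' for HTTP.
    $https = !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';

    if ($cookieSecure && !$https) {
        $findings[] = 'session.cookie_secure is on but the request is plain HTTP: '
            . 'the browser withholds the cookie, so session_start() opens a new empty session';
    }
    if (!isset($cookies[$expectedName])) {
        $findings[] = "cookie '$expectedName' was not sent by the browser";
        $default = 'PHPSESSID'; // PHP's default session.name
        if ($expectedName !== $default && isset($cookies[$default])) {
            $findings[] = "cookie '$default' is present: a session was started "
                . 'before session_name() was applied';
        }
    }
    return $findings;
}

// Constructed sample requests: [$_SERVER-like, $_COOKIE-like].
$samples = [
    'http page, no cookie'       => [['HTTPS' => ''],   []],
    'https page, default cookie' => [['HTTPS' => 'on'], ['PHPSESSID' => 'constructed-id']],
    'https page, named cookie'   => [['HTTPS' => 'on'], ['app_session' => 'constructed-id']],
];

foreach ($samples as $label => [$server, $cookies]) {
    $findings = diagnose_session_cookie($server, $cookies, 'app_session', true);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'session cookie received', PHP_EOL;
}
```

In a live application, call it with $_SERVER, $_COOKIE, the configured session name and ini_get('session.cookie_secure') before session_start(), and write the findings to the error log rather than the response.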

Webeng

Reputation: 7113

As you mentioned in your question and in the comments, the user is not only moving to a different domain, but to a different server altogether (hence the change from http to https makes more sense to us readers). $_SESSION is a superglobal that is saved on the server, hence changing servers is the most likely reason why your $_SESSION value is being destroyed.

IN FACT, it might still exist, but since you are trying to access it from a different server, the server can't find it and hence lead you (or the server) to believe it was destroyed (since it is living on the original server that started the session). This would explain why it sometimes works and sometimes doesn't, since you could be switching between servers and sometimes you get lucky and are on the same server which created the session in the first place.

Upvotes: 0
