Maxwell S

Reputation: 145

PHP session_start doesn't work

My issue is that, when I use session_start(); in my PHP code, instead of a PHPSESSID cookie being set, a cookie with a blank title and the value "HttpOnly" is set instead. Using var_dump($_SESSION), I see that I can set session variables and they'll display on the page, but they won't display on any other page. For what it's worth, the two pages are at login.domain.com/index.php and login.domain.com/login. The same code works fine locally, and other PHP files running on different subdomains on the same server work. I can't find any info, so if anyone has any ideas, I'd love to hear them.

This is the PHP on index.php:

    <?php
        session_start();
    ?>

And this is the PHP on login/login.php:

    <?php
    session_start();
    $role = 0;             // default to "guest"
    $was_success = false;  // default to a failed login

    // Only proceed when the POSTed credentials are present
    if (isset($_POST["user"]) && isset($_POST["password"])) {
        $pass = password_hash("PASSWORD", PASSWORD_DEFAULT);

        // The login page must have set a destination cookie first
        if (!isset($_COOKIE["mellifluous_loginRefer"])) {
            $arr = array("Username" => $_POST["user"],
                         "Error"    => "No destination set!",
                         "Success"  => false
            );
            die(json_encode($arr));
        }

        if (password_verify($_POST["password"], $pass) && ($_POST["user"] == "USER")) {
            $was_success = true;
            if ($_COOKIE['mellifluous_loginRefer'] == "home") {
                $_SESSION['mellifluous']['home']['username'] = $_POST['user'];
            }
        } else {
            $was_success = false;
        }
        $arr = array("Username" => $_POST["user"],
                     "Role"     => $role,
                     "Success"  => $was_success
        );
        // Clear the destination cookie once the login has succeeded
        if ($was_success) setcookie("mellifluous_loginRefer", "", time() - 10, "/");
        echo(json_encode($arr));
        //echo "You sent in: ";//Username: " . $_POST["user"] . " Password: ";//. $password;
    }
    else if (isset($_GET["user"]) && isset($_GET["password"])) {
        die("This interface has been deprecated.");
        //$pass = password_hash($_POST["password"], PASSWORD_DEFAULT);
        $arr = array("Username" => $_GET["user"]);
        echo(json_encode($arr));
        //echo "You sent in: ";//Username: " . $_POST["user"] . " Password: ";//. $password;
    }
    else {
        die("ERROR!");
    }
    ?>

Many thanks in advance!

Upvotes: 1

Views: 2393

Answers (3)

florent-amo

Reputation: 51

I can't reply to the two previous answers, but actually you shouldn't do that.

session.use_only_cookies is a security feature; it prevents attacks using the session identifier inside the URL. See the PHP docs for more information.

    Header set Set-Cookie HttpOnly;Secure
    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
    Header always edit Set-Cookie (.*) "$1; Secure"

About this part, HttpOnly is required; it prevents the cookie from being stolen by an XSS attack. In fact, with JavaScript, by default it's possible to show the PHPSESSID value. This feature does not provide the value to the requesting source if it is not HTTP. Not sure if I'm being clear; see the OWASP recommendation for more information.

Concerning the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted through a secure channel (HTTPS). See the OWASP recommendation for this feature.

Upvotes: 0

Maxwell S

Reputation: 145

I figured it out. I had some weird cookie settings in my apache2 conf file for that site that looked weird/out of place:

    Header set Set-Cookie HttpOnly;Secure
    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
    Header always edit Set-Cookie (.*) "$1; Secure"

Once I removed those lines, things worked fine.

Upvotes: 0
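The removed Apache lines were meant to add HttpOnly and Secure to every cookie, but "Header set Set-Cookie HttpOnly;Secure" replaces any Set-Cookie header PHP has already emitted with that literal value, so the PHPSESSID cookie never reaches the browser. The session cookie can carry those flags itself; this added example (not code from the question or any answer; it assumes PHP 7.3+ for the array form of session_set_cookie_params and uses a constructed sample session id) configures them before session_start() and includes a small parser showing how a browser reads the broken header versus a correct one.

```php
<?php
// Added example (not from the question or the answers): put HttpOnly/Secure on the
// PHP session cookie itself instead of rewriting every Set-Cookie header in Apache.
declare(strict_types=1);

function configureSessionCookie(): void
{
    // Must run before session_start(); affects only the session cookie, so other
    // cookies such as mellifluous_loginRefer keep whatever flags setcookie() gives them.
    session_set_cookie_params([
        'lifetime' => 0,      // expires when the browser closes
        'path'     => '/',    // shared by /index.php and /login/login.php
        'domain'   => '',     // host-only cookie for the serving host (e.g. login.domain.com)
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // hidden from document.cookie
        'samesite' => 'Lax',
    ]);
}

/**
 * Split a Set-Cookie header value the way a browser does (RFC 6265 section 5.2):
 * the text before the first ';' is the name=value pair, the rest are attributes.
 * A pair with no '=' yields an empty name and the whole token as the value.
 */
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    $pair  = array_shift($parts);
    $eq    = strpos($pair, '=');
    $name  = ($eq === false) ? '' : substr($pair, 0, $eq);
    $value = ($eq === false) ? $pair : substr($pair, $eq + 1);
    return ['name' => $name, 'value' => $value, 'attrs' => $parts];
}

// "Header set Set-Cookie HttpOnly;Secure" replaces PHP's header with this literal value;
// with no '=' in the first token the browser stores an empty name, which is the
// blank-titled cookie described in the question.
$broken = parseSetCookie('HttpOnly;Secure');
printf("broken: name='%s' value='%s'\n", $broken['name'], $broken['value']);

// What PHP emits after configureSessionCookie() + session_start() (constructed sample id):
$good = parseSetCookie('PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Lax');
printf("good:   name='%s' value='%s' attrs=%s\n",
       $good['name'], $good['value'], implode(',', $good['attrs']));

if (PHP_SAPI !== 'cli') {       // in a web request, actually start the hardened session
    configureSessionCookie();
    session_start();
}
```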

Gayan

Reputation: 2935

Check the values assigned to session.use_cookies and session.use_only_cookies in the php.ini file on your server.

You need to set the value of session.use_cookies and session.use_only_cookies in php.ini:

    session.use_cookies=1
    session.use_only_cookies=0

Upvotes: 1
