PHP - Session ID changing when using session.use_trans_sid

Question

I have developed a PHP web application that used cookie-based sessions and it was all working fine - until I realised that it won't work in browsers that have third party cookies disabled (because the script is going to be loaded in an iframe on another website/domain).

So I decided to switch over to URL-based sessions (which I presume will be safe as, because the script is in an iframe, there will be no visible URL for the user to share or bookmark, etc.).

However, for some reason, since I switched to domain-based sessions, each page in my web application is using a different session ID.

Here's my code...

ini_set("session.use_cookies", 0);
ini_set("session.use_only_cookies", 0);
ini_set("session.use_trans_sid", 1);
ini_set("session.cache_limiter", "");
session_start();
echo "<p>Session ID: " . session_id() . "</p>"; // Test output

...which is the very first thing to be called on each page (with no previous output that I'm aware of).

The first page in my web app contains a form and I see that the required hidden session ID input is automatically added to it by PHP:

<input type="hidden" name="PHPSESSID" value="m4jbeec47uplnf95ue2h244a02" />

But the session ID reported by the next page (that the form submits to) is

Session ID: iiovfkrf3hesj1um5orasv7it6

Also, when I load the first page using https:// (instead of http://), submitting the form results in the same page being reloaded (rather than the next page being loaded).

What I've already tried:

ini_set("session.cookie_secure", 0);

and

ini_set("session.cookie_secure", 1);

and

ini_set('session.gc_maxlifetime', 30 * 60); // expires in 30 minutes

and (at the end of the script)

session_write_close();

and removing

ini_set("session.cache_limiter", "");

From phpinfo():

session.auto_start  Off Off
session.cache_expire    180 180
session.cache_limiter   nocache nocache
session.cookie_domain   no value    no value
session.cookie_httponly Off Off
session.cookie_lifetime 0   0
session.cookie_path /   /
session.cookie_secure   Off Off
session.entropy_file    no value    no value
session.entropy_length  0   0
session.gc_divisor  1000    1000
session.gc_maxlifetime  1440    1440
session.gc_probability  1   1
session.hash_bits_per_character 5   5
session.hash_function   0   0
session.name    PHPSESSID   PHPSESSID
session.referer_check   no value    no value
session.save_handler    files   files
session.save_path   /tmp    /tmp
session.serialize_handler   php php
session.upload_progress.cleanup On  On
session.upload_progress.enabled On  On
session.upload_progress.freq    1%  1%
session.upload_progress.min_freq    1   1
session.upload_progress.name    PHP_SESSION_UPLOAD_PROGRESS PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix  upload_progress_    upload_progress_
session.use_cookies On  On
session.use_only_cookies    On  On
session.use_strict_mode Off Off
session.use_trans_sid   0   0

Any ideas?

Answer 1

I think the problem must be due to a bug in my code somewhere. I've created the test script, below, and it works as expected (on the same server):

url-session-test.php

<?php

$page_title = "URL Session Test (v11)";

ini_set("session.use_cookies", 0);
ini_set("session.use_only_cookies", 0);
ini_set("session.use_trans_sid", 1);
//ini_set("session.cache_limiter", "");
ini_set('session.gc_maxlifetime', 30 * 60); // expires in 30 minutes
session_start();
$session_id = session_id();

$is_new_session = !isset($_SESSION["existing"]);
$_SESSION["existing"] = true;
if ($is_new_session) {
    $_SESSION["my_key"] = "MY PRIVATE KEY";
}
$my_session_key = $_SESSION["my_key"];

$timezone = $_SESSION["timezone"];
if ($timezone) {
    date_default_timezone_set($timezone);
}

if ($_POST['PHPSESSID']) {
    $session_id_received = $_POST['PHPSESSID'];
}
else {
    $session_id_received = "";
}

?><!DOCTYPE html>
<html>
    <head>
        <title><?php echo $page_title; ?></title>
    </head>
    <body>
        <h1><?php echo $page_title; ?></h1>
        <p>Is new session: <?php echo $is_new_session; ?></p>
        <p>My session key: <?php echo $my_session_key; ?></p>
        <p>Received session ID: <?php echo $session_id_received; ?></p>
        <p>Actual session ID: <?php echo $session_id; ?></p>
        <form method="POST">
            <input type="submit" value="Click this form submit button to see how if the above session ID is received by the next page" />
        </form>
        <a href="url-session-test.php">Hover over this link to check the session ID parameter</a> 
    </body>
</html>

Will post the actual bug once I've found it...

UPDATE

The problem was that I was using a POST-Redirect-GET model and I was not appending the required PHPSESSID parameter to the GET url!