CODEWITHSUNDEEP
phpcodeignitersessioncookies
mpavey
mpavey

Reputation: 403

Why is PHP not reading the session ID sent via cookie?

I am upgrading an application from CodeIgniter 2.2.1 to 3.1.8. The application authenticates users and saves the authentication state in a session, and after upgrading that has broken such that users can no longer log in. I'm running PHP Version 7.1.12 via PHP-FPM on nginx, on a Linux virtual machine.

I've spent the best part of 1.5 days trying to get to the bottom of this. As best I can tell it boils down to PHP not reading the session ID that is sent in by the browser via cookie, and creating a new session (and session ID) for each request. I can tell this from the fact that the ci_session value from the request cookie is different from the ci_session value in the corresponding response cookie (as display in Firefox devtools), as well as the fact that a new file is created each time. (I have configured CodeIgniter to use the files driver.)

In attempting to debug, if I log the value of session_id() before the call to session_start() (in /system/libraries/Session/Session.php, line 143), I just see a blank string. Immediately afterwards, I see the same new session ID that Firefox shows in the response cookie.

I've read fairly extensively through:

and tried the following remedies to no avail:

Below I've pasted what I believe are all the relevant settings from CI and from PHP. Clearly I am missing something, quite possibly something really basic. How can I diagnose further/fix?

CodeIgniter settings

$config['cookie_prefix']    = "";
$config['cookie_domain']    = "";
$config['cookie_path']      = "/";
$config['cookie_secure']    = FALSE;


$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 3600 * 24 * 60; // 60 days
$config['sess_use_database']    = FALSE;
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = FALSE;
$config['sess_time_to_update']  = 300;
$config['sess_driver'] = 'files';
$config['sess_save_path'] = BASE . 'storage/session';

PHP settings

Session Support     enabled
Registered save handlers    files user
Registered serializer handlers  php_serialize php php_binary wddx
Directive   Local Value Master Value
session.auto_start  Off Off
session.cache_expire    180 180
session.cache_limiter   nocache nocache
session.cookie_domain   no value    no value
session.cookie_httponly Off Off
session.cookie_lifetime 0   0
session.cookie_path /   /
session.cookie_secure   Off Off
session.gc_divisor  1000    1000
session.gc_maxlifetime  1440    1440
session.gc_probability  1   1
session.lazy_write  On  On
session.name    PHPSESSID   PHPSESSID
session.referer_check   no value    no value
session.save_handler    files   files
session.save_path   /var/opt/remi/php71/lib/php/session /var/opt/remi/php71/lib/php/session
session.serialize_handler   php php
session.sid_bits_per_character  5   5
session.sid_length  26  26
session.upload_progress.cleanup On  On
session.upload_progress.enabled On  On
session.upload_progress.freq    1%  1%
session.upload_progress.min_freq    1   1
session.upload_progress.name    PHP_SESSION_UPLOAD_PROGRESS PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix  upload_progress_    upload_progress_
session.use_cookies On  On
session.use_only_cookies    On  On
session.use_strict_mode Off Off
session.use_trans_sid   0   0

Upvotes: 1

Views: 882

Answers (2)

mpavey
mpavey

Reputation: 403

OK, I fixed this eventually. I'm not certain what the solution was, but the final change I made which fixed it was to clear from my browser all cookies relating to the site, having noticed that the $_COOKIE superglobal did not include an entry for ci_session (the name of the cookie as configured in $config['sess_cookie_name']), despite it showing up in the browser request displayed in Firefox devtools.

Along the way, I also:

  • Upgraded from PHP 7.1 to PHP 7.2
  • Removed two CI 2.2-era deprecated session settings (specifically, $config['sess_use_database'] and $config['sess_table_name'])
  • Added a new setting present in CI 3.1.8, and possibly earlier versions ($config['sess_regenerate_destroy'] = FALSE;)

By the way, I also noticed that session_id() returns nothing before session_start() has been called, even when sessions are working properly (and the correct ci_session value is present in $_COOKIE). So I was wrong to interpret a blank string being returned by session_id() as indicative of PHP failing to read the value submitted to it as part of the cookie.

Upvotes: 0

DFriend
DFriend

Reputation: 8964

The problem you describe is usually a bad $config item setting.

You need to go to the Upgrading from 2.2.x to 3.0.x doc and work through it step by step. Step 6 talks about what needs to be done to update session usage. Looks to me like you are using v2.x session $config items. There are important changes to $config related to sessions. Look into those first. One of the primary ones is making sure that $config['base_url'] is set properly. A bad value there has all kinds of bad side effects.

You might want to look at each of the "Upgrading" documents between 3.0.0 and the current version to see if there is anything that might affect your site. There aren't a lot "step" beyond replacing the system folder for most versions. Beyond v3.0.0 there are none I can remember that affect sessions. But there are some important items to attend to none the less.

For help determining if sessions are working correctly check out this simple repository on GitHub.

Sometimes this problem, when using the 'files' driver, it can be a permissions issue. But as you see files being created that's not it.

Upvotes: 1

Related Questions