Kaminari

Reputation: 1487

PHP session is empty even when Session ID is right

Yesterday I searched almost all topics about PHP sessions, I looked over the manual, and it still didn't work. I stayed up very late because of that.

The scenario is: I log in using a standard HTML form. My session is populated with some variables and it works fine. Then I use Flash uploadify to upload some photos and I pass PHPSESSID with the parameters. My PHP script does not recognize the session. It sees it as empty. Then I try to get that session with a different client such as Firefox or Opera and it is empty too. Then I try to get that session with a different Chrome tab and it works.

As you see, my only protection is by IP. I don't scan other things, so this should work when a good PHPSESSID is passed and the client IP matches, regardless of client type, version, etc.

This is init_session.php, the file I include every time at the beginning of other files. Therefore I know that the Session ID is being passed with Flash. But then the session is empty.

The directory is set at the top, and the path is direct, so there shouldn't be any problems with that. It also doesn't work when the save path is the default. I also turned off session autostart and session use only cookies. It didn't change a thing except that I need to set the cookie manually.

Is there something here I can try? I think I ran out of options.

EDIT:
I forgot about the most important thing. I think that turning off suhosin.session.cryptua will resolve the case, but I can't turn it off using ini_set. Is there any other way? It seems that this option encrypts the session using the user-agent field, which would be the case.

<?php
// init_session.php: included at the top of every other file
ini_set('session.auto_start', '0');
ini_set('session.save_path', '/public_html/nowy/tmp');

// Take the session ID from the Flash upload (POST), the cookie, or the query string
if (isset($_POST["PHPSESSID"])) {
    session_id($_POST["PHPSESSID"]);
} elseif (isset($_COOKIE["PHPSESSID"])) {
    session_id($_COOKIE["PHPSESSID"]);
} elseif (isset($_GET["PHPSESSID"])) {
    session_id($_GET["PHPSESSID"]);
}
session_start();

if (!isset($_SESSION['user'])) {
    $_SESSION['user'] = 0;
}

// First request for this session: get a fresh ID and remember the client IP
if (!isset($_SESSION['initiate'])) {
    session_regenerate_id();
    $_SESSION['initiate'] = true;
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}

// Set the cookie after any regeneration so it carries the current ID
setcookie("PHPSESSID", session_id(), time() + 3600, "/");

// Debug output
echo ini_get('session.save_path') . '<br />';
echo isset($_POST["PHPSESSID"]) ? $_POST["PHPSESSID"] : '';
print_r($_SESSION);

RESOLVED

This problem has been solved. I couldn't set cryptua off because I needed to copy the original php5.ini and replace some variables to get it working.

The problem was, as expected, suhosin.session.cryptua.

Upvotes: 1

Views: 4401

Answers (2)

Kaminari

Reputation: 1487

As Frode suggested in his comment I'm leaving this as an answer.

This can happen when using any flash script, not just uploadify. Any other flash uploader such as SWFUpload won't get the session unless the user-agent field is the same.

This happens when your server has the suhosin patch installed, but it seems that sometimes this problem doesn't occur even when the setting suhosin.session.cryptua is enabled, as alecgorge suggested. Although I am not convinced about that. Of course you can pass this variable to flash using PHP scripts to uncover the user-agent of the user's browser, and then flash can disguise itself as the same browser, but it's not an elegant solution and I don't know actionscript so I can't say if flash can actually do it.

Very important: There are actually two settings that can fix this security patch.

  1. suhosin.session.encrypt
  2. suhosin.session.cryptua

If the first one is disabled then the session is not encrypted at all, so the problem won't occur. It's not recommended to disable this. If we disable only the second one then the session will be encrypted, but the encryption won't rely on the user-agent field. This means that any browser or HTTP client can get any session. Therefore it's recommended to put some other security fields. Suhosin can also handle session IP protection, so I recommend enabling suhosin.session.cryptraddr. Other settings can be found here:
Suhosin configuration

To resolve this issue I suggest:

  1. Check phpinfo() to see if suhosin is installed. If not, then the problem won't occur.
  2. If suhosin is installed and suhosin.session.cryptua and suhosin.session.encrypt are enabled, then copy the existing and working php.ini. It's at the top of the php info page: Loaded Configuration File /public_html/php5.ini
  3. Create your own php.ini and set:
    • suhosin.session.encrypt = On
    • suhosin.session.cryptraddr = On
    • suhosin.session.cryptua = Off

Upvotes: 2
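A hardened version of the session handoff discussed in the question and in this answer, as an added example rather than code from either post. It assumes the uploader POSTs the ID as PHPSESSID, as the question's script does, and that the Suhosin settings, where Suhosin is loaded, were set in php.ini as this answer describes.

```php
<?php
// Added example (not code from the question or answers): hand a session over
// to an uploader that cannot send the browser cookie, but validate the ID and
// enforce the IP binding that the question's script only records.

// Keep PHP's automatic lookup cookie-only; the explicit session_id() call below
// still wins, and IDs in GET never reach logs, referrers or browser history.
ini_set('session.use_only_cookies', '1');

// Format check only (not authentication): the characters PHP can emit for any
// session.hash_bits_per_character setting, with a length range covering md5 to
// sha512 IDs. Rejecting garbage here keeps it away from the save handler.
function session_id_is_valid($id) {
    return is_string($id) && preg_match('/^[a-zA-Z0-9,-]{22,128}$/', $id) === 1;
}

// Report Suhosin's session binding. These come from php.ini (ini_set() cannot
// change them, which is why the question's attempt failed); ini_get() returns
// false when Suhosin is not loaded, so the report then shows everything off.
function suhosin_session_binding() {
    return array(
        'encrypt'    => (bool) ini_get('suhosin.session.encrypt'),
        'cryptua'    => (bool) ini_get('suhosin.session.cryptua'),
        'cryptraddr' => (int)  ini_get('suhosin.session.cryptraddr'), // 0 = off
    );
}

// Resume the session from the POSTed ID only when it is well-formed.
if (isset($_POST['PHPSESSID']) && session_id_is_valid($_POST['PHPSESSID'])) {
    session_id($_POST['PHPSESSID']);
}
session_start();

// Bind the session to the client address on creation and verify it on every
// later request; an ID presented from another address is discarded, not reused.
if (!isset($_SESSION['ip'])) {
    session_regenerate_id(true);
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
} elseif ($_SESSION['ip'] !== $_SERVER['REMOTE_ADDR']) {
    $_SESSION = array();
    session_regenerate_id(true);
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}

$binding = suhosin_session_binding();
if ($binding['cryptua']) {
    // The uploader's User-Agent differs from the browser's, so Suhosin decrypts
    // this session to nothing; log that instead of serving a silently empty session.
    error_log('suhosin.session.cryptua is on: session cannot be shared with the uploader');
}
```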

Alec Gorge

Reputation: 17420

Usually with Uploadify I have to do something like this:

$('#uploadify').uploadify({'scriptData': {'session_name': '<?php echo session_id(); ?>'}});

On the client in conjunction with something like this on the server side:

if (isset($_POST['session_name'])) {
    session_id($_POST['session_name']);
}
session_start();

Upvotes: 0
