PHP creating new session with each reload

Question

For my website, session management mostly works ok. Sessions are created, saved and used later without problems.

But when the code is using session_start(), it always creates new, totally empty session. Code in question below.

header('Content-Type: text/html; charset=UTF-8');

$main_domain = $_SERVER["HTTP_HOST"];
$expld = explode('.', $main_domain);

if(count($expld) > 2) {
   $tld = array_pop($expld);
   $domain = array_pop($expld);
   $main_domain = $domain . "." . $tld;
}

session_set_cookie_params (0, '/', $main_domain);
session_name('sid');
session_start();
echo session_id();
exit;

When this script is executed, in every reload new session is created.

smar@ran ~> ls /tmp/sess_* | wc -l
10
smar@ran ~> ls /tmp/sess_* | wc -l
11
..
smar@ran ~> ls /tmp/sess_* | wc -l
17

But only the one of those sessions has any data inside it, and is used by application.

Output in browser is always same: 87412d5882jr85gh5mkasmngg7, which is id in browser’s cookie and session id in /tmp that has data populated to it.

What could be cause of this behaviour? Those empty files aren’t exactly huge problem, but they do make /tmp (or session dir) quite populated for no reason.

EDIT 1:

Looks like this is server related problem, since it works for some people. My configuration is Gentoo Linux (32 bit) with Apache and PHP 5.3.6.

If I force it to create new session (like removing my own cookie), it creates two session files instead of one. If it reuses old one, it creates “only” one.

EDIT 2:

Session configuration, as requested (all config rows with session.):

session.save_handler = files
session.save_path = "/tmp"
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.bug_compat_42 = On
session.bug_compat_warn = On
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5

EDIT 3:

Even more strangely, I tried to use sessions from CLI. There, where no session cookies are set, it always created one new session. When setting fixed session value with session_id() stopped new session creation altogether and used old session instead.

This behaviour is identical with Apache, so I’m starting to suspect this is bug in PHP. No new sessions created if name specially set with session_id(), and session correctly used.

Even more absurdly, when I took phpsessid from $_COOKIE["PHPSESSID"] and set that to session_id(), it started to create new (useless empty ones) sessions again.

EDIT 4:

Since I didn’t write it enough clearly: simply having

session_start()

as single argument causes this problem to happen, it is not specific to my code.

Answer 1

I'd hate to be the stick in the mud, but have you checked that /tmp is both readable and writeable by PHP (in most cases, this means the www-data user)? If not, move the session save location to a location that you can write to.

Answer 2

I think powtac is right in a way, but session_start(); should be your first operation you do, even before the header('Content-Type: text/html; charset=UTF-8');

Answer 3

This is not exactly about the original cause, but the resolution is exactly same: new session ids gets defined with each reload.

In this case, fault was Varnish, which was set to put every request to pass mode (return (pass)) instead of caching everything. As consequence, every request made it to the backend, where session_start() was called every time.

But when the response was sent through Varnish to the client, cookies were removed from the response. This is due that backend sets cookies (session id, along with others) even when we want to have the site be cached. Anyway, cookies get removed, client does another request and does not pass any cookies (it never received any!) and there PHP goes again calling session_start() without any session id present...

This is more of fault in recognization of error in this case, which appeared as multitude of unnecessary sessions created. Those would’ve not been created in first place if caching was enabled in first place.

There is also another way to manage to create these sessions: have browser not to accept cookies at all. Stupid reason, I know, but it does happen...

For the original problem, I haven’t stumbled it since moving from original development machine away.

Answer 4

Use session_start() as first session command, before all other session_*() methods!

Answer 5

Cookies are only returned to the vhost / path where they were set from.

Since your path is '/', that implies that the pages are not being requested via $domain . "." . $tld;

e.g. user requests page via www.example.com

cookie is set for example.com

user access subsequent page from www.example.com - the cookie is not in scope.

From RFC 2965

x.y.com domain-matches .Y.com but not Y.com.

Actually, if you read on, the spec does say that the user agent should prefix the host with a dot if none is supplied however you getting into the realm where browser behavuiour varies.

If you simply return the cookie with a vhost matching the request it will work as expected.