Session disappear after page refresh

Question

This is the first time that I'm using sessions on PHP. Getting some info from StackOverflow and other websites I'm into to build my first PHP Login but I'm getting a problem and don't know how to resolve it.

Basically at the moment that I set a session, after the page refresh, this session disappear. Is not supposed to remain for an amount of time? (that can be set with set_cookie_params etc, but this is another topic)

I have at the beginning of my page (global) this code:

ini_set('session.cookie_httponly', 1);
ini_set('session.entropy_file', '/dev/urandom');
ini_set('session.hash_function', 'whirlpool');
ini_set('session.use_only_cookies', 1);
ini_set('session.cookie_secure', 1);

session_name("RANDOMID");
session_start();

if (isset($_SESSION['uid']))
{
    if ($_SESSION['ipremote'] !== getUserIP() && $_SESSION['useragent'] !== getUserAgent())
    {
        session_unset();
        session_destroy();

        session_regenerate_id(true);
    }
}
else
{
    session_regenerate_id(true);

    $_SESSION['ipremote'] = getUserIP();
    $_SESSION['useragent'] = getUserAgent();
}

then in my login.php file, when the user insert the right infos:

$_SESSION['uid'] = 3;

header("Location: index.php");
exit;

The problem that after the redirect the uid session disappear: I put at the end of the index.php page a var_dump of the $_SESSION variable, and I see just the IP and user-agent that is set everytime in the else condition.

EDIT: I tried to replace all the content of the session initialization with just session_start(); and it works, I don't understand why this secure session initialization it doesn't working and making the session disappear.

on `index.php` also `session_start();` required on top, in case you want to access SESSION variables and values — Alive to die - Anant, Jan 30 '18 at 09:56
It's already setted, because the first portion of code is global (is required on both files, login.php and index.php) at the beginning. — Keaire, Jan 30 '18 at 10:00
`session_name("RANDOMID")` – Is that literally "RANDOMID", or does this mean you're randomly generating a new id every time here…? — deceze, Jan 30 '18 at 10:09
It's just a random name, so it's literally RANDOMID (no defines or variables) — Keaire, Jan 30 '18 at 10:18
You use `session_regenerate_id(true)` when you have just destroyed the session. — , Feb 12 '18 at 19:43
if you still have the issue try adding session_start(); on top of login.php file. — Praneeth Nidarshan, Feb 14 '18 at 06:23

score 9 · Accepted Answer · answered Feb 09 '18 at 12:21

Are you calling your page via https:// when you are testing this ...?

Otherwise, the explanation is simple:

ini_set('session.cookie_secure', 1);

This makes PHP set the session cookie with the secure flag, meaning the browser is only allowed to send this cookie back with requests made over a secure connection.

So if you are actually testing this via HTTP only, then the session cookie will not be send back with the next request, so PHP does not find any session id, and therefor starts a fresh, new session when you call session_start ...

score 0 · Answer 2 · answered Feb 09 '18 at 16:07

0

that RANDOMID may change when you refresh/change your page depending on how you generate it!
so make sure you use the same 'session_name' in all youre pages before starting the session, like this.

login page

session_name("SAME_NAME");
session_start();
$_SESSION['uid'] = 3;
header("Location: index.php");
exit;

index page

session_name("SAME_NAME");
session_start();
var_dump($_SESSION['uid']);
exit;

answered Feb 09 '18 at 16:07

zakaria35

857
1
7
12

Your answer is based on the assumption that the name is randomly generated, but OP explains in the comments on his post that he in fact does not randomly generate the session name. – halfpastfour.am Feb 13 '18 at 10:00

score 0 · Answer 3 · 2018-02-12T19:54:27.763

Please try the following, slightly altered snippet below, to replace your global code being in the beginning of every page.

ini_set('session.cookie_httponly', 1);
ini_set('session.entropy_file', '/dev/urandom');
ini_set('session.hash_function', 'whirlpool');
ini_set('session.use_only_cookies', 1);
ini_set('session.cookie_secure', 1);

// start session
session_start();
// if session just started and uid is not set, add initial information such as user agent and ip address
if (!isset($_SESSION['uid']))
{
    $_SESSION['ipremote'] = getUserIP();
    $_SESSION['useragent'] = getUserAgent();
}
else
{
    // uid is set in session variables. User gets logged out in case of changed ip address and user agent.  
    if ($_SESSION['ipremote'] !== getUserIP() && $_SESSION['useragent'] !== getUserAgent())
    {
        session_unset();
        session_destroy();            
    }
    // if client information has not changed just regenerate the session
    session_regenerate_id(true);
}

score 0 · Answer 4 · answered Feb 14 '18 at 07:12

try to check session.save_path

find session.save_path from phpinfo()
check if it exists or not. if not, make it with mkdir.
check its permission. change it to others can read/write(chmod 707)

when I installed new php extension(SOAPClient) via yum on my dev server(AWS EC2 Linux AMI), experienced session disappearing when refresh or page move like you.

The reason was my session directory's permission changed to 500, even though i didn't anything. so php couldn't write session file to disk.

hope this can help you :)

score 0 · Answer 5 · answered Feb 14 '18 at 23:18

0

This happens because session_start() must be the first line of your code.

You can see this in an old answer of mine too.

Good luck.

answered Feb 14 '18 at 23:18

score 0 · Answer 6 · answered Feb 15 '18 at 12:24

0

Please use session_start() on top of each page, it is required to access the session data on the page.

answered Feb 15 '18 at 12:24

Harsh Wardhan Gaur

56
4

Session disappear after page refresh

6 Answers6