So I have a test environment that I'm developing with and a production environment that I am ultimately deploying my code to. The code I have right now works on my test environment but not on my production environment. So it seems like an environment problem, but if it is I have no idea which setting to change.
Right now I'm trying to test a simple contact page that has a short form and captcha image. The contact page sets a session variable containing the security_code as displayed in the captcha image so that on the next page, called contactSanitize, I can read that variable from the session and verify the user entered the right code.
Again, this works fine on the test environment. However, in the production environment I can fill out the form and submit it, at which point the session data is lost and the contactSanitize page sends me back to the contact page because it doesn't see the code I entered.
I do not have a session_destroy call anywhere in these pages and I'm not accidentally setting the $_SESSION variable to an empty array or anything else for that matter (I double and triple checked; also it works on the test env, so it can't be that).
Below are snippets from my log - each line contains the timestamp and, if available, the session ID in addition to my comments. You can see that in fact contactSanitize does have the same session ID it's just that the session itself is empty for some reason.
This is the contact.php page:
DEBUG 2013-04-04 18:23:07 (varsAndSecurityCheck.php:74) Page requires security, checking to see if authenticated user.
DEBUG c744b62f483d1eb02fafbbd11f9e9bdb 2013-04-04 18:23:07 (varsAndSecurityCheck.php:82) authenticated = false
DEBUG c744b62f483d1eb02fafbbd11f9e9bdb 2013-04-04 18:23:09 (contact.php:130) just before security image
DEBUG c744b62f483d1eb02fafbbd11f9e9bdb 2013-04-04 18:23:09 (contact.php:134) invoking security image functions
DEBUG c744b62f483d1eb02fafbbd11f9e9bdb 2013-04-04 18:23:09 (CaptchaSecurityImages.php:42) code: hwjdtvw7
DEBUG c744b62f483d1eb02fafbbd11f9e9bdb 2013-04-04 18:23:09 (contact.php:137) after security image functions, SESSION: Array
(
[security_code] => hwjdtvw7
)
DEBUG c744b62f483d1eb02fafbbd11f9e9bdb 2013-04-04 18:23:09 (contact.php:152) Just after security image
I now submit the form and go to contactSanitize.php to validate user input:
DEBUG 2013-04-04 18:23:24 (varsAndSecurityCheck.php:74) Page requires security, checking to see if authenticated user.
DEBUG c744b62f483d1eb02fafbbd11f9e9bdb 2013-04-04 18:23:24 (varsAndSecurityCheck.php:82) authenticated = false
DEBUG c744b62f483d1eb02fafbbd11f9e9bdb 2013-04-04 18:23:26 (contactSanitize.php:8) SESSION: Array
(
)
As you can see above, the session is empty, so the validation fails:
DEBUG c744b62f483d1eb02fafbbd11f9e9bdb 2013-04-04 18:23:26 (contactSanitize.php:26) No security code and not authenticated, sending to contact page.
DEBUG 2013-04-04 18:23:26 (varsAndSecurityCheck.php:74) Page requires security, checking to see if authenticated user.
DEBUG c744b62f483d1eb02fafbbd11f9e9bdb 2013-04-04 18:23:26 (varsAndSecurityCheck.php:82) authenticated = false
I am sent back to the contact.php page where a new security code is generated:
DEBUG c744b62f483d1eb02fafbbd11f9e9bdb 2013-04-04 18:23:29 (contact.php:130) just before security image
DEBUG c744b62f483d1eb02fafbbd11f9e9bdb 2013-04-04 18:23:29 (contact.php:134) invoking security image functions
DEBUG c744b62f483d1eb02fafbbd11f9e9bdb 2013-04-04 18:23:29 (CaptchaSecurityImages.php:42) code: xb66q6jy
DEBUG c744b62f483d1eb02fafbbd11f9e9bdb 2013-04-04 18:23:29 (contact.php:137) after security image functions, SESSION: Array
(
[security_code] => xb66q6jy
)
DEBUG c744b62f483d1eb02fafbbd11f9e9bdb 2013-04-04 18:23:29 (contact.php:152) Just after security image
EDIT
I added some additional logging to show that the session_start call happens at the beginning of both pages. The following lines now appear at the beginning of the contact and contactSanitize pages:
DEBUG 2013-04-04 19:26:15 (varsAndSecurityCheck.php:74) Page requires security, checking to see if authenticated user.
DEBUG 2013-04-04 19:26:15 (varsAndSecurityCheck.php:78) page is secure, starting session now.
This is a small snippet from varsAndSecurityCheck.php to show where the "starting session" log line comes from:
$log->debug("page is secure, starting session now.");
session_start();
The following are the relevant parts of my code from contact.php:
<?php
...
//session is started by this first include when secure connection is verified
include_once "../includes/varsAndSecurityCheck.php";
//this just connects to my database, no session manipulation here
include_once "../includes/dbConnect.php";
//this includes some functions for generating a captcha image
include_once "../captcha/CaptchaSecurityImages.php";
//this is just including some basic styling and navigation
include '../includes/header.php';
?>
...
<form method="post" action="contactSanitize.php">
...
$log->debug("just before security image");
?>
<div class="centerText">
<?php
$log->debug("invoking security image functions");
$_SESSION['security_code'] = generateCode(8);
$log->debug("after security image functions, SESSION: ".print_r($_SESSION,true));
?>
<?=captchaSecurityImages($_SESSION['security_code'],320,70)?>
</div>
...
<div class="centerText">
<input id="security_code" name="security_code" type="text" maxlength="8" />
<br><br>
<input type="submit" name="submit" value="Send Message" class='generalFormButton' />
</div>
<?php
$log->debug("Just after security image");
}
?>
This is the first part of my contactSanitize page; you can see it fails at the first condition:
<?php
//this starts the session when secure connection is made
include_once "../includes/varsAndSecurityCheck.php";
//This connects to database, no session manipulation here
include_once "../includes/dbConnect.php";
//This includes some e-mail functions, no session manipulation
include_once '../includes/mail.php';
$log->debug("SESSION: ".print_r($_SESSION,true));
$_SESSION['formData'] = array('visitor_name' => $_POST['visitor_name'],
'visitor_email' => $_POST['visitor_email'],
'ReasonForContacting' => $_POST['ReasonForContacting'],
'message_body' => $_POST['message_body']
);
if(!isset($_SESSION['security_code']) && !$authenticated)
{
$log->debug("No security code and not authenticated, sending to contact page.");
$_SESSION['contactError'] = "You must type the security code before sending a message.";
header("Location: contact.php");
exit();
}
...
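The two checks I would run against this symptom, as an added example that is not part of the original question or the asker's code: a diagnostic that reports the session settings most likely to differ between a test and a production box (save handler and path, whether the path is writable, the cookie domain/path/secure flags) and proves the handler can write to disk, plus a one-time, constant-time comparison of the submitted code for the contactSanitize step. It assumes PHP 7.0 or later; sessionDiagnostics, verifyCaptcha and the constructed session array are this example's own names, not identifiers from the question.

```php
<?php
// Added example, not the asker's code. Two checks for the case where
// $_SESSION is empty on the next request although the session ID is unchanged:
//   1. sessionDiagnostics(): the php.ini session settings that commonly differ
//      between environments, plus a write probe against session.save_path.
//   2. verifyCaptcha(): single-use, constant-time check of the submitted code.
// Assumes PHP 7.0+; paths and the demo values below are constructed.

declare(strict_types=1);

/** Collect the session settings that matter when data vanishes between requests. */
function sessionDiagnostics(): array
{
    $savePath = ini_get('session.save_path') ?: sys_get_temp_dir();
    // save_path may be "N;/path" or "N;MODE;/path" when subdirectories are enabled.
    $dir = preg_replace('/^\d+;(?:0?[0-7]{3};)?/', '', $savePath);

    $report = [
        'save_handler'     => ini_get('session.save_handler'),
        'save_path'        => $savePath,
        'save_path_dir'    => $dir,
        'dir_exists'       => is_dir($dir),
        'dir_writable'     => is_writable($dir),
        'cookie_params'    => session_get_cookie_params(), // domain, path, secure, httponly
        'use_only_cookies' => (bool) ini_get('session.use_only_cookies'),
        'gc_maxlifetime'   => (int) ini_get('session.gc_maxlifetime'),
        'auto_start'       => (bool) ini_get('session.auto_start'),
        'headers_sent'     => headers_sent(),
    ];

    // For the default files handler, prove a file can actually be created in save_path.
    if ($report['save_handler'] === 'files' && $report['dir_writable']) {
        $probe = tempnam($dir, 'sess_probe_');
        $report['write_probe'] = $probe !== false
            && file_put_contents($probe, 'ok') === 2;
        if ($probe !== false) {
            unlink($probe);
        }
    }
    return $report;
}

/**
 * Single-use CAPTCHA check for the step after the form is posted.
 * Returns true only if a code was issued in this session and the submitted value
 * matches it; the stored code is removed either way so it cannot be replayed.
 * Takes the session array by reference so it works with $_SESSION or a test array.
 */
function verifyCaptcha(array &$session, ?string $submitted): bool
{
    $expected = $session['security_code'] ?? null;
    unset($session['security_code']); // consume the code regardless of outcome
    if (!is_string($expected) || $submitted === null) {
        return false;
    }
    // hash_equals() is a timing-safe comparison; normalise case on both sides first
    // because generateCode() in the question emits lowercase characters.
    return hash_equals(strtolower($expected), strtolower($submitted));
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration with a constructed session array instead of $_SESSION.
    $fakeSession = ['security_code' => 'hwjdtvw7'];
    var_dump(verifyCaptcha($fakeSession, 'HWJDTVW7')); // first use succeeds
    var_dump(verifyCaptcha($fakeSession, 'hwjdtvw7')); // already consumed, fails
    print_r(sessionDiagnostics());
} else {
    // Web usage, standing in for the top of contactSanitize.php.
    session_start();
    if (!verifyCaptcha($_SESSION, $_POST['security_code'] ?? null)) {
        $_SESSION['contactError'] = "You must type the security code before sending a message.";
        header('Location: contact.php');
        exit();
    }
    session_regenerate_id(true); // fresh ID once the visitor has passed the check
}
```

Run it from the CLI on both the test and the production host and diff the two reports: a save_path that is not writable, a cookie domain or path that does not match the request, or the secure flag set while the page is served over plain HTTP are the settings that will show up as a difference between the environments. The verifyCaptcha function replaces the isset-only condition in the question with a comparison that cannot be reused and does not leak timing information; keep the existing $authenticated branch alongside it if authenticated users are meant to bypass the CAPTCHA.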