
So this is how my login process works:

authenticate.php

```php
sessionStart();
if (isset($_SESSION) && !empty($_SESSION['LOCATION'])) {
    $location = $_SESSION['LOCATION'];
    unset($_SESSION['LOCATION']);
} else {
    $location = '//' . $_SERVER['SERVER_NAME'];
}
session_write_close();

sessionStart();
$userIsOnline = isset($_SESSION['ID']);
session_write_close();

sessionStart();
if (!$userIsOnline) {
    // Get the user from the database
    // Validate the user's password
    $_SESSION['ID'] = $user->id;
    $_SESSION['UN'] = $user->un;
    // ... more information
}
session_write_close();

header($location);
exit();
```

The contents of the sessionStart function:

```php
if (session_id() == '') {
    session_name('MyWebsite');
    session_set_cookie_params(86400, '/', $_SERVER['SERVER_NAME'], true, true);
    session_start();

    $_SESSION['LAST_ACTIVITY'] = time();
    $_SESSION['CREATED'] = time();
}
```

Then on the top of every page on my website:

```php
sessionStart();
print_r($_SESSION);
$_SESSION['LOCATION'] = $_SERVER['REQUEST_URI'];
session_write_close();
```

Prints an empty array. So for some reason, it is wiping my session array during the redirect? Anyone have any ideas?

Also, the values of CREATED and LAST_ACTIVITY are from this question.

NobleUplift
  • Why are you constantly closing your session? – lagbox Apr 28 '14 at 15:20
  • Yes, you certainly can. But the code you've shared never reads or writes to session, does it? – Álvaro González Apr 28 '14 at 15:22
  • I've specified which functions are writing to the session. – NobleUplift Apr 28 '14 at 15:28
  • [This question](https://stackoverflow.com/questions/23296676/how-do-i-stop-curl-from-deadlocking-my-php-session) is the reason that I'm using `session_write_close` and not `session_destroy`, to avoid a deadlock. The documentation says that the former, `End[s] the current session and store[s] session data.` So what is it storing? – NobleUplift Apr 28 '14 at 15:56
  • Can you add the code from `getHTTPLocationFromSession` and `setHTTPLocation` to your question? – SilverlightFox Apr 29 '14 at 06:38
  • ... who voted to close my question and why? Also, I'll post it now @SilverlightFox. – NobleUplift Apr 30 '14 at 15:01
  • Thanks. One more question - is your URL HTTP or HTTPS? – SilverlightFox Apr 30 '14 at 15:34
  • We have a `RewriteRule` in the HTTPD config that redirects all HTTP requests to HTTPS. – NobleUplift Apr 30 '14 at 15:37
  • Can you verify that the session cookie is getting set and is sent to the `$location` page? I was going to suggest trying `session_set_cookie_params(86400, '/', $_SERVER['SERVER_NAME'], false, true);` in case you were passing over HTTP to ensure it is sent. PS don't forget to include @SilverlightFox in any reply. ;-) – SilverlightFox Apr 30 '14 at 15:47
  • With or without the `session_write_close` @SilverlightFox? Without the `session_write_close`, the cookie is properly set and the `$location` properly redirects. – NobleUplift Apr 30 '14 at 16:09
  • With the `session_write_close`. – SilverlightFox Apr 30 '14 at 16:18
  • With the `session_write_close`, the `$_SESSION['LOCATION']` is unset before it reaches the `authenticate.php`. Before the `header` is run in the `authenticate.php`, a `print_r` of `$_SESSION` shows that every index set during the authentication is there, `ID`, `UN`, etc. – NobleUplift Apr 30 '14 at 16:23
  • Oh, and I forgot to tag @SilverlightFox. Is there a way to autocomplete the names that show up at the top-left of comment boxes? – NobleUplift Apr 30 '14 at 16:49
  • Yes it should auto complete. Can you see the cookie being set in dev tools? – SilverlightFox Apr 30 '14 at 16:54
  • @SilverlightFox When you press what? Spacebar? Right arrow? I thought it was Enter and that was a derp lol. Also for the cookie: Name: `MyWebsite`, Content: `asdf`, Domain: `.subdomain.domain.tld`, Path: `/`, Send for: `Encrypted sessions only`, Expires: `At end of session`. – NobleUplift Apr 30 '14 at 20:27
  • `@` makes the completion tooltip appear, and tab completes. – SilverlightFox Apr 30 '14 at 21:29
  • Was my answer useful? – SilverlightFox Jul 29 '14 at 09:55

1 Answer

If it is not the issue that HTTPS is not used, but the session cookie is set to Secure, then my other thought is to change

```php
if (session_id() == '') {
    session_name('MyWebsite');
    session_set_cookie_params(86400, '/', $_SERVER['SERVER_NAME'], true, true);
```

to

```php
if (session_name('MyWebsite') != 'MyWebsite') {
    session_set_cookie_params(86400, '/', $_SERVER['SERVER_NAME'], true, true);
```

I wonder if it is giving you a Session ID under a different name, which is why print_r($_SESSION); is coming up empty. If not, I'm out of ideas!

SilverlightFox
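An added example, not part of the question or the answer above: a command-line script that reproduces the open/close/reopen pattern from `authenticate.php` and compares a `session_id()` guard with a `session_status()` guard, since `session_id()` keeps returning the ID after `session_write_close()`. The function names `startGuardedById` and `startGuardedByStatus`, the disabled cookies, the temp save path and the value `42` are assumptions made so the demo runs from the CLI.

```php
<?php
// Added example, not code from the question or the answer.
// CLI-friendly settings (assumptions for the demo): no cookies, temp save path.
ini_set('session.use_cookies', '0');
session_save_path(sys_get_temp_dir());

// Guard as posted in the question: keyed on session_id().
function startGuardedById() {
    if (session_id() == '') {
        session_name('MyWebsite');
        session_start();
        return true;            // session was (re)opened
    }
    return false;               // guard skipped session_start()
}

// Alternative guard keyed on session_status() (PHP >= 5.4).
function startGuardedByStatus() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_name('MyWebsite');
        session_start();
    }
    return session_status() === PHP_SESSION_ACTIVE;
}

$log = array();
// 1. First open/close, as at the top of authenticate.php.
startGuardedById();
session_write_close();
$log[] = 'session_id() after close is empty: ' . var_export(session_id() == '', true);

// 2. "Login" write behind the session_id() guard.
$reopened = startGuardedById();
$_SESSION['ID'] = 42;           // constructed sample value
session_write_close();
$log[] = 'id-guard reopened the session: ' . var_export($reopened, true);

// 3. Next "request": reload from storage and look for the login data.
startGuardedByStatus();
$log[] = 'ID persisted via id-guard: ' . var_export(isset($_SESSION['ID']), true);

// 4. Same write behind the session_status() guard (session still open from step 3).
$_SESSION['ID'] = 42;
session_write_close();
startGuardedByStatus();
$log[] = 'ID persisted via status-guard: ' . var_export(isset($_SESSION['ID']), true);

session_destroy();              // clean up the demo session file
echo implode(PHP_EOL, $log), PHP_EOL;
```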