6

I am having an issue with session_start(). It is creating a new session at every refresh/load of the page.

Here is the code of the complete script executed:

    <?php
    // Stuff added to see why a new session id is created.
    ini_set('display_errors', 1);   // the option name must be a quoted string
    error_reporting(E_ALL);
    $session_dir = session_save_path();
    $id_file = "$session_dir/last_session_id.txt";
    // On the very first run the file does not exist yet; avoid a warning.
    $last_session_id = file_exists($id_file) ? file_get_contents($id_file) : '';
    $message = "Last session id : $last_session_id. -- ";
    if (!is_writable($session_dir)) $message .= "Directory $session_dir is not writable. --";
    if (headers_sent($file, $line)) $message .= "Headers already sent at $line in $file. --";
    // The code just starts a session and outputs a message to see what is going on.
    if (!session_start()) {
        $message .= "Failed to start the session. --";
    } else {
        $message .= "New session id : " . session_id() . "<br>";
        file_put_contents($id_file, session_id());
    }
    echo $message; // Last session id : hh3isj5cc1b964itlgek89vm13. -- New session id : 6hss2s8v340n5qad0smbmmlfm3

There is no warning or notice, nothing, just the message showing a different new session id each time, on a local server with only me executing this script. This is a duplicate of session_start() creates new session every refresh , session_id() creates new session every reload and PHP creating new session with each reload, but the answers do not apply. Here are the relevant php.ini settings:

    session.save_handler = files
    session.save_path = "/var/www/html/php_session"
    session.use_strict_mode = Off
    session.use_cookies = 1
    session.cookie_secure = On
    session.use_only_cookies = 1
    session.name = PHPSESSID
    session.auto_start = 0
    session.cookie_lifetime = 0
    session.cookie_path = /
    session.cookie_domain =
    session.cookie_httponly = On
    session.serialize_handler = php

  • Why a downvote? I admit, I expected it to be downvoted, in view of the fact that the others were marked as duplicates. I disagree that they should have been marked as duplicates. When I saw that one of them was marked as duplicate, even before an answer was provided, I felt that it made no sense. Hey, the message says, `if those answers do not fully address your question, please ask a new question.` That is what we do, but people keep marking it as a duplicate or, worse, downvote it with no explanation, before an answer can be provided. –  Nov 03 '15 at 07:07
  • some people just love to downvote, don't worry too much about it, unless you get a *lot*.... – Martin Nov 03 '15 at 15:48

1 Answer

9

Ok, I figured it out. It is simply that session.cookie_secure = On and I was not using https. So, just as expected, no session cookie was returned back and a new session was created. Still, I feel that it could help others to see that. I don't get at all why such questions are marked as duplicate, even before people have a chance to answer. It is especially hard to understand given that, clearly, the "duplicated" questions did not have satisfying answers. It is as if some people here have the attitude that, if there are a few ways something can go wrong, then don't ask why. There are not so many ways a session can get recreated at each reload. This question can be taken care of in a Q&A format, perfectly.

  • 1
    This makes me curious if there is a way for PHP to output an error re: sessions/cookies using `secure` flags on an insecure domain. How did you discover this fault? – Martin Nov 03 '15 at 15:49
  • I don't know why PHP does not output an E_NOTICE level error. I think it should - just a simple notice. Some people even say that http should be deprecated in favor of https, another reason for such a notice. I discovered it by going through all the settings, looking for an explanation why PHP creates a new session id. –  Nov 03 '15 at 16:11
  • deprecating HTTP is extremely complex and is a very interesting discussion, mainly because for HTTPS to work then each website needs its own domain IP address, and there are simply not enough IP addresses to do that, so here in the UK I try and get new SSL certificates for clients but the cost is excessive as there are fewer and fewer IPs to go around and the ISP companies are being extremely slow and tedious in actually rolling out IPv6. Also, as SSLQuery labs illustrates, having HTTPS is not a magic bullet to ensure safety of data, but a helpful tool. I find this all a fascinating subject! – Martin Nov 03 '15 at 16:20
  • Thanks for posting this. I've just run into the same issue and would probably spend hours sorting it out. – jacekn Feb 18 '22 at 17:40
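The accepted cause (a `Secure` session cookie issued over plain HTTP, so the browser never returns it) and Martin's question about getting PHP to report it can both be covered by a small pre-check run before `session_start()`. This is an added example, not code from the question or the answer; `session_cookie_precheck()` is a hypothetical helper name, and it flags the mismatch in the error log rather than lowering `session.cookie_secure`, since the fix is to serve the page over HTTPS.

```php
<?php
// Added example: report conditions under which the session cookie cannot
// come back, before session_start() silently creates a fresh session.
// Hypothetical helper; reads the real session.cookie_* settings from php.ini.
function session_cookie_precheck(array $server, array $cookies): array
{
    $problems = [];
    $params   = session_get_cookie_params();   // lifetime, path, domain, secure, httponly
    $name     = session_name();                // PHPSESSID by default

    // Request is TLS if the SAPI sets HTTPS (any value but "off") or port 443.
    $isHttps = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
        || (isset($server['SERVER_PORT']) && (int)$server['SERVER_PORT'] === 443);

    // The case from this page: session.cookie_secure=On over plain HTTP.
    // The browser stores the Secure cookie for https:// only and never sends
    // it back on http://, so every request starts a new session.
    if ($params['secure'] && !$isHttps) {
        $problems[] = "session.cookie_secure=On but the request is plain HTTP; "
                    . "the browser will not return the $name cookie";
    }

    // A cookie path that does not cover the request URI gives the same symptom
    // (simple prefix check; "/" covers everything).
    $path = $params['path'] ?: '/';
    $uri  = $server['REQUEST_URI'] ?? '/';
    if (strpos($uri, $path) !== 0) {
        $problems[] = "session.cookie_path=$path does not cover $uri";
    }

    // Informational: no cookie arrived at all (first visit, or rejected).
    if (!isset($cookies[$name])) {
        $problems[] = "no $name cookie in this request (first visit or cookie rejected)";
    }
    return $problems;
}

foreach (session_cookie_precheck($_SERVER, $_COOKIE) as $problem) {
    error_log("session precheck: $problem");   // lands in the PHP/web server error log
}
session_start();
```

Run it on the setup from the question (cookie_secure = On, http://localhost) and the first line logged is the `cookie_secure` mismatch on every reload, which is the diagnostic the answer had to find by hand.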