
[UPDATED with code]

I have a strange session problem that only seems to occur the first time someone accesses the page.

If you go to the following page and click Next Step you may find that you get sent to a page not found page. If you then go back to the link and press Next Step again this time it will work.

https://pulse.gd/Xchbeb

The weird thing is that if you clear your cookies and all other browser related history the issue doesn't seem to occur again. Nor does it if you try from a different browser.

I have had a look at the Resources tab on Chrome and can see that the session isn't saved initially but is on the second attempt.

These are the relevant parts of the code. So at the beginning of the script:

// set the http headers
header("Content-Type: text/html;charset=utf-8");
header("X-XSS-Protection: 1; mode=block");
header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
header("X-Content-Type-Options: nosniff");
header("X-Permitted-Cross-Domain-Policies: master-only");

session_set_cookie_params ( $lifetime = 0, $path = "/", $domain= "pulse.gd", $secure = TRUE, $httponly = true );

// set-up the session handler
session_set_save_handler("sess_open", "sess_close", "sess_read", "sess_write", "sess_destroy", "sess_gc");
register_shutdown_function("sess_shutdown");

then at the top of the function that is being called:

session_start();

then, when it has built the array to be passed to the next step:

// store the step array in the session object
$_SESSION['stepArray'] = serialize($stepArray);

At which point it (should) display the next page. This is handled by Smarty.

Does anyone have any suggestions?

Thanks

Martin
williamsdb

1 Answer


A rewrite of your code:

I'm pretty sure you don't need half those headers and most of those session settings are invalid syntax.

// set the http headers
header("Content-Type: text/html;charset=utf-8");
//header("X-XSS-Protection: 1; mode=block");
//header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
header("X-Content-Type-Options: nosniff");
//header("X-Permitted-Cross-Domain-Policies: master-only");

session_set_cookie_params( 0, "/", "pulse.gd", TRUE, true );

/*** What is the intended purpose of these below functions? **/
// I'm pretty sure you don't need to set these. 
// UNLESS they've been set in place by Smarty, in which case leave them.
// set-up the session handler
// session_set_save_handler("sess_open", "sess_close", "sess_read", "sess_write", "sess_destroy", "sess_gc");
// register_shutdown_function("sess_shutdown");

The error may well be in your sess_open function, which I really doubt you actually need.

  • I would also say that if your page is 5k lines of code that you're doing it wrong.
  • Do not put session_start at the top of a function it needs to be at the top of the page that is being sent to the browser.
  • Also research and implement PHP Error Logging.
  • RE: session_set_save_handler, please check this answer: https://stackoverflow.com/a/13963907/3536236
Martin
  • A few points. I didn't say that the 5k lines of code were in one file... I have PHP error logging and that hasn't helped. The session_start is called first. The lines you have commented out are definitely needed as they implement storing the session in the database rather than on the server. I can see the session created in the database but a new PHPID seems to be being generated, which I probably should have stated at the outset. I will look at the headers though, thanks! – williamsdb Apr 07 '16 at 10:38
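The question and the answer both turn on the same three pieces: a database-backed session save handler, the cookie parameters, and where session_start() sits relative to output. The following is an added example, not code from the question, the answer or the asker's site, showing how those pieces fit together with the object form of session_set_save_handler. It uses an in-memory SQLite database through PDO so it runs stand-alone; the sessions table layout, the PdoSessionHandler class name and the sample step array are assumptions for the example, and the domain pulse.gd is taken from the question.

```php
<?php
// Added example (not from the original question or answer): a database-backed
// session handler implemented with SessionHandlerInterface and PDO.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db)
    {
        // Table layout is an assumption for this example.
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS sessions (
                id TEXT PRIMARY KEY,
                data TEXT NOT NULL,
                updated_at INTEGER NOT NULL
            )'
        );
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // The session id arrives in a client cookie, so it is untrusted input:
        // always bind it, never interpolate it into the SQL string.
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetchColumn();
        // PHP expects an empty string (not false) for a session that has no
        // stored data yet; returning false here is treated as a read failure.
        return $row === false ? '' : (string) $row;
    }

    public function write(string $id, string $data): bool
    {
        // $data is already serialized by PHP; store it as-is.
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, updated_at) VALUES (:id, :data, :t)'
        );
        return $stmt->execute([':id' => $id, ':data' => $data, ':t' => time()]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE updated_at < :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$handler = new PdoSessionHandler($db);

// Everything below must run before any output is sent and before session_start().
// The second argument registers session_write_close() as a shutdown function,
// which replaces a hand-written register_shutdown_function("sess_shutdown").
session_set_save_handler($handler, true);

session_set_cookie_params([
    'lifetime' => 0,          // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => 'pulse.gd', // from the question
    'secure'   => true,       // browsers only send it back over HTTPS
    'httponly' => true,       // not readable from JavaScript
    'samesite' => 'Lax',      // added here: not sent on cross-site POSTs
]);

session_start();

// PHP serializes $_SESSION itself, so the array can be stored directly.
$_SESSION['stepArray'] = ['step' => 2, 'choices' => ['a', 'b']]; // constructed sample

// Commit the session explicitly once the response is built, so the handler's
// write() has definitely run before any later exit() or redirect.
session_write_close();

// Check: the row written for this session id should now exist in the table.
$stmt = $db->prepare('SELECT data FROM sessions WHERE id = :id');
$stmt->execute([':id' => session_id()]);
echo $stmt->fetchColumn() !== false ? "session row written\n" : "no session row\n";
```

Two checks follow from the cookie block above. With secure set to true the browser only returns the cookie on HTTPS requests, so every page in the flow, including the one that issues the cookie, has to be served over HTTPS or the next request arrives without a session id and PHP starts a fresh one. And because the handler's read() must return an empty string rather than false for an unknown id, a handler that returns false (or null) on a miss makes PHP treat every first visit as a failed read; the asker's symptom of a fresh PHPSESSID on the first request is exactly what to look for in that function.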