
I am using Facebook's PHP SDK for validating users to leave comments and it works quite well. Once validated, I store the user information in a session variable, but first call session_regenerate_id() and then reload the page. When the page reloads, the old session data is still available, including the Facebook SDK state variable; however, the session variable I added is not available. The following is a snippet of the code:

session_regenerate_id();
$_SESSION[...] = ...;

header('Location: ...');
die();

If I take out the session_regenerate_id() then everything works perfectly. Any ideas what I am doing wrong?

EDIT

If I log session_id() every page load, I see that session_regenerate_id() generates a new id and the session contains everything I expect. However, when the page reload occurs, the session id is the previous session id and not the new one, hence I cannot access the new session variables. Why would this happen?

steveo225
  • `"; print_r($_SESSION); ?>` – Alive to die - Anant Jul 26 '16 at 12:36
  • Why are you doing the `session_regenerate_id();` if you have a session use it – RiggsFolly Jul 26 '16 at 12:38
  • @Anant I did that and everything looks good. However, while testing that again, I did notice that the session id reported after the `session_regenerate_id()` is not the same when I reload the page, which is still the old session. So, I guess the question becomes, why isn't the session id actually changing? – steveo225 Jul 26 '16 at 12:51
  • @RiggsFolly http://stackoverflow.com/questions/22965067/when-and-why-i-should-use-session-regenerate-id (When and why I should use session_regenerate_id()?) – steveo225 Jul 26 '16 at 12:52

1 Answer


After a lot of logging and scanning the headers being sent and received, I determined that when the initial session was created, the domain used for the cookie was: .domain.com (without the www). However, session_regenerate_id() was setting the domain for the cookie to: www.domain.com. When the browser made a determination of which to send, it always sent the original one, so the session used was always the old one. Once I manually deleted that cookie, everything worked fine.

To ensure this sort of thing doesn't happen again, I added the following before starting my session:

session_set_cookie_params(0, '/', $_SERVER['SERVER_NAME'], true, true);

What is odd is that the .htaccess file enforces www.domain.com for consistency, so I am not sure why the initial cookie's domain was set the way it was.

steveo225
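As an added example (not code from the question or the answer above), the following PHP shows one way to apply the answer's fix defensively: pin the session cookie scope explicitly before session_start(), regenerate the id after login so the pre-authentication id cannot be replayed, and log when the browser sends two cookies with the session name, which is exactly the `.domain.com` vs `www.domain.com` collision the answer diagnosed. The function names, the canonical host value and the sample Cookie header are constructed for this example; the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example, not from the original post. Assumes PHP 7.3+ for the array
// form of session_set_cookie_params(); function names are hypothetical.

declare(strict_types=1);

/**
 * Count how many times a cookie named $name appears in a raw Cookie header.
 * Browsers send every cookie whose scope matches, so a count above 1 means
 * the client holds both a host-only ("www.domain.com") copy and a domain-wide
 * (".domain.com") copy. PHP uses whichever the browser listed first, which is
 * why a regenerated id can appear to "not stick".
 */
function countCookieOccurrences(string $cookieHeader, string $name): int
{
    $count = 0;
    foreach (explode(';', $cookieHeader) as $pair) {
        $pair = trim($pair);
        if ($pair === '') {
            continue;
        }
        $eq  = strpos($pair, '=');
        $key = $eq === false ? $pair : substr($pair, 0, $eq);
        if ($key === $name) {
            $count++;
        }
    }
    return $count;
}

/**
 * Start the session with an explicit, consistent cookie scope. Pinning the
 * domain to one canonical host (no leading dot) prevents the split that made
 * the regenerated id invisible to the server in the question.
 */
function startSessionWithPinnedCookie(string $canonicalHost): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => $canonicalHost, // constructed value, e.g. 'www.example.com'
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Surface the stale-cookie condition in logs instead of silently
    // serving the old session.
    $header = $_SERVER['HTTP_COOKIE'] ?? '';
    if (countCookieOccurrences($header, session_name()) > 1) {
        error_log('Duplicate ' . session_name()
            . ' cookies received; check the cookie domain configuration');
    }
}

/**
 * Call once the user is authenticated. Passing true deletes the old session
 * data so the pre-login id cannot be reused (session fixation defence).
 */
function promoteSessionAfterLogin(array $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

// Constructed sample header reproducing the collision described in the answer:
$sampleHeader = 'PHPSESSID=oldid123; fb_state=abc; PHPSESSID=newid456';
var_dump(countCookieOccurrences($sampleHeader, 'PHPSESSID'));
```

Two points about the design: the domain is taken from a configuration constant rather than `$_SERVER['SERVER_NAME']` as in the answer, because on Apache with `UseCanonicalName Off` (the default) SERVER_NAME is derived from the request's Host header, so the cookie scope would follow whatever host the client asked for; and `session_regenerate_id(true)` is preferred over the bare call because it removes the old session file, which the bare call leaves readable under its previous id until garbage collection.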