6

My script, test.php, is below. When I click on Submit, it processes this as a login attempt and successfully sets up $_SESSION variables. But when I reload the page (by clicking a link back to itself), $_SESSION is empty.

<?php
    //test.php

    session_start ();

    function isUserLoggedIn (&$username)    
    {
        $loggedIn = isset ($_SESSION['loggedin']);
        if ($loggedIn) 
            $username = $_SESSION['user']; 
        else 
            $username = ''; 

        return $loggedIn;
    }

    function processLogin () 
    {               
        $_SESSION['loggedin'] = TRUE;
        $_SESSION['user']  = "podunk";

        session_write_close ();         
    } 

    echo '$_SESSION before we do anything..................: '; 
    print_r ($_SESSION); 
    echo "<br>";

    if (isset($_POST['Submit'])) processLogin ();

    $loggedIn = isUserLoggedIn ($username); 

    echo '$_SESSION after processing any login attempt: '; 
    print_r ($_SESSION); 
    echo "<br>";

    if ($loggedIn) 
        echo "I AM LOGGED IN as $username!"; 
    else 
        echo "I am logged out :(";
?>

<html>
  <body>    
    <form name="form1" method="post" action="test.php"> 
        <input type="submit" name="Submit" value="Login">
    </form>

    <a href="test.php">Reload page</a>
  </body>
</html>

This is when I run it on my Linux apache2 server. When I run it on XAMPP, $_SESSION persists and the user remains logged in. So I am guessing it's something to do with php.ini... but maybe I've got a mistake here and XAMPP is being forgiving.

The Linux server is successfully running WordPress, so its setup can't be too strange. Just did a system upgrade, as recommended. The session.save_path exists and has something in it dated today, so I assume it's working, although it's owned by root not www-data, so IDK if that's an issue.

Here are some other things from php info. IDK about that cookie_path, so I changed it to the same place as session.save_path, FWIW.

| Directive | Local Value | Master Value |
|---|---|---|
| session.auto_start | On | On |
| session.cache_expire | 180 | 180 |
| session.cache_limiter | nocache | nocache |
| session.cookie_domain | no value | no value |
| session.cookie_httponly | Off | Off |
| session.cookie_lifetime | 0 | 0 |
| session.cookie_path | / | / |
| session.cookie_secure | Off | Off |

Behavior is the same using Chrome, Firefox, and IE.

TIA.

RiggsFolly
Topological Sort
  • you can check that you have the permission to write in the directory where sessions are stored. – Kobi Feb 09 '18 at 15:43
  • Is your PHP configuration set to allow cookie based sessions? session.use_cookies http://php.net/manual/en/session.configuration.php#ini.session.use-cookies – Leigh Feb 09 '18 at 15:54
  • Can you test if `session_write_close()` returns `true` or `false`? – Mat Feb 09 '18 at 16:07
  • R: `$var_dump($_COOKIE)` does show some cookies; none of them change when I reload the page, but none of them look relevant (they aren't named "session_id" or "session" or anything like that). – Topological Sort Feb 09 '18 at 19:45
  • Louis: It doesn't seem to return either! It returns '', empty string. Which doesn't match what PHP.net says it's allowed to return. – Topological Sort Feb 09 '18 at 19:48
  • Leigh: Yes, session.use_cookies is set to 1. IDK if that's good. – Topological Sort Feb 09 '18 at 19:52
  • K: www-data did not have permission to write. I temporarily made it writeable. It now adds a session every time I log in and two new sessions every time I reload the page w/o login. But I still get the same behavior. I wonder if this "I have to make tons of sessions and never keep the same one" is the problem, and why it's doing it. – Topological Sort Feb 09 '18 at 20:02
  • can you post the http headers of the first response and of the second request? There should be the PHPSESSIONID cookie variable – Arsenio Siani Feb 12 '18 at 17:29
  • Can you check who owns the session files? is it www-data or root? Just run ls -l in your session folder. – Jannes Botis Feb 12 '18 at 21:24
  • If you are using the PHP and Apache with default settings the session must work. Did you do any changes in your php.ini? – Praneeth Nidarshan Feb 13 '18 at 11:36
  • Jannes: root owns the session file. – Topological Sort Feb 16 '18 at 18:17
  • P: The only changes I've made in php.ini are as described here. diff shows that I no longer have allow_call_time_pass_reference = Off safe_mode = Off safe_mode_protected_env_vars = LD_LIBRARY_PATH, but I think that's because my backup was made before the latest regular update. html_errors is now set to On, session.use_strict_mode is now 0, session.auto_start is now 1, and session.save_path is now /tmp as suggested below. – Topological Sort Feb 16 '18 at 18:24
  • Arsenio: $_COOKIE['PHPSESSID'] is nonempty and is the same whether I log in or reload the page. So it looks OK AFAIK. – Topological Sort Feb 16 '18 at 18:27
  • Try this: 1) Create "/tmp/sessions" folder, 2) chown www-data:www-data /tmp/sessions 3)ini_set('session.save_path', '/tmp/sessions'); Check owner sessions files again in that folder. – Jannes Botis Feb 16 '18 at 18:38
  • Thanks, Jannes; done, and php5 and apache2 restarted. Even though $_COOKIE['PHPSESSID'] is giving a consistent string, I am not seeing any sessions in /tmp/sessions, /tmp (where I had it before), or the location I had it when I first started this question. IDK where they are. – Topological Sort Feb 16 '18 at 20:09
  • try echo ini_get('session.save_path'); – Jannes Botis Feb 16 '18 at 20:30
  • Ah, good. Did that. /tmp/sessions it is. Lots of sessions there now. They belong to www-data. – Topological Sort Feb 16 '18 at 22:01
  • ...looks like they're growing by the second. I'd better write-protect that directory – Topological Sort Feb 16 '18 at 22:02
  • 1
    Did you try this link? It's the same question: [https://stackoverflow.com/questions/17242346/php-session-lost-after-redirect](https://stackoverflow.com/questions/17242346/php-session-lost-after-redirect) – Abdelhamid Elmokadem Feb 17 '18 at 18:45
  • Try adding exit(): at the end of the file and if that does not work, try using ob_flush. And try setting header() to no-cache. – Nitin Feb 17 '18 at 20:18
  • Try to set `error_reporting` to `E_ALL`. Maybe it'll help. – Nestor Yanchuk Feb 17 '18 at 22:14
  • Nestor: yes, did that. – Topological Sort Feb 19 '18 at 14:03
  • Nitin: I just added to the end of the file; no effect yet. – Topological Sort Feb 19 '18 at 14:15
  • Thanks for the link, Abdelhamid. As I look over, I see that I don't have register_globals showing up in phpinfo() or in php.ini, and I see it's been deprecated. I was about to try sessions_save_path but I think I have something... – Topological Sort Feb 19 '18 at 14:22
  • I HAVE A PERSISTENT SESSION. I am posting below under Jannes's answer. – Topological Sort Feb 19 '18 at 14:25

3 Answers

1

The flow of your script is basically this

start the session

run processLogin();

run isUserLoggedIn()

However, in your processLogin() you force the session to close using session_write_close(). Therefore, when you get to isUserLoggedIn() and query the contents of the session (which is now closed), it looks like you are not logged in.

Try running the code without forcing the session to close.

I have to say I would have been asking why this appears to work on one of your environments!

RiggsFolly
0

There seem to be 2 issues:

1) Your session.save_path was not writable. You have fixed this as I understand from your comments. Anyway, try to set this on top of your script, just to be sure:

ini_set('session.save_path', '/tmp');

2) You are confusing session.cookie_path with session.save_path; these 2 settings are completely different things. Set session.cookie_path to /; this refers to your URL path.

ini_set('session.cookie_path', '/');

How to make the session directory writable in Unix

  1. Create "/tmp/sessions" directory
  2. Run in terminal chown www-data:www-data /tmp/sessions
  3. ini_set('session.save_path', '/tmp/sessions');

Finally, check the owner of the session files in that folder.

Jannes Botis
  • OK, did make those changes and restarted apache2 and php. No help yet. – Topological Sort Feb 16 '18 at 18:16
  • OK, I have something working! I did `chown www-data /tmp/sessions` as you said, and `chmod 700 /tmp/sessions`. (I thought I did this 2 days ago, but I tried it again as I was using others' fixes.) I am alarmed about the number of files that are coming up in this directory so quickly; should I be? ...Will now play around with it a while and see if the solution is robust. – Topological Sort Feb 19 '18 at 14:29
  • Problem solved, including with the pre-[mcve] problem I was originally working on, so it's not any of the other things I was trying. J, I want to ask you to repeat from your earlier comment the fix for the path not being writeable, for posterity; it may be obvious, but it was the fix. Thanks for all your help. – Topological Sort Feb 19 '18 at 14:34
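Added example (not from the thread or its participants): a PHP 7+ script to request through the web server that resolves the effective session.save_path, checks the directory permissions discussed in this answer, and confirms that a session file is actually written. The function names are illustrative, and the final check assumes the flat save_path layout without an "N;" depth prefix.

```php
<?php
// Added diagnostic, not code from the thread. Request it through the web
// server so it runs as the same user (e.g. www-data) that writes sessions.
header('Content-Type: text/plain');

function sessionDirFromIni(string $raw): string
{
    // session.save_path may be "N;/path" or "N;MODE;/path"; the directory is the last field.
    $parts = explode(';', $raw);
    $dir = trim(end($parts));
    // An empty value makes the files handler use the system temp directory.
    return $dir === '' ? sys_get_temp_dir() : $dir;
}

function auditSessionDir(string $dir): array
{
    if (!is_dir($dir)) {
        return ["$dir does not exist or is not a directory"];
    }
    $problems = [];
    $mode = fileperms($dir) & 07777;   // permission bits only, including sticky
    if (!is_writable($dir)) {
        $problems[] = sprintf('not writable by the PHP process (owner uid %d, mode %04o)',
            fileowner($dir), $mode);
    }
    if ($mode & 0044) {
        $problems[] = 'group/other can list it, and sess_* file names are session IDs';
    }
    if (($mode & 0022) && !($mode & 01000)) {
        $problems[] = 'writable by group/other without the sticky bit';
    }
    return $problems;
}

// Session round trip; session.auto_start may already have opened the session.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
$_SESSION['probe'] = time();
$id = session_id();
session_write_close();

$dir = sessionDirFromIni((string) ini_get('session.save_path'));
echo "session.save_path resolves to: $dir\n";
foreach (auditSessionDir($dir) as $p) {
    echo "PROBLEM: $p\n";
}
// Assumes the flat layout (no "N;" depth prefix), where the file is sess_<id>.
echo is_file("$dir/sess_$id") ? "session file written\n" : "session file NOT found\n";
```

A directory owned by the web server user with mode 0700, as the asker ended up with, produces no PROBLEM lines and reports the session file as written.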
0

I am sure that you are closing the session and then calling the functions.

With session_write_close — You Write session data and end the session

Try using session_is_registered — Find out whether a global variable is registered in a session instead of session_write_close so you can see if this data has been registered on your server.

  • I tried that, but it's crashing PHP because I have a recent version and `session_is_registered` is deprecated. – Topological Sort Feb 19 '18 at 14:12
  • I see. You could try and leave it out. If it is server settings you will have to go through logs. There is no need to write the session and close it. If you still have problems let's see what we can do for you on the server side. –  Feb 26 '18 at 11:26
  • Problem resolved (see accepted answer above). Thanks for your help. – Topological Sort Feb 26 '18 at 16:27