I'm on localhost. Much discussion has been done on cookies and sessions on localhost. However, my case appears to be exceptional. I have tried setting cookies in different ways but none seems to work, even $_SESSION array remains empty after setting session variables. I have tried the following combinations to set cookie on my local host:

  • setcookie("name", "value")
  • setcookie("name", "value", 0)
  • setcookie("name", "value", 0, "/", false)
  • setcookie("name", "value", time()+86000, "/", false)
  • setcookie("name", "value", time()+86000)
  • setcookie("name", "value", time()+86000, ".localhost.com")
  • setcookie("name", "value", time()+86000, "localhost.com")
  • setcookie("name", "value", time()+86000, "localhost")
  • setcookie("name", "value", 0, "/", ".localhost.com")
  • setcookie("name", "value", 0, "/", ".localhost.com", false, false)
  • setcookie("name", "value", 0, "/", "localhost")
  • setcookie("name", "value", 0, "/", "localhost.com", false, false)
  • setcookie("name", "value", 0, "/", "localhost.com")

I also edited the session cookie values in the php.ini file to reflect my futile trials with setcookie. I also tried changing the path from "/" to "/user" for all attempts.

I'm using PHP 7.1 on Apache 2.4.33 and configured a "localhost.com" to point to a directory "/app_support" on the document root of my server. I have also configured "app.localhost.com" to point to "/subdomains/app" directory, which is also on the root of the server. I'm accessing my site through "app.localhost.com", then using AJAX to access "localhost.com/user". On "localhost.com/user" directory, I have "user.php", a file with a class User that I use for logging in and setting the cookie.

I have verified in Firefox 60 that the cookie headers are being sent for my custom cookies as well as for the session cookies, so it is clear that it is the browser that rejects them for some reason. I get identical results in Chrome 68 and Chromium 66.

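EDIT: Here are the parts where I'm setting the cookies.

```php
// Issue a fresh session ID at login, then store the user's details in the session.
session_regenerate_id();
$_SESSION['user']['id'] = $user['investor_id'];
$_SESSION['user']['surname'] = $user['surname'];
$_SESSION['user']['name'] = $user['given_name'];
$_SESSION['user']['email'] = $user['email'];

// Selector/authenticator pair for the persistent login cookie.
$selector = $this->generateCode(9);
$authenticator = $this->generateCode(33);
$expiry = time() + 2592000; // 30 days

// The leading dot makes the cookie valid for localhost.com and its subdomains.
setcookie("logged_in", $selector.':'.$authenticator, $expiry, '/', '.localhost.com');
```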

EDIT 2: On Firefox, here are the cookie headers received:

```
logged_in
    domain      .localhost.com
    expires     2018-09-15T08:35:07.000Z
    path        /
    value       F668B2928:417076134356498468FDA03D496336BDA
PHPSESSID
    domain      localhost.com
    httpOnly    true
    path        /user
    value       77h432cjgu25mrnauktnc6s471
```
Supreme Dolphin
  • Can you add remaining codes. – E141 Aug 16 '18 at 08:41
  • @E141 What remaining codes? – Supreme Dolphin Aug 16 '18 at 08:43
  • think it might be useful to see `user.php` and the class that you mention? – Professor Abronsius Aug 16 '18 at 08:45
  • We need to see the script that is setting the cookie. You do remember that cookies have to be sent BEFORE any other output from your script, don't you? – RiggsFolly Aug 16 '18 at 08:48
  • @RamRaider `user.php` is several thousands of lines long. However, everything in that class works as expected (connecting to the database, fetching user information, verifying the information and then logging the user in). I will add the relevant parts where I'm setting the cookies (using `setcookie` and `$_SESSION`) of the code to the question. – Supreme Dolphin Aug 16 '18 at 08:49
  • @RiggsFolly There is absolutely no output before setting the cookies. – Supreme Dolphin Aug 16 '18 at 08:50
  • if you ignore all other files and create a really simple script that just sets a cookie does it work? – Professor Abronsius Aug 16 '18 at 08:52
  • @RamRaider I tried using a file with these contents `` and it did not work. Like I said, I can see the cookie headers being sent to the browser, but the browser ignores them. – Supreme Dolphin Aug 16 '18 at 08:56
  • and your php error log - does it reveal any information that might be useful? – Professor Abronsius Aug 16 '18 at 09:02
  • @RamRaider My error log has nothing cookie-related. Otherwise the cookie headers wouldn't be getting sent to the browser. I have viewed the file to confirm this. – Supreme Dolphin Aug 16 '18 at 09:12
  • @RamRaider, I have added the headers received by the browser – Supreme Dolphin Aug 16 '18 at 09:18
  • Well, do you have anything related to sessions in your code such as `session.save_handler` or `session.save_path`(or `session_set_save_handler` if you're using PHP > 5.4). Please also check your php.ini and if you're using php-fpm also check your www.conf. If you have any of those, also post them here. – Cemal Aug 16 '18 at 10:20
  • @Cemal my `session.save_handler` is set to `files`. However, would that have an effect on normal cookies even though that was a problem? Both session and regular cookies aren't working. – Supreme Dolphin Aug 16 '18 at 10:55
  • Check for your permissions for write access to the folder. – Cemal Aug 16 '18 at 10:56
  • @Cemal I did `sudo chmod -R 777 /var/lib/php/sessions`. Still not working. – Supreme Dolphin Aug 16 '18 at 16:17

1 Answer

So, it turns out my problem was actually exceptional, as it has nothing to do with PHP whatsoever. The problem with the cookies was because I was accessing the page setting the cookies via jQuery.ajax, which causes the browser to automatically reject the cookies, as discussed here, due to CORS regulations. My request is considered cross-domain since I'm sending a request from a subdomain. The solution was not in the PHP, but on the client, as shown in this answer. However, if it is useful to you to have the 'x-requested-with' header retained by applying that solution, then you must manually set the header as shown in this answer.

Supreme Dolphin
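The browser behaviour described in the answer, as an added example that is not part of the original post: a simplified model of the rules deciding whether a `Set-Cookie` header on an XHR/fetch response is stored. The function name `cookieDecision`, the `http` scheme and the sample URLs are assumptions built from the set-up in the question; SameSite, Secure and third-party-cookie settings are ignored.

```javascript
// Simplified model of when a browser keeps cookies set by an XHR/fetch response.
function cookieDecision(pageUrl, requestUrl, withCredentials, responseHeaders) {
  const pageOrigin = new URL(pageUrl).origin;      // scheme + host + port
  const targetOrigin = new URL(requestUrl).origin;

  // Header names are case-insensitive; normalise them once.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = value.trim();
  }

  if (pageOrigin === targetOrigin) {
    return { stored: true, reason: "same-origin request" };
  }
  // Cross-origin XHR defaults to no credentials: Set-Cookie is ignored.
  if (!withCredentials) {
    return { stored: false, reason: "cross-origin request sent without credentials" };
  }
  // With credentials, the server must name the exact origin, not "*".
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === "*") {
    return { stored: false, reason: "wildcard Access-Control-Allow-Origin with credentials" };
  }
  if (allowOrigin !== pageOrigin) {
    return { stored: false, reason: "Access-Control-Allow-Origin does not match page origin" };
  }
  if (headers["access-control-allow-credentials"] !== "true") {
    return { stored: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
  }
  return { stored: true, reason: "credentialed CORS request accepted" };
}

// Constructed sample values modelled on the question's set-up.
const page = "http://app.localhost.com/";
const api = "http://localhost.com/user/user.php";
const corsHeaders = {
  "Access-Control-Allow-Origin": "http://app.localhost.com",
  "Access-Control-Allow-Credentials": "true",
};
console.log(cookieDecision(page, api, false, corsHeaders)); // the failing case
console.log(cookieDecision(page, api, true, corsHeaders));  // after the client-side fix
```

In jQuery the credentials flag is enabled with `xhrFields: { withCredentials: true }` in the `$.ajax` options; the server must then answer with the two CORS headers shown in the sample.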