
My development environment is a VirtualBox Debian VM running on Windows with Apache and PHP. I currently access it in the browser using a specific local IP 192.168.33.10. I've created these two simple test scripts:

stest1.php:

```php
<?php
session_start();
$_SESSION['session_temp_id'] = 12345;
echo session_id();
?>
<a href="stest2.php">go to two</a>
```

stest2.php:

```php
<?php session_start();
echo 'Session Info:';
echo session_id();
var_dump($_SESSION);
phpinfo();
```

If I access this via http://192.168.33.10/stest1.php and navigate to stest2, the session is restored and I can see the ["session_temp_id"]=> int(12345) and the same session id, so it works when using the IP directly.

I'm setting this up to use a specific domain name locally, so I've added ServerName local.mydev.com to my Apache VirtualHost configuration, and I've added 192.168.33.10 local.mydev.com to my hosts file in Windows. When I visit http://local.mydev.com/stest1.php I see the correct page load, so it seems the configuration is working. However, navigating to stest2 gives me a different session id with an empty array for $_SESSION.

From Chrome dev tools, I can see a cookie created for local.mydev.com whose id persists from stest1 to stest2, but it seems for some reason session_start() can't retrieve the session from that cookie.

Here are my session settings from phpinfo() via web:

session

Session Support: enabled
Registered save handlers: files user
Registered serializer handlers: php_serialize php php_binary wddx

| Directive | Local Value | Master Value |
| --- | --- | --- |
| session.auto_start | Off | Off |
| session.cache_expire | 180 | 180 |
| session.cache_limiter | nocache | nocache |
| session.cookie_domain | no value | no value |
| session.cookie_httponly | no value | no value |
| session.cookie_lifetime | 0 | 0 |
| session.cookie_path | / | / |
| session.cookie_secure | 0 | 0 |
| session.gc_divisor | 1000 | 1000 |
| session.gc_maxlifetime | 1440 | 1440 |
| session.gc_probability | 0 | 0 |
| session.lazy_write | On | On |
| session.name | PHPSESSID | PHPSESSID |
| session.referer_check | no value | no value |
| session.save_handler | files | files |
| session.save_path | /var/lib/php/sessions | /var/lib/php/sessions |
| session.serialize_handler | php | php |
| session.sid_bits_per_character | 5 | 5 |
| session.sid_length | 26 | 26 |
| session.upload_progress.cleanup | On | On |
| session.upload_progress.enabled | On | On |
| session.upload_progress.freq | 1% | 1% |
| session.upload_progress.min_freq | 1 | 1 |
| session.upload_progress.name | PHP_SESSION_UPLOAD_PROGRESS | PHP_SESSION_UPLOAD_PROGRESS |
| session.upload_progress.prefix | upload_progress_ | upload_progress_ |
| session.use_cookies | 1 | 1 |
| session.use_only_cookies | 1 | 1 |
| session.use_strict_mode | 0 | 0 |
| session.use_trans_sid | 0 | 0 |

khartnett
  • Please update your question to include your php configuration settings for sessions. For ease of reference, add ` – Will B. Feb 16 '22 at 20:28
  • Sessions are connected to a cookie, and cookies are per-domain. So you can't have a session that works across different domains or IPs. – Barmar Feb 16 '22 at 20:33
  • Thanks Will, updated. Barmar, I understand that, but it's not what I'm trying to do. My intention is to use the domain. When I start at http://local.mydev.com/stest1.php THAT cookie originates from local.mydev.com, and should persist to http://local.mydev.com/stest2.php – khartnett Feb 16 '22 at 20:39
  • According to the manual `session_start()` must be called before outputting anything to the browser to use cookie based sessions. Your `stest2.php` indicates you are outputting text before calling `session_start()` so maybe try without that text? It doesn't seem to matter on my localhost but maybe it does on your system. – cOle2 Feb 16 '22 at 21:37

1 Answer


I've discovered the reason I'm having this issue, and I'm going to admit I did something I should not have. I modified my example to 'simplify' the question. While I posted http://local.mydev.com what I should have posted was http://local.myCompanyWebsite.com. It turns out our production website (https://myCompanyWebsite.com) also had a session going in the browser and the cookies were in conflict.

I found that modifying the domain in my hosts file, or visiting the URL in an incognito window, caused the test scripts to work as expected.

I'm not sure if there's a way to get these to work together, or if it's better to just use a different domain. I did notice the dev cookies had PHPSESSID and production had __utmc. I'm not sure what causes this since both instances list PHPSESSID as session.name.

khartnett
  • Cookies cannot conflict each other, while being for different cookie domains (a different scope). – Martin Zeitler Feb 16 '22 at 22:17
  • @MartinZeitler that’s not entirely true https://stackoverflow.com/questions/18492576/share-cookie-between-subdomain-and-domain – AD7six Feb 16 '22 at 22:24
  • There seems to be something conflicting. Even if I clear the cookie in dev tools and reload, for some reason PHPSESSID will not get set in the cookie info (when using the matching production domain). It will appear however when using incognito mode – khartnett Feb 16 '22 at 22:28
  • The subdomain shouldn't cause a conflict, unless the configuration of `session.cookie_domain` encompasses them. Meaning the server domain name being applied as the default value (none) is being shared between the two virtual servers and should be separated (check hosts). Otherwise the value on the production site is set to `.myCompanyWebsite.com`. One solution should be to use `session.cookie_domain = local.myCompanyWebsite.com`. I also advise using `myCompanyWebsite.local` for dev environments to avoid other related FQDN issues. – Will B. Feb 16 '22 at 22:34
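
The cookie scoping discussed in the comments above, as an added example that is not code from the thread: it models the browser's RFC 6265 domain matching and Cookie header ordering to show how a parent-domain session cookie reaches the dev subdomain alongside the dev site's own host-only cookie. It assumes the production site sets its cookie with `Domain=myCompanyWebsite.com` (the thread raises this only as a possibility); the cookie values and the `DEVSESSID` name are constructed.

```javascript
// RFC 6265 section 5.1.3 domain-match: identical host, or host ends with "." + domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// A host-only cookie (set without a Domain attribute) needs an exact host match;
// a cookie set with Domain=... also goes to every subdomain of that domain.
function isSent(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatch(host, cookie.domain);
}

// Cookie header as a browser builds it (RFC 6265 section 5.4): longer paths first,
// then earlier creation time first. Path matching is omitted; every path here is "/".
function cookieHeader(jar, host) {
  return jar
    .filter((c) => isSent(c, host))
    .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Server-side model: PHP keeps the first occurrence of a duplicated cookie name.
function firstValue(header, name) {
  for (const pair of header.split("; ")) {
    const i = pair.indexOf("=");
    if (i > 0 && pair.slice(0, i) === name) return pair.slice(i + 1);
  }
  return null;
}

// Constructed jar: production cookie stored first with a Domain attribute (assumed),
// dev cookie stored later as host-only (session.cookie_domain = no value).
const DEV_HOST = "local.myCompanyWebsite.com";
const jar = [
  { name: "PHPSESSID", value: "prod-sid", domain: "myCompanyWebsite.com", hostOnly: false, path: "/", created: 1 },
  { name: "PHPSESSID", value: "dev-sid", domain: DEV_HOST, hostOnly: true, path: "/", created: 2 },
];

// Mitigation sketch: give the dev site its own session cookie name (DEVSESSID is made up).
function withDevSessionName(cookies, newName) {
  return cookies.map((c) => (c.hostOnly && c.domain === DEV_HOST ? { ...c, name: newName } : c));
}

console.log(cookieHeader(jar, DEV_HOST));
console.log(firstValue(cookieHeader(jar, DEV_HOST), "PHPSESSID"));
```

On the PHP side the rename corresponds to a different `session.name` on the dev VirtualHost; a dev hostname outside the production domain, as suggested in the thread, removes the overlap entirely.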