When I run the following code on my local machine (macOS using MAMP Pro), it works fine. Yet when I deploy the same to a live server running CentOS, it doesn't want to store the session cookie in my browser.

        $cookieParams = session_get_cookie_params();
        $lifetime     = (!empty($session_lifetime = env('SESSION_LIFETIME'))) ? $session_lifetime * 60 : 3600;

        session_set_cookie_params([
            'lifetime' => $lifetime,
            'path' => $cookieParams['path'],
            'domain' => env('APP_URL'),
            'secure' => true,
            'httponly' => true,
            'samesite' => 'lax' // lax
        ]);

        session_name('WEBSESSION-UUID');
        session_save_path(Path::storage_path('framework/sessions'));
        ini_set('session.gc_probability', 1);
        ini_set('session.gc_maxlifetime', $lifetime);

        if (empty($_SESSION['SESSION_ID'])) {
            if (self::isSessionStarted() === false) session_start();

            $_SESSION['SESSION_ID'] = hash('crc32b', uniqid() . date('Y-m-d H:i:s') . uniqid());
        }

        session_regenerate_id(true);

Sessions are created in the correct location, which is stated in the session_save_path. Yet every time I reload the page, it'll load a new one. The domain is also the exact domain I am using to call the page.

Permissions of the session_save_path folder are set to 755 with apache:apache as the owner.

Sessions are, again, successfully created. If I print the session_id after session_start, it'll output a session. It really appears to be somewhere in the cookie, which has to link the PHP session to the user session.

Am I not noticing something really obvious?

Edit: No errors whatsoever. The only error I got was a permission error, which I fixed by `chown -R apache:apache folder/`.

Mastraio
  • And you're using HTTPS? – Lawrence Cherone Apr 27 '22 at 15:36
  • @LawrenceCherone Yes I am. I'm using Apache + SSL underneath a Varnish/Nginx reverse proxy. Could that be a problem? – Mastraio Apr 27 '22 at 15:38
  • Sessions are just cookies, do you see the cookie directive(s) coming from the server to your browser in your inspection tools? – Chris Haas Apr 27 '22 at 15:40
  • @ChrisHaas If I look under the cookies tab in my browser, it doesn't show the session. But that only goes for the live server. Locally, it does show up correctly. – Mastraio Apr 27 '22 at 15:41
  • How about just in the _Network_ tab, looking at the raw headers being sent, looking for `set-cookie` directives? If you don't see anything, my guess is that Varnish is configured to strip cookies, so you might want to check the VCL. Nginx could be doing it, too, but I know it is a common setting when setting up Varnish, you often have to specifically declare the cookies that you want to pass through. – Chris Haas Apr 27 '22 at 15:48
  • @ChrisHaas They also show that there's "nothing" happening. It could very well be Varnish, since I haven't really configured it much. How could I pass a cookie? – Mastraio Apr 27 '22 at 15:53
  • @ChrisHaas I've tested it without Varnish (disabled Varnish). The site still works and the cookie is still not set. Appears not to be in Varnish. – Mastraio Apr 27 '22 at 16:09
  • In that case, you might want to check out the proxy settings in Nginx, specifically `proxy_set_header`. See this answer for more details: https://stackoverflow.com/a/39716709/231316 – Chris Haas Apr 27 '22 at 16:42
  • @ChrisHaas I've tried that, yet it keeps throwing Bad Requests (400). My website is behind a double proxy (A load balancer and some kind of router) + upstream. I've also tried to set a normal cookie in PHP, using setcookie and those cookies also don't show up in my browser. So it's definitely the passing between the server and browser. – Mastraio Apr 27 '22 at 17:09
  • @ChrisHaas When I use: `proxy_set_header Host $upstream_addr; proxy_set_header X-Forwarded-For $remote_addr; add_header X-Host $host;` — it works, yet still no cookies are passed. – Mastraio Apr 27 '22 at 17:11
  • @ChrisHaas I think I made a mistake. Varnish does seem to be active, so that could be the problem. – Mastraio Apr 27 '22 at 18:06
  • Generally speaking, most people use Varnish because they want to cache HTML, but if you want to use sessions, that means the request needs to bypass the cache so that the origin can make sure that the session is still valid. If this is a site-wide thing, then you might want to reconsider Varnish as an option. If this can be isolated to a "folder", you can probably do some VCL rules around that. The other options are to move your stuff that requires sessions to something like ESI, or to move it to client-side with AJAX, which is what a lot of people do. – Chris Haas Apr 27 '22 at 19:44
  • @ChrisHaas I've discovered what went wrong. There was a header I've set in apache (`Set-Cookie: ^(.*)$ $1; HttpOnly; Secure`) which for some reason broke all server side set cookies. Nginx and Varnish were set correctly fortunately. Anyway, thank you very much for your help! – Mastraio Apr 27 '22 at 20:47
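
The hop-by-hop check the comments work through (PHP, Apache, Nginx, Varnish), as an added example that is not part of the original thread: it compares captured response headers to find the first layer at which the session cookie goes missing or changes. The header dumps, hop names and `example.test` are constructed; real dumps can be captured at each layer with `curl -s -D - -o /dev/null <url>` and, for PHP, `headers_list()`.

```python
# Added example: locate the hop at which a Set-Cookie header is lost or changed.
# Header dumps below are constructed; hop names and example.test are assumptions.

def parse_set_cookies(raw_headers):
    """Map cookie name -> (value, sorted attributes) from a raw header dump."""
    cookies = {}
    for line in raw_headers.splitlines():
        field, sep, rest = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # header names are case-insensitive (HTTP/2 sends lower case)
        pair, *attrs = [part.strip() for part in rest.split(";")]
        name, _, value = pair.partition("=")
        normalised = []
        for attr in filter(None, attrs):
            key, eq, val = attr.partition("=")
            # Attribute names are case-insensitive; values are kept as sent.
            normalised.append(key.strip().lower() + eq + val.strip())
        cookies[name] = (value, sorted(normalised))
    return cookies

def first_divergence(hops, cookie_name):
    """hops: ordered (hop_name, raw_headers) pairs, application first.
    Returns (hop_name, "missing" | "altered") for the first hop where the
    cookie disappears or differs from the previous hop, else None."""
    previous = None
    for hop_name, raw in hops:
        current = parse_set_cookies(raw).get(cookie_name)
        if current is None:
            return hop_name, "missing"
        if previous is not None and current != previous:
            return hop_name, "altered"
        previous = current
    return None

PHP_COOKIE = ("Set-Cookie: WEBSESSION-UUID=abc123; path=/; domain=example.test; "
              "secure; HttpOnly; SameSite=lax")
# Constructed capture: the cookie leaves PHP but is absent from Apache onwards.
HOPS = [
    ("php", "Content-Type: text/html\r\n" + PHP_COOKIE),
    ("apache", "HTTP/1.1 200 OK\r\nContent-Type: text/html"),
    ("nginx", "HTTP/1.1 200 OK\r\nContent-Type: text/html"),
    ("varnish", "HTTP/1.1 200 OK\r\ncontent-type: text/html\r\nx-varnish: 32770"),
]

if __name__ == "__main__":
    print(first_divergence(HOPS, "WEBSESSION-UUID"))
```

A result naming the first web-server hop points at that server's own header rules rather than at the proxies in front of it.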

0 Answers