PHP5 and sessions

[lazylinepainter]

Hi all,

I'm having a lot of trouble configuring PHP5 of recent and i'm adament to get it working!

My session handling isn't working as i expected and i've been googling for ages for an explanation but nothing i understand!

Heres a sample of what i'm trying:

sessionTest1.php

PHP Code:

<?php
session_start();

$_SESSION['sess_var'] = 'Session variable';

echo '<a href="sessionTest2.php">';
?>

then the session doesn't 'carry over' to the next page:

sessionTest2.php:

PHP Code:

<?php
session_start();

echo $_SESSION['sess_var'];
?>

This page does not print the session variable

Although the session data does appear in my session.savepath, /tmp, but does not pass over to other pages.

I have uncommented the session savepath in the php.ini and also set the use cookies thingy to 1

I'm running apache 1.3.27 with PHP5 on Mac OS X. If it matters, i'm using Safari and the latest Firefox!

Please help if you can! I think i should do my best to work with the latest version of PHP than resort to getting the previous version!

Thanks muchly
Stuart

[Shrike]

Your code works exactly as it should on my machine (WinXP SP2/PHP5.0.1), even through your anchor tag is malformed

[lazylinepainter]

Thanks Shrike for taking the time to check it, at least it narrows down the problem!

I've been checking through my php.ini and i'm guessing it must be something to do with that. I'm so new to the Unix environment that i don't know for definite that the directory variables are set correctly. I appreciate this is a little far but i'm going to post the session part of my php.ini, i would really appreciate it if anyone could take a browse and alert me if anything is wrong.

Quote:

Session

; Handler used to store/retrieve data.
session.save_handler = files

session.save_path = "/tmp"

; Whether to use cookies.
session.use_cookies = 1

; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 0.
;session.use_only_cookies = 1

; Name of the session (used as cookie name).
session.name = PHPSESSID

; Initialize session on request startup.
session.auto_start = 0

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0

; The path for which the cookie is valid.
session.cookie_path = ; Name of the session (used as cookie name).
session.name = PHPSESSID

; Initialize session on request startup.
session.auto_start = 0

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0

; The path for which the cookie is valid.
session.cookie_path = /tmp

; The domain for which the cookie is valid.
session.cookie_domain = localhost

; Handler used to serialize data. php is the standard serializer of PHP.
session.serialize_handler = php

this is more or less the stuff i've had to configure in the past!

I realise this is a bit much, but you guys must be used to this! If you recognise anything out of place please tell me

Thanks in advance
Stuart

[Shrike]

I have these settings in my php.ini, I think they might be causing a problem your in your php.ini:

; The path for which the cookie is valid.
session.cookie_path = /

; The domain for which the cookie is valid.
session.cookie_domain =

[The Terminator]

I had this problem a while back when I was starting out with PHP, version 4.0.1 and I found it to be the pathname for the session folder it's self

Looking at my ini file, I see nothing that differs from what you've posted though, sorry

[d~l]

long shot .. do you have a folder /tmp .. or /temp .. or both ??

perhaps leave the default path as blank .. as suggested here ..

http://bugs.php.net/bug.php?id=26757

[The Terminator]

Btw, the /tmp folder is the one that resides under the PHP installation directory, usually

c:/php

But I've seen PHP installed elsewhere In saying that, you can have the sessions directory (and extensions for that matter) whereever you want, provided you change the INI file of course

[d~l]

just to point out a few links I found which discuss the security implications of sessions stored in /tmp default

http://www.zend.com/manual/ref.session.php

which quotes:-

Quote:

session.save_path <string>

Warning
If you leave this set to a world-readable directory, such as /tmp (the default), other users on the server may be able to hijack sessions by getting the list of files in that directory.

Note: Windows users have to change this variable in order to use PHP's session functions. Make sure to specify a valid path, e.g.: c:/temp.

also here ..

http://www.sitepoint.com/blog-post-view.php?id=156260

http://mlsecurity.com/research/?t=phpapache

[youcantry]

Quote:

Originally Posted by d~l

long shot .. do you have a folder /tmp .. or /temp .. or both ??

perhaps leave the default path as blank .. as suggested here ..

http://bugs.php.net/bug.php?id=26757

This is a God-send, d~l - you have no idea how much.

Yes: newbie-ish, here; yes: read the manual and the php.ini notes.

I had created a new folder for session files. In fact, session files were being created, but still, each time I refreshed, a new session ID was generated and the sessions just "weren't working". If I passed the session ID in the URL, I could, in fact get the sessions to work (that is, my counter counted).

Using Win XP (Home) 5.1, IE6, apache 2.0.55, PHP 5.0.3

I read the bug report you listed, which tipped me off that just removing the path will get the system to query the OS. So I set:

session.save_path =

(no value). Still no joy. I was seeing that the path I'd specified earlier was still, in fact, being used. Yes, i'd restarted the server. What on earth was going on???

So I searched the ini for that path. And guess what? I had to *also* set the following:

session.cookie_path =

(to no value)

argh.

Now I did say I was newbie-ish; I've been around long enough to know that I was doing all the right things, reading all the right documentation and following all the right rules - but for some reason, sessions just weren't behaving themselves, and I *don't* think that was my fault in the end. After all - the session files *were* being created. With correct data.

Whatever.

Now. To switch off my full cookie acceptance setting again

Chris.

[audiodef]

I have winXP SP2/PHP5.2/Apache2.2. I have gone through all the forum posts here on sessions in PHP5 and nothing has worked. I installed PHP manually (downloaded the zip file and not the installer) and PHP otherwise works as expected.

I have a little test script that has worked for others on PHP4 and is not working on my localhost:

Code:

<?
if (!session_is_registered('count')) {
   session_register('count');
   $count = 1;
} else {
   $count++;
}
?>

<p>
Hello visitor, you have seen this page <?php echo $count; ?> times.
</p>

<p>
To continue, <a href="test.php?<?php echo strip_tags(SID); ?>">click
here</a>.
</p>

Here's my php.ini

[motowater]

I just had this problem today after reformatting my server. My problem was the /tmp file in the php directory did not exist for some reason. Just be sure in your php folder, you have a folder called /tmp there (assuming you haven't changed it from the default).

[Weedpacket]

Just as another note:

Quote:

; Whether to use cookies.
session.use_cookies = 1

; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 0.
;session.use_only_cookies = 1

If the browser doesn't accept cookies then you'll have trouble with the session not "sticking" on the client side.

[BrownSugar]

How I solve the problem is thus:

In php.ini, I changed


session.cookie_path = /tmp

to

session.cookie_path = "c:\scook"

I then created a folder named scook under c: drive and set the folder security to allow read and write.

I re-booted and session started working as it should.

Hope it helps someone.