
Can't store session data after session_regenerate_id();

Tags:

php

session

I have a webpage where I would like to regenerate the session id when the user logs in. The issue I am having is I run session_regenerate_id(); and then try attaching $_SESSION['user'] = $row; where $row is an array.

I have tried everything in the book, e.g. destroying the session and then starting it again. I have been working on it for at least 2 hours and I have no solution.

I have removed a lot of irrelevant PHP and left some in so you get the gist of what I am trying to do, but here's the script:

<?php
    session_start();
    if(!isset($_SESSION["CSRF"])){
        $_SESSION["CSRF"] = substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, 10);
    }
    if(!empty($_POST)){
        if($_POST["action"]==="login"){
            //querying DB for $_POST values
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
            $login_ok = false;          
            $row = $stmt->fetch(); 
            if($row){ 
                $checked = //check password is okay
                if ($checked) {
                    $login_ok = true; 
                }
            }
            if($login_ok) { 
                session_regenerate_id();                
                unset($row['salt']); 
                unset($row['password']); 
                $_SESSION['user'] = $row;
            }
        }
    }       

I have also tried this, with no luck:

<?php
    session_start();
    if(!isset($_SESSION["CSRF"])){
        $_SESSION["CSRF"] = substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, 10);
    }
    if(!empty($_POST)){
        if($_POST["action"]==="login"){

            //querying DB for $_POST values
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
            $login_ok = false;          
            $row = $stmt->fetch(); 
            if($row){ 
                $checked = //check password is okay
                if ($checked) {
                    $login_ok = true; 
                }
            }
            if($login_ok) {                 
                unset($row['salt']); 
                unset($row['password']); 
                $_SESSION['user'] = $row;
                $arr = $_SESSION;               
                session_regenerate_id(true);
                $_SESSION = $arr;
            }
        }
    }   

EDIT

Sorry I didn't clarify the title, but basically I'll try storing the current session in a variable, then I'll regenerate the session id and try adding the stored session variable into the new session. However, the session id does not contain the old data, and I am not getting any errors.

Yusaf Khaliq asked Feb 22 '14 00:02



1 Answer

I had the very same problem once, but this really is just a shot in the dark because it was such a specific case.

I had two domains, www.domain.com and secure.domain.com. When I went to www.domain.com it set a cookie, however in the cookie params I set the domain to .domain.com, which means that it was used for domain.com and all sub-domains.

Then on secure.domain.com, I also used session cookies, however the domain used in the cookie was secure.domain.com (i.e. it would only work on the secure subdomain). To check if the user was logged in, I did something along the lines of if (isset($_SESSION['username'])) to check if it was set in the session, but since domain.com didn't use the array key username in its sessions, it was receiving the session cookie domain.com without that. Then when I logged in, I would set the username and all worked perfectly fine, up until the point when I regenerated the session ID. As soon as I did this, the user was immediately logged out again. It really took me a long time to figure out what was happening, but basically I was left with two session cookies on the browser, one that was sent to .domain.com and the other sent to secure.domain.com and they were conflicting with each other.

This can be fixed in two ways:

  1. Make the cookie from the main domain only be for the www subdomain and not ALL subdomains.
  2. Use a different session_name() for one of the domains. This was what I did.

Mike answered Sep 27 '22 20:09
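
The cookie conflict described in the answer above, as an added example that is not part of the original answer or the asker's code: a check for duplicate session cookie names in the raw Cookie header, followed by a session setup that uses its own session_name() and a host-only cookie. The session name SECUREAPPSESSID, the function names and the sample header are assumptions made for illustration; the array form of session_set_cookie_params() needs PHP 7.3+ and the arrow function PHP 7.4+.

```php
<?php
// Added example. All names below are hypothetical.

// Return cookie names that occur more than once in a raw Cookie header.
// $_COOKIE keeps only one value per name, so a second session cookie
// (one scoped to .domain.com, one host-only) is invisible there; inspect
// $_SERVER['HTTP_COOKIE'] instead.
function duplicate_cookie_names(string $cookieHeader): array
{
    $counts = [];
    foreach (explode(';', $cookieHeader) as $pair) {
        $name = trim(explode('=', $pair, 2)[0]);
        if ($name !== '') {
            $counts[$name] = ($counts[$name] ?? 0) + 1;
        }
    }
    return array_keys(array_filter($counts, fn($n) => $n > 1));
}

// Start the session under a name the main site does not use, with a
// host-only cookie, so the parent domain's cookie can never shadow it.
function start_app_session(): void
{
    session_name('SECUREAPPSESSID'); // must be called before session_start()
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',    // empty = host-only, not sent to other subdomains
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Rotate the session id on login, then store the user row without secrets.
function log_in(array $userRow): void
{
    session_regenerate_id(true); // true deletes the old session data
    unset($userRow['salt'], $userRow['password']);
    $_SESSION['user'] = $userRow;
}

// Constructed sample header showing the conflict: PHPSESSID appears twice.
$sample = 'PHPSESSID=aaa111; theme=dark; PHPSESSID=bbb222';
print_r(duplicate_cookie_names($sample));
```

Logging the result of duplicate_cookie_names($_SERVER['HTTP_COOKIE'] ?? '') on the login request shows whether the browser is sending two session cookies with the same name.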