I have a webpage where I would like to regenerate the session id when the user logs in. The issue I am having is that I run session_regenerate_id() and then try attaching $_SESSION['user'] = $row, where $row is an array.
I have tried everything in the book, e.g. destroying the session and then starting it again. I have been working on it for at least 2 hours and I have no solution.
I have removed a lot of irrelevant PHP and left some in so you get the gist of what I am trying to do, but here's the script:
<?php
session_start();

// Per-session CSRF token, created once.
if (!isset($_SESSION["CSRF"])) {
    $_SESSION["CSRF"] = substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, 10);
}

if (!empty($_POST)) {
    if ($_POST["action"] === "login") {
        // querying DB for $_POST values
        // ($db, $query and $query_params come from the code removed from this post)
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
        $login_ok = false;
        $row = $stmt->fetch();
        if ($row) {
            // check password is okay (the real check is omitted from the post;
            // check_password() is a placeholder name for it)
            $checked = check_password($_POST["password"], $row["password"], $row["salt"]);
            if ($checked) {
                $login_ok = true;
            }
        }
        if ($login_ok) {
            // new id, then store the user in the (regenerated) session
            session_regenerate_id();
            unset($row['salt']);
            unset($row['password']);
            $_SESSION['user'] = $row;
        }
    }
}
I have also tried this, with no luck:
<?php
session_start();

// Per-session CSRF token, created once.
if (!isset($_SESSION["CSRF"])) {
    $_SESSION["CSRF"] = substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, 10);
}

if (!empty($_POST)) {
    if ($_POST["action"] === "login") {
        // querying DB for $_POST values
        // ($db, $query and $query_params come from the code removed from this post)
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
        $login_ok = false;
        $row = $stmt->fetch();
        if ($row) {
            // check password is okay (the real check is omitted from the post;
            // check_password() is a placeholder name for it)
            $checked = check_password($_POST["password"], $row["password"], $row["salt"]);
            if ($checked) {
                $login_ok = true;
            }
        }
        if ($login_ok) {
            unset($row['salt']);
            unset($row['password']);
            $_SESSION['user'] = $row;
            // copy the session, regenerate the id (deleting the old file), then restore the copy
            $arr = $_SESSION;
            session_regenerate_id(true);
            $_SESSION = $arr;
        }
    }
}
Sorry I didn't clarify the title, but basically I try storing the current session in a variable, then I regenerate the session id and try adding the stored session variable into the new session; however, the new session id does not contain the old data, and I am not getting any errors.
session_regenerate_id() will replace the current session id with a new one, and keep the current session information. When session.use_trans_sid is enabled, output must be started after the session_regenerate_id() call. Otherwise, the old session ID is used.
By default, session data is stored in the server's /tmp directory in files that are named sess_ followed by a unique alphanumeric string (the session identifier).
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called. Note: You do not have to call session_destroy() from usual code.
It must be on every page you intend to use. The variables contained in the session—such as username and favorite color—are set with $_SESSION, a global variable. In this example, the session_start function is positioned after a non-printing comment but before any HTML.
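As an added example (not code from the question or from the PHP manual), here is a login handler written the way the manual text above describes: session_start() before anything else, explicit and identical cookie parameters on every page, and session_regenerate_id(true) called before any output and before the new identity is written. Because regeneration keeps the current $_SESSION contents, there is no need to copy $_SESSION into a variable and restore it afterwards. The PDO handle $db, the users table, its column names and the redirect targets are assumptions for the sake of the example.

```php
<?php
// Added example, not the poster's code. Assumes: a PDO handle $db, a table
// `users` with columns id, username, password_hash, and passwords stored with
// password_hash(). All of these names are assumptions.
declare(strict_types=1);

// Same cookie parameters on every page that starts a session. Mismatched
// path/domain settings between pages are a common cause of "logged out after
// regenerate": the browser ends up with two session cookies for one site.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',      // host-only cookie; use '.example.com' only when sub-domains must share it
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Per-session CSRF token from a CSPRNG (str_shuffle is not suitable for this).
if (!isset($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

/**
 * Verify credentials and bind the user to a freshly generated session id.
 * Returns true on success; $_SESSION['user'] then holds the user row
 * without the password hash.
 */
function login_user(PDO $db, string $username, string $password, string $csrf): bool
{
    // Constant-time comparison of the submitted token with the session's token.
    if (!isset($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $csrf)) {
        return false;
    }

    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Regenerate BEFORE any output and BEFORE storing the identity.
    // session_regenerate_id(true) carries the current $_SESSION data over to
    // the new session file and deletes the old one, so an id obtained before
    // login (session fixation) can no longer be used to reach this account.
    session_regenerate_id(true);

    unset($row['password_hash']);
    $_SESSION['user'] = $row;
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'login') {
    $ok = login_user(
        $db,
        (string)($_POST['username'] ?? ''),
        (string)($_POST['password'] ?? ''),
        (string)($_POST['csrf'] ?? '')
    );
    // Redirect after POST; nothing has been echoed yet, so the new cookie is sent.
    header('Location: ' . ($ok ? '/dashboard.php' : '/login.php?error=1'));
    exit;
}
```

The order of the three calls is the whole point: session_start() creates or resumes the session, session_regenerate_id(true) swaps the id while keeping the data, and only then is $_SESSION['user'] assigned. If the page had already produced output (even a blank line before <?php), the new Set-Cookie header could not be sent and the browser would keep presenting the old, now-deleted id, which looks exactly like "the session does not contain the old data".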
I had the very same problem once, but this really is just a shot in the dark because it was such a specific case.
I had two domains, www.domain.com and secure.domain.com. When I went to www.domain.com it set a cookie, however in the cookie params I set the domain to .domain.com, which means that it was used for domain.com and all sub-domains.
Then on secure.domain.com, I also used session cookies, however the domain used in the cookie was secure.domain.com (i.e. it would only work on the secure subdomain). To check if the user was logged in, I did something along the lines of if (isset($_SESSION['username'])) to check if it was set in the session, but since domain.com didn't use the array key username in its sessions, it was receiving the session cookie domain.com without that. Then when I logged in, I would set the username and all worked perfectly fine, up until the point when I regenerated the session ID. As soon as I did this, the user was immediately logged out again. It really took me a long time to figure out what was happening, but basically I was left with two session cookies on the browser, one that was sent to .domain.com and the other sent to secure.domain.com, and they were conflicting with each other.
This can be fixed in two ways:
1. Set the cookie domain to the www subdomain and not ALL subdomains.
2. Use a different session_name() for one of the domains. This was what I did.
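The two fixes in that answer, as an added example that is not the answerer's code: a small bootstrap included before session_start() that gives each host its own session_name(), scopes the cookie to the current host only, and logs a diagnostic when the browser has sent two session cookies with the same name (the conflicting state described above). The host names and the session name scheme are assumptions.

```php
<?php
// Added example, not from the answer above. Demonstrates both fixes for the
// duplicated-session-cookie problem and a check that detects it.
declare(strict_types=1);

/**
 * Fix 2: one cookie name per host, so www.example.com and secure.example.com
 * can never overwrite each other's session id. (Naming scheme is an assumption.)
 */
function session_name_for_host(string $host): string
{
    $safe = preg_replace('/[^a-z0-9]/i', '', strtolower($host)) ?? '';
    return 'SESS' . strtoupper(substr($safe, 0, 16));
}

/**
 * Browsers send every cookie whose Domain attribute matches the request, so a
 * cookie scoped to .example.com and one scoped to secure.example.com both
 * arrive in a single Cookie header when they share a name. PHP keeps only the
 * first of them in $_COOKIE, so the raw header has to be inspected.
 * Returns a warning string when more than one cookie carries $name.
 */
function duplicate_session_cookie_warning(string $rawCookieHeader, string $name): ?string
{
    $count = 0;
    foreach (explode(';', $rawCookieHeader) as $pair) {
        $parts = explode('=', $pair, 2);
        if (trim($parts[0]) === $name) {
            $count++;
        }
    }
    return $count > 1
        ? "$count cookies named $name received; the session id is ambiguous"
        : null;
}

$host = $_SERVER['HTTP_HOST'] ?? 'www.example.com';   // hypothetical host
$name = session_name_for_host($host);
session_name($name);

// Fix 1: a host-only cookie (empty domain) instead of '.example.com', so the
// cookie set by www never reaches secure and vice versa. Every page on the
// same host must use these exact parameters.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Surface the conflicting-cookie state instead of a silent "logout".
// Constructed sample header for illustration: two cookies with the same name.
// duplicate_session_cookie_warning("SESSWWWEXAMPLECOM=a1; SESSWWWEXAMPLECOM=b2", "SESSWWWEXAMPLECOM")
// returns a warning; a header with a single cookie returns null.
$warn = duplicate_session_cookie_warning($_SERVER['HTTP_COOKIE'] ?? '', $name);
if ($warn !== null) {
    error_log($warn);
}

session_start();
```

With distinct names, a stale cookie from the other host simply does not match and is ignored, so regenerating the id on secure.example.com can no longer be undone by the .example.com cookie the browser is still holding. The diagnostic is worth keeping in place during the migration: it shows up in the error log on exactly the requests where users would otherwise report being logged out for no reason.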