PHP creating new session with each reload

Question

For my website, session management mostly works ok. Sessions are created, saved and used later without problems.

But when the code is using session_start(), it always creates new, totally empty session. Code in question below.

header('Content-Type: text/html; charset=UTF-8');

$main_domain = $_SERVER["HTTP_HOST"];
$expld = explode('.', $main_domain);

if(count($expld) > 2) {
   $tld = array_pop($expld);
   $domain = array_pop($expld);
   $main_domain = $domain . "." . $tld;
}

session_set_cookie_params (0, '/', $main_domain);
session_name('sid');
session_start();
echo session_id();
exit;

When this script is executed, in every reload new session is created.

smar@ran ~> ls /tmp/sess_* | wc -l
10
smar@ran ~> ls /tmp/sess_* | wc -l
11
..
smar@ran ~> ls /tmp/sess_* | wc -l
17

But only the one of those sessions has any data inside it, and is used by application.

Output in browser is always same: 87412d5882jr85gh5mkasmngg7, which is id in browser’s cookie and session id in /tmp that has data populated to it.

What could be cause of this behaviour? Those empty files aren’t exactly huge problem, but they do make /tmp (or session dir) quite populated for no reason.

EDIT 1:

Looks like this is server related problem, since it works for some people. My configuration is Gentoo Linux (32 bit) with Apache and PHP 5.3.6.

If I force it to create new session (like removing my own cookie), it creates two session files instead of one. If it reuses old one, it creates “only” one.

EDIT 2:

Session configuration, as requested (all config rows with session.):

session.save_handler = files
session.save_path = "/tmp"
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.bug_compat_42 = On
session.bug_compat_warn = On
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5

EDIT 3:

Even more strangely, I tried to use sessions from CLI. There, where no session cookies are set, it always created one new session. When setting fixed session value with session_id() stopped new session creation altogether and used old session instead.

This behaviour is identical with Apache, so I’m starting to suspect this is bug in PHP. No new sessions created if name specially set with session_id(), and session correctly used.

Even more absurdly, when I took phpsessid from $_COOKIE["PHPSESSID"] and set that to session_id(), it started to create new (useless empty ones) sessions again.

EDIT 4:

Since I didn’t write it enough clearly: simply having

session_start()

as single argument causes this problem to happen, it is not specific to my code.

Answer 1

Cookies are only returned to the vhost / path where they were set from.

Since your path is '/', that implies that the pages are not being requested via $domain . "." . $tld;

e.g. user requests page via www.example.com

cookie is set for example.com

user access subsequent page from www.example.com - the cookie is not in scope.

From RFC 2965

x.y.com domain-matches .Y.com but not Y.com.

Actually, if you read on, the spec does say that the user agent should prefix the host with a dot if none is supplied however you getting into the realm where browser behavuiour varies.

If you simply return the cookie with a vhost matching the request it will work as expected.