
PHP creating new session with each reload

Tags:

php

session

For my website, session management mostly works ok. Sessions are created, saved and used later without problems.

But when the code is using session_start(), it always creates a new, totally empty session. The code in question is below.

header('Content-Type: text/html; charset=UTF-8');

$main_domain = $_SERVER["HTTP_HOST"];
$expld = explode('.', $main_domain);

if(count($expld) > 2) {
   $tld = array_pop($expld);
   $domain = array_pop($expld);
   $main_domain = $domain . "." . $tld;
}

session_set_cookie_params (0, '/', $main_domain);
session_name('sid');
session_start();
echo session_id();
exit;

When this script is executed, a new session is created on every reload.

smar@ran ~> ls /tmp/sess_* | wc -l
10
smar@ran ~> ls /tmp/sess_* | wc -l
11
..
smar@ran ~> ls /tmp/sess_* | wc -l
17

But only one of those sessions has any data inside it and is used by the application.

The output in the browser is always the same: 87412d5882jr85gh5mkasmngg7, which is the id in the browser’s cookie and the session id in /tmp that has data populated to it.

What could be the cause of this behaviour? Those empty files aren’t exactly a huge problem, but they do make /tmp (or the session dir) quite populated for no reason.

EDIT 1:

Looks like this is a server-related problem, since it works for some people. My configuration is Gentoo Linux (32 bit) with Apache and PHP 5.3.6.

If I force it to create a new session (like by removing my own cookie), it creates two session files instead of one. If it reuses an old one, it creates “only” one.

EDIT 2:

Session configuration, as requested (all config rows with session.):

session.save_handler = files
session.save_path = "/tmp"
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.bug_compat_42 = On
session.bug_compat_warn = On
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5

EDIT 3:

Even more strangely, I tried to use sessions from the CLI. There, where no session cookies are set, it always created one new session. Setting a fixed session value with session_id() stopped new session creation altogether and used the old session instead.

This behaviour is identical with Apache, so I’m starting to suspect this is a bug in PHP. No new sessions are created if the name is specially set with session_id(), and the session is correctly used.

Even more absurdly, when I took phpsessid from $_COOKIE["PHPSESSID"] and set that to session_id(), it started to create new (useless, empty) sessions again.

EDIT 4:

Since I didn’t write it clearly enough: simply having

session_start()

as single argument causes this problem to happen, it is not specific to my code.

Smar asked Jul 25 '11 11:07



1 Answer

Cookies are only returned to the vhost / path where they were set from.

Since your path is '/', that implies that the pages are not being requested via $domain . "." . $tld;

e.g. user requests page via www.example.com

cookie is set for example.com

user accesses a subsequent page from www.example.com - the cookie is not in scope.

From RFC 2965

x.y.com domain-matches .Y.com but not Y.com.

Actually, if you read on, the spec does say that the user agent should prefix the host with a dot if none is supplied; however, you are getting into the realm where browser behaviour varies.

If you simply return the cookie with a vhost matching the request it will work as expected.

symcbean answered Oct 02 '22 01:10
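
The domain-match rule quoted in the answer, written out as an added PHP example (not code from the question or the answer), together with one way to pick the cookie domain from a fixed allowlist instead of deriving it from the client-supplied Host header. The function names, host names and allowlist are assumptions made for illustration.

```php
<?php
// Added example; host names and the allowlist are constructed for illustration.

/**
 * RFC 2965 domain-match: the strings are equal, or $host ends with a
 * $domain that begins with a dot ("x.y.com domain-matches .Y.com but not Y.com").
 */
function domain_matches($host, $domain)
{
    $host = strtolower($host);
    $domain = strtolower($domain);
    if ($host === $domain) {
        return true;
    }
    return $domain !== '' && $domain[0] === '.'
        && strlen($host) > strlen($domain)
        && substr($host, -strlen($domain)) === $domain;
}

/**
 * Choose the session cookie Domain from a fixed allowlist rather than by
 * splitting the client-supplied Host header into its last two labels.
 * Returns '' (host-only cookie) when the host is not on the allowlist.
 */
function cookie_domain_for($hostHeader, array $allowedBases)
{
    $host = strtolower(preg_replace('/:\d+$/', '', $hostHeader)); // drop :port
    foreach ($allowedBases as $base) {
        if ($host === $base || domain_matches($host, '.' . $base)) {
            return '.' . $base; // explicit leading dot, so subdomains match
        }
    }
    return '';
}

$allowed = array('example.com'); // constructed allowlist

// The case from the answer: Domain without and with the leading dot.
var_dump(domain_matches('www.example.com', 'example.com'));
var_dump(domain_matches('www.example.com', '.example.com'));

foreach (array('www.example.com', 'example.com', 'shop.example.com:8080', 'unknown.test') as $h) {
    printf("%-22s Domain=%s\n", $h, var_export(cookie_domain_for($h, $allowed), true));
}

// In the page's script, the result would replace $main_domain:
// session_set_cookie_params(0, '/', cookie_domain_for($_SERVER['HTTP_HOST'], $allowed));
```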