
PHP session data changes in Internet Explorer

I've defined a session to store a token using PHP like below:

$_SESSION['token'] = sha1(uniqid(mt_rand(), true));

When I want to read this session, I don't have any problem in Chrome or Firefox. But in IE, it changes to something else before regenerating. For example, if I store its value in a hidden field of a form and submit it like this:

<input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" />

I will get this result in IE on the next page:

echo $_SESSION['token']; // shows 1b05fab5ec11f1d50713aea6e74f84727d29b4a3
echo $_POST['token']; // shows e8fac6d55b04d1752f37ecde953f7f08b112ccca

Whereas if I print $_SESSION['token'] immediately after creation, or even at the end of its creation page, it shows the content exactly and with no problem.

What is the cause of this problem?

Edit:
This is my form:

<form action="process/login.php" method="post">
   <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" />
   <label>Email: </label><input type="text" name="email" />
   <div class="space"></div>
   <label>Password: </label><input type="password" name="password" />
   <div class="space"></div>
   <input type="submit" value="Login" class="button" />
</form>
Mohammad Saberi asked Mar 01 '14 14:03


1 Answer

Since PHP and session storage are server side and IE is obviously a client, the problem does not reside in your session code.

Sessions are usually kept track of by a cookie (session cookie) or through a POST/GET variable. By default in PHP this value is named PHPSESSID.

Probably, in your case either the session cookie or POST/GET variable that is linked to your server side session is not coming over okay in IE. In case of a cookie, it might have to do with cookie settings and whether or not cookies are allowed at all. In case of a POST/GET it could be that your HTML is malformed in a way that IE doesn't like, but other browsers do understand.

Now once that value is lost in IE, PHP assigns that browser a new session on each request, and the session token is regenerated on each request. But your hidden field remembers the old token as well...

If you show us more code (you can edit your question), I can edit my answer to give you more details.

Edit: You can start by showing us the relevant php.ini setting lines that concern sessions and session cookies, and by double-checking your IE cookie settings. Specifically, I would like to know if you have set a cookie_path, making cookies only available in the same directory.

Maybe you even have an IE security setting or add-on installed preventing cookies. So try checking your IE settings and disable all add-ons and test it again.

Also check if the first page (that sets the session) and the second page (that reads the session) have EXACTLY the same domain name.

So for example www.yourdomain.com in the first page, should not be yourdomain.com on the second page (without the www) or www.yourdomain.com. (with an extra dot at the end).

nl-x answered Sep 27 '22 17:09
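
A way to test the answer's explanation on your own server, as an added example that is not part of the original question or answer: the page creates the token once per session and, on POST, reports whether the session cookie came back before it compares tokens. The single-file layout, the `diagnose` helper and the use of `random_bytes` (PHP 7+) in place of the question's `sha1(uniqid(...))` are assumptions of this example.

```php
<?php
// Added diagnostic example; not code from the question or the answer.
session_start();

// Did the browser send back the session cookie? If not, PHP has just started
// a brand-new session and any token stored by the previous page is gone.
$cookieReturned = isset($_COOKIE[session_name()]);

// Create the token once per session, never on every request.
$isNewToken = !isset($_SESSION['token']);
if ($isNewToken) {
    $_SESSION['token'] = bin2hex(random_bytes(20)); // CSPRNG, 40 hex chars
}

// Hypothetical helper: name the most likely reason a posted token is rejected.
function diagnose(bool $cookieReturned, bool $isNewToken, string $sessionToken, $posted): string
{
    if (!is_string($posted) || $posted === '') {
        return 'no token posted';
    }
    if (!$cookieReturned) {
        return 'session cookie not returned: check cookie path/domain and browser cookie settings';
    }
    if ($isNewToken) {
        return 'cookie returned but session held no token: session data expired or was never saved';
    }
    // Constant-time comparison of the stored and the submitted token.
    return hash_equals($sessionToken, $posted) ? 'token ok' : 'token mismatch';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: text/plain');
    echo diagnose($cookieReturned, $isNewToken, $_SESSION['token'], $_POST['token'] ?? null), "\n";
    // Effective cookie scope: the php.ini settings the answer asks about.
    $p = session_get_cookie_params();
    echo 'cookie path=', $p['path'], ' domain=', $p['domain'], "\n";
    exit;
}
?>
<form action="" method="post">
   <input type="hidden" name="token" value="<?php echo htmlspecialchars($_SESSION['token'], ENT_QUOTES); ?>" />
   <input type="submit" value="Submit" />
</form>
```

To reproduce the question's layout, move the POST branch into a script in a subdirectory such as process/ and compare the reported cookie path with that directory.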