I have an odd situation that's come up on my production server. However, it's not a problem in my local development environment. Here's a test script with which I can replicate the problem:
<?php
session_start();
$_SESSION['test'] = 'test';
echo 'session_id(): '.session_id();
session_write_close();
?>
<form method="POST">
<input type="submit" value="Post to self" />
</form>
If I load this page in my browser, and refresh the page (CTRL+R), I'm shown the same session_id() value each time.
However, if I then click the submit button, I get two different outcomes:
session_id() value (the expected outcome).session_id() value.Further, on the production server, if I then reload the page again I get the original session_id() value back.
How do I get the production server to persist the session_id() value? Any advice would be greatly appreciated.
Thanks!
Details From Comment: In the basic example I posted, it's like this:
array(5) {
["lifetime"]=> int(0)
["path"]=> string(1) "/"
["domain"]=> string(0) ""
["secure"]=> bool(false)
["httponly"]=> bool(false)
}
In the actual production code it's like this:
array(5) {
["lifetime"]=> int(0)
["path"]=> string(1) "/"
["domain"]=> string(0) ""
["secure"]=> bool(true)
["httponly"]=> bool(true)
}
(I'm using HTTPS in production).
Sorry everyone; wild goose chase. On my host's advice, I had run EasyApache to upgrade the server to PHP to v5.5. In doing so the PHP handler had inadvertently been switched to something other than SuPHP, and was therefore having read permissions issues on the session files in /tmp. As a result, PHP was continually generating new session files.
Edit: I should also note that is_writable(session_save_path()) was returning true, which is what misled my understanding of the problem.
// session_regenerate_id()
session_start();
if(isset($_POST)){
$_SESSION['IDONE'] = session_id();
session_regenerate_id();
$_SESSION['IDTWO'] = session_id();
var_dump($_SESSION);
}
Set the "name" attribute to the <input> tag so the $_POST variable will consist of a variable.
Safest way is to tell PHP to use cookies. Requires users to allow session coookies.
session_name(SESSION_NAME);
// PHP 5.2+ Prevent x-domain cookie sess theft. Dont let Client scripts see cookie
$HTTPONLY = 1; // 0 or 1;
if (function_exists('session_set_cookie_params'))
{
session_set_cookie_params(3600, '/', '.domain.com', 0, $HTTPONLY);
} elseif (function_exists('ini_set'))
{
ini_set('session.cookie_lifetime', 3600);
ini_set('session.cookie_path', '/');
ini_set('session.cookie_domain', '.domain.com');
ini_set('session.cookie_httponly', $HTTPONLY);
}
You could also keeping passing the SESSION_ID through a form variable but that is not as safe.