Sorry for the title, it's always difficult to write a good one.
I start my session using a function, so I can declare/configure everything.
public static function sec_session_start() {
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        $session_error = 'Error: Cannot create new user session.';
        return $session_error;
    }
    else {
        $session_name = 'aet_session_id';
        $domain = '.domain.com';
        $secure = TRUE;
        $httpOnly = TRUE; // cookie not readable from JavaScript (limits theft via XSS)
        // Get the current cookies params.
        $cookieParams = session_get_cookie_params();
        // Set the current cookies params.
        session_set_cookie_params($cookieParams['lifetime'], $cookieParams['path'], $domain, $secure, $httpOnly);
        // Sets the session name to the one set above.
        session_name($session_name);
        session_start(); // Start the PHP session
        if (!isset($_SESSION['CREATED'])) {
            $_SESSION['CREATED'] = time();
        } else if ((time() - $_SESSION['CREATED']) > 1800) {
            // session started more than 30 minutes ago
            session_regenerate_id(TRUE); // change session ID for the current session and invalidate old session ID
            $_SESSION['CREATED'] = time(); // update creation time
        }
        /*
        $hasExpired = FALSE;
        if (isset($_SESSION['staff_id'], $_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY']) > 9999) { // 300 (5 mins)
            // last request was more than 5 minutes ago
            $_SESSION = array(); // unset $_SESSION variable for the run-time
            $params = session_get_cookie_params(); // Get session parameters
            setcookie(session_name(), // Delete the actual cookie
                      '',
                      time() - 3600,
                      $params["path"],
                      $params["domain"],
                      $params["secure"],
                      $params["httponly"]);
            session_destroy(); // destroy session data in storage
            $hasExpired = TRUE; // now we know the user has lost his session for inactivity
        }
        $_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp*/
    }
    //return $hasExpired;
}
This function belongs to a class that is initialized in every index.php of each domain/subdomain.
If I specify a subdomain:
$domain = 'sub.domain.com';
for the cookie (session_set_cookie_params()), then the session variables work for that subdomain, but I need the same session for another subdomain, so I removed the subdomain name, leaving a leading dot before the domain name:
Optional note* (This was working back when I started writing this framework for another website that needed the session on the main domain and multiple subdomains from the beginning, but in this project I only needed the session on one subdomain, and now I need to change this. It's worth mentioning that that was on another host with a lower PHP version and a different configuration.)
For some mysterious reason, now the session variables get lost when reloading (in this case when doing a header('Location: /'); after checking the login details).
Any idea why this is happening? I can't figure out what is going on...
I did some debugging: I tried echoing the session variables (account id and login_string) before redirecting and they're OK, but after the redirect I can't echo them.
// index.php
$web_user = new web_user();
$web_user->sec_session_start();
echo $_SESSION['client_id'];
$client = $web_user->login_check();
// since $client is FALSE
include('login_post.php');
// login_post.php
$web_user->client_login($email, $password);
// web_user.php
$client = new Client();
// login is ok
$_SESSION['client_id'] = $client->getId();
return 'login_ok';
// back in login_post.php
header('Location: /');
// index.php
$web_user = new web_user();
$web_user->sec_session_start();
echo $_SESSION['client_id'];
That outputs: "Undefined index: client_id" before and after the login (redirection).
So...
$client = $web_user->login_check();
is FALSE again...
To clarify a bit... I say another subdomain because I need the session to be valid for the domain and all subdomains. But the problem is about the same subdomain:
Let's say login.domain.com: if I specify the subdomain (login) in the cookie, the session variables work (allowing me to log in), but if I remove the subdomain (leaving the leading dot) then they won't work anymore (and I won't be able to log in).
If I'm not wrong:
login.domain.com
The session will only be valid for that subdomain, but:
.domain.com
The session will be valid for the domain and all subdomains (including login.domain.com), right?
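The last question is about how browsers apply the cookie Domain attribute (RFC 6265); session_set_cookie_params() only passes that attribute through, and the browser decides which cookies come back. The simulation below is an added example and not code from the post or its framework: it models the browser-side rules for a host-only cookie (no Domain attribute), a domain-wide cookie (Domain=.domain.com, where the leading dot is ignored), the Secure flag, and the rejection of a Domain that does not cover the responding host. The hosts and the cookie name are constructed to mirror the question. It also shows one consequence worth knowing when a cookie's scope is changed: a host-only cookie and a domain-wide cookie with the same name are distinct entries in the browser's store, so a browser that still holds the old host-only cookie sends both.

```python
"""Browser cookie scoping per RFC 6265, simulated in Python.

Constructed example: a tiny cookie jar that applies the Domain attribute
rules a browser uses when deciding which cookies to send. Hosts and the
cookie name mirror the question (login.domain.com, aet_session_id).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # canonical form: lower-case, no leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    secure: bool
    created: int       # insertion order, used for the send order


def canonical_domain(attr: Optional[str]) -> Optional[str]:
    """RFC 6265 5.2.3: lower-case the Domain attribute and drop a leading dot."""
    if attr is None:
        return None
    attr = attr.strip().lower().lstrip(".")
    return attr or None


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: exact match, or host is a subdomain of a non-IP cookie domain."""
    request_host = request_host.lower()
    if request_host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(request_host)
        return False  # an IP literal never matches a parent domain
    except ValueError:
        pass
    return request_host.endswith("." + cookie_domain)


class CookieJar:
    def __init__(self) -> None:
        self._cookies: List[Cookie] = []
        self._counter = 0

    def store(self, request_host: str, name: str, value: str,
              domain_attr: Optional[str] = None, secure: bool = False) -> bool:
        """Process one Set-Cookie header received from request_host (RFC 6265 5.3).

        Returns False when the browser must ignore the cookie because its Domain
        attribute does not cover the host that set it.
        """
        request_host = request_host.lower()
        domain = canonical_domain(domain_attr)
        if domain is None:
            domain, host_only = request_host, True
        elif domain_matches(request_host, domain):
            host_only = False
        else:
            return False
        # Same name and same canonical domain replaces the stored cookie; a
        # host-only cookie and a domain-wide cookie with the same name coexist.
        self._cookies = [c for c in self._cookies
                         if not (c.name == name and c.domain == domain)]
        self._counter += 1
        self._cookies.append(Cookie(name, value, domain, host_only, secure, self._counter))
        return True

    def cookies_for(self, request_host: str, https: bool = True) -> List[Cookie]:
        """Cookies a browser attaches to a request (RFC 6265 5.4; Path is ignored here)."""
        request_host = request_host.lower()
        sent = []
        for c in self._cookies:
            in_scope = (request_host == c.domain if c.host_only
                        else domain_matches(request_host, c.domain))
            if in_scope and (https or not c.secure):
                sent.append(c)
        return sorted(sent, key=lambda c: c.created)

    def values_for(self, request_host: str, https: bool = True) -> List[str]:
        return [f"{c.name}={c.value}" for c in self.cookies_for(request_host, https)]


def demo() -> dict:
    """A host-only cookie left over from before the scope change, plus the new
    domain-wide cookie with the same name; returns what each host receives."""
    jar = CookieJar()
    jar.store("login.domain.com", "aet_session_id", "host-only")
    jar.store("login.domain.com", "aet_session_id", "domain-wide", domain_attr=".domain.com")
    return {h: jar.values_for(h) for h in ("login.domain.com", "app.domain.com", "domain.com")}


if __name__ == "__main__":
    for host, sent in demo().items():
        print(host, "->", sent)
```

With a Domain of `.domain.com` the cookie is sent to `domain.com` and to every subdomain of it, while a cookie set without a Domain attribute is sent only to the exact host that set it, which is the difference the question describes. A Secure cookie is never sent over plain HTTP, and a Domain that does not cover the responding host is dropped by the browser.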