
Sorry for the title, it's always difficult to write a good one.

I start my session using a function, so I can declare/configure everything.

public static function sec_session_start() {
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        $session_error = 'Error: Cannot create new user session.';
        return $session_error;
    }
    else {
        $session_name   = 'aet_session_id';
        $domain         = '.domain.com';
        $secure         = TRUE;                         // cookie is only sent over HTTPS
        $httpOnly       = TRUE;                         // cookie is not readable from JavaScript (limits theft via XSS)

        // Get the current cookie params.
        $cookieParams = session_get_cookie_params();
        // Set the cookie params, keeping lifetime and path but overriding domain, secure and httponly.
        session_set_cookie_params($cookieParams['lifetime'], $cookieParams['path'], $domain, $secure, $httpOnly);

        // Set the session name to the one chosen above.
        session_name($session_name);
        session_start();                                // Start the PHP session

        if (!isset($_SESSION['CREATED'])) {
            $_SESSION['CREATED'] = time();
        } else if ((time() - $_SESSION['CREATED']) > 1800) {
            // session started more than 30 minutes ago
            session_regenerate_id(TRUE);                // change session ID for the current session and invalidate old session ID
            $_SESSION['CREATED'] = time();              // update creation time
        }

        /*
        $hasExpired = FALSE;

        if (isset($_SESSION['staff_id'], $_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY']) > 9999) {  // 300 (5 mins)
            // last request was more than 5 minutes ago
            $_SESSION = array();                        // unset $_SESSION variable for the run-time
            $params = session_get_cookie_params();      // Get session parameters
            setcookie(session_name(),                   // Delete the actual cookie
                      '',
                      time() - 3600,
                      $params["path"],
                      $params["domain"],
                      $params["secure"],
                      $params["httponly"]);
            session_destroy();                          // destroy session data in storage

            $hasExpired = TRUE;                         // now we know the user has lost his session for inactivity
        }

        $_SESSION['LAST_ACTIVITY'] = time();            // update last activity time stamp
        */
    }

    //return $hasExpired;
}

This function belongs to a class that is initialized in every index.php of each domain/subdomain.

If I specify a subdomain:

$domain = 'sub.domain.com';

for the cookie (session_set_cookie_params()), then the session variables work for that subdomain, but I need the same session for another subdomain, so I removed the subdomain name, leaving a leading dot before the domain name:

Optional note: (This was working back when I started writing this framework for another website that needed the session in the main domain and multiple subdomains from the beginning, but in this project I was, until now, only in need of the session in one subdomain, and now I need to change this. It's worth mentioning that that was on another host with a lower PHP version and a different configuration.)

For some mysterious reason, now the session variables get lost when reloading (in this case when doing a header('Location: /'); after checking the login details).

Any idea why this is happening? I can't figure out what is going on...

I did some debugging: I tried echoing the session variables (account id and login_string) before redirecting and they're OK, but after the redirection I can't echo them.

// index.php
$web_user = new web_user();
$web_user->sec_session_start();

echo $_SESSION['client_id'];

$client = $web_user->login_check();

// since $client is FALSE
include('login_post.php');

// login_post.php
$web_user->client_login($email, $password);

// web_user.php
$client = new Client();
// login is ok
$_SESSION['client_id'] = $client->getId();
return 'login_ok';

// back in login_post.php
header('Location: /');

// index.php
$web_user = new web_user();
$web_user->sec_session_start();

echo $_SESSION['client_id'];

That outputs: "Undefined index: client_id" before and after the login (redirection).

So...

$client = $web_user->login_check();

is FALSE again...


To clarify a bit... I say another subdomain because I need the session to be valid for the domain and all subdomains. But the problem is about the same subdomain:

Let's say login.domain.com: if I specify the subdomain (login) in the cookie, the session variables work (allowing me to log in), but if I remove the subdomain (leaving the leading dot) then they won't work anymore (and I won't be able to log in).

If I'm not wrong:

login.domain.com

The session will only be valid for that subdomain, but:

.domain.com

The session will be valid for the domain and all subdomains (including login.domain.com), right?

Chazy Chaz

1 Answer


Problem solved. There's no longer any need for a leading dot in the cookie domain. Thanks to https://stackoverflow.com/a/23086139/4067132

That, and I had old cookies for .subdomain.domain.com, so the request didn't match.

After deleting the old cookies and changing the cookie domain to:

$domain = 'domain.com';

the session variables are working again. Plus now my website only needs one cookie for all subdomains.

Chazy Chaz
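The two things the question and the answer turn on are the browser's domain-matching rule (a leading dot is ignored, and a cookie for `domain.com` is sent to every subdomain) and the stale cookie scoped to the subdomain that kept being sent alongside the new one. The following PHP is an added example written for this page, not the asker's framework code: it implements the RFC 6265 domain-match, simulates which cookies a browser would send to a host from a constructed cookie jar, and parses a raw `Cookie` header to flag duplicate names, which is the server-side check that would have exposed this problem. The host names, cookie values and the `.login.domain.com` stale entry are constructed; the helper names are the example's own.

```php
<?php
// Added example (not the asker's code). Shows why 'domain.com' already covers
// all subdomains, why '.domain.com' is equivalent, and how a stale cookie
// scoped to a subdomain shadows the new session cookie.

/**
 * RFC 6265 section 5.1.3 domain-match: is $host covered by the cookie's Domain
 * attribute? Browsers strip one leading dot from the attribute (section 5.2.3),
 * so '.domain.com' and 'domain.com' behave identically.
 */
function cookie_domain_matches(string $host, string $cookieDomain): bool
{
    $host         = strtolower($host);
    $cookieDomain = strtolower($cookieDomain);
    if ($cookieDomain !== '' && $cookieDomain[0] === '.') {
        $cookieDomain = substr($cookieDomain, 1);          // drop the single leading dot
    }
    if ($cookieDomain === '') {
        return false;
    }
    if ($host === $cookieDomain) {
        return true;
    }
    // Subdomain match: host must end in ".<domain>" and must not be an IP literal.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    $suffix = '.' . $cookieDomain;
    return strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix;
}

/**
 * Browser side (simulated): build the Cookie header sent to $host for path "/".
 * $jar is a list of ['name' => ..., 'domain' => ..., 'value' => ...] entries in
 * creation order. Same-name cookies with different domains are both sent.
 */
function cookie_header_for(string $host, array $jar): string
{
    $pairs = [];
    foreach ($jar as $cookie) {
        if (cookie_domain_matches($host, $cookie['domain'])) {
            $pairs[] = $cookie['name'] . '=' . $cookie['value'];
        }
    }
    return implode('; ', $pairs);
}

/**
 * Server side: $_COOKIE holds a single value per name, so the raw header is the
 * only place a shadowed cookie is visible. Returns name => [values] for every
 * name that appears more than once.
 */
function duplicate_cookies(string $rawHeader): array
{
    $seen = [];
    foreach (explode(';', $rawHeader) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue;
        }
        [$name, $value] = explode('=', $pair, 2);
        $seen[trim($name)][] = $value;
    }
    return array_filter($seen, fn(array $values): bool => count($values) > 1);
}

// --- Demo with a constructed cookie jar -------------------------------------
$jar = [
    // stale cookie from the earlier, subdomain-scoped configuration (constructed)
    ['name' => 'aet_session_id', 'domain' => '.login.domain.com', 'value' => 'OLDSESSIONID'],
    // cookie written after the fix from the answer, domain without leading dot (constructed)
    ['name' => 'aet_session_id', 'domain' => 'domain.com',        'value' => 'NEWSESSIONID'],
];

var_dump(cookie_domain_matches('login.domain.com', '.domain.com'));
var_dump(cookie_domain_matches('login.domain.com', 'domain.com'));
var_dump(cookie_domain_matches('domain.com', 'login.domain.com'));

$header = cookie_header_for('login.domain.com', $jar);
echo $header, PHP_EOL;

// In a real request the input would be $_SERVER['HTTP_COOKIE'] ?? ''
print_r(duplicate_cookies($header));
```

The first two `var_dump` calls are true and the third is false, which is the asymmetry the question asks about: a cookie for `login.domain.com` is host-specific, while one for `domain.com` (dotted or not) reaches the subdomain. For the constructed jar, `cookie_header_for()` includes both `aet_session_id` cookies for `login.domain.com`, and `duplicate_cookies()` flags that name. Logging the result of `duplicate_cookies($_SERVER['HTTP_COOKIE'] ?? '')` during a session-cookie migration makes the "old cookies didn't match" failure visible instead of showing up as a silently lost session.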