Session Woes

06-22-2010, 10:37 PM
I'm using sessions in my PHP web app. When someone logs into my system, I store their username in a session var.

I have one person who, when logging in, seems to lose the session data held in that $_SESSION["php_username"] var. Further debugging reveals that her browser is not holding any session vars.

Everyone is accessing the same PHP code. Why would almost everyone else be able to log in and use my site and this person can't log in because she is losing all of the session var data? I'm puzzled.

Thanks for any help...

06-22-2010, 10:40 PM
It'll be because their local security settings are wiping the session/cookies (like Firefox and other modern browsers do on closing if you want them to). If they're the only person this happens to, it's a user-side issue.

That being said, if their system seems to store cookies ok (though if it's losing sessions...), one thing you can do is store the data as a cookie and session, and revalidate both each page (more queries, but greater security IMO, though someone else might know why it's not a good idea).

06-23-2010, 04:13 PM
This is something we generally have to choose how to handle as well. For any non-secure site, I'd recommend allowing cookies to be disabled.
Using the SID constant, you can make the determination if their browser is rejecting cookies. This cannot accommodate loss of cookies of course, only inability to set them.
To use this, you need to apply SID to all your links like so:

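session_start(); // SID is only defined once the session has started
$sURL = 'http://somelocation.com/somepage.php';
// SID is "name=id" when the browser sent no session cookie, '' otherwise
if (SID !== '')
    $sURL .= '?' . SID;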

As you can see, this becomes a little on the complex side when regarding current flat URLs with already existing query strings. This can be handled by using parse_url and http_build_query instead.

Alternatively, you can pull the lazy route (which if I use the built-in session I usually do >.<), and enable your session.use_trans_sid. This is an ini_all directive, so you can simply add it to the top of your page:

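// Both settings must be applied before session_start()
ini_set('session.use_only_cookies', false);
ini_set('session.use_trans_sid', true);
session_start();
// do some stuffs.
echo '<a href="index.php">Home</a>';

// Result (when the browser sent no session cookie):
// <a href="index.php?PHPSESSID=754d3b148df7a597947f5556cbe06628">Home</a>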
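
The parse_url / http_build_query approach mentioned in the post above, as an added example that is not part of the original thread. The names append_sid() and $ownHost are hypothetical, and the helper leaves links to other hosts untouched so the session ID is not handed to a third-party site inside the URL.

```php
<?php
// Added example: append the session token to a URL that may already carry
// a query string and fragment. append_sid() and $ownHost are hypothetical names.
function append_sid(string $url, string $sid, string $ownHost): string
{
    if ($sid === '') {
        return $url;                 // browser sent the cookie; nothing to add
    }
    $p = parse_url($url);
    if ($p === false) {
        return $url;                 // malformed URL: leave it untouched
    }
    // Never attach the session ID to a link that points at another host:
    // the URL itself would disclose the session to that site.
    if (isset($p['host']) && strcasecmp($p['host'], $ownHost) !== 0) {
        return $url;
    }
    // SID has the form "name=value"; merge it into the existing parameters.
    parse_str($p['query'] ?? '', $params);
    parse_str($sid, $sidParam);
    $params = array_merge($params, $sidParam);

    // Rebuild the URL from its parts (userinfo is deliberately not carried over).
    $out = '';
    if (isset($p['host'])) {
        $out .= (isset($p['scheme']) ? $p['scheme'] . ':' : '') . '//' . $p['host'];
        if (isset($p['port'])) {
            $out .= ':' . $p['port'];
        }
    }
    $out .= $p['path'] ?? '';
    $out .= '?' . http_build_query($params);
    if (isset($p['fragment'])) {
        $out .= '#' . $p['fragment'];
    }
    return $out;
}

// Constructed sample inputs; the session ID is the one shown in the post above.
$sid = 'PHPSESSID=754d3b148df7a597947f5556cbe06628';
$own = 'somelocation.com';   // assumption: the site's own configured host name
echo append_sid('http://somelocation.com/somepage.php?page=2#top', $sid, $own), "\n";
echo append_sid('http://other.example/out.php', $sid, $own), "\n"; // unchanged
echo append_sid('index.php', '', $own), "\n";                      // unchanged
```

In a page, the second argument would be the SID constant after session_start(), and the third a host name taken from configuration rather than from the request.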