PHP creates a new session with every reboot

Question

PHP creates a new session with every reboot

For my site, session management basically works fine. Sessions are created, saved and used later without problems.

But when the code uses session_start (), it always creates a new, completely empty session. The code discussed below.

header('Content-Type: text/html; charset=UTF-8'); $main_domain = $_SERVER["HTTP_HOST"]; $expld = explode('.', $main_domain); if(count($expld) > 2) { $tld = array_pop($expld); $domain = array_pop($expld); $main_domain = $domain . "." . $tld; } session_set_cookie_params (0, '/', $main_domain); session_name('sid'); session_start(); echo session_id(); exit;

When this script is executed, a new session is created in each reboot.

 smar@ran ~> ls /tmp/sess_* | wc -l 10 smar@ran ~> ls /tmp/sess_* | wc -l 11 .. smar@ran ~> ls /tmp/sess_* | wc -l 17

But only one of these sessions has any data inside it and is used by the application.

The output in the browser is always the same: 87412d5882jr85gh5mkasmngg7 , which is the identifier in the cookie cookie and the session identifier in / tmp, on which there is data filled by it.

What could be causing this behavior? These empty files have an absolutely huge problem, but they make make / tmp (or session dir) completely full for no reason.

EDIT 1:

This seems to be a server issue as it works for some people. My configuration is Gentoo Linux (32 bit) with Apache and PHP 5.3.6.

If I force it to create a new session (for example, delete its own cookie), it creates two session files instead of one. If he repeats the old, he creates only "one."

EDIT 2:

Session configuration as requested (all configuration lines with session. ):

 session.save_handler = files session.save_path = "/tmp" session.use_cookies = 1 session.use_only_cookies = 1 session.name = PHPSESSID session.auto_start = 0 session.cookie_lifetime = 0 session.cookie_path = / session.cookie_domain = session.cookie_httponly = session.serialize_handler = php session.gc_probability = 1 session.gc_divisor = 1000 session.gc_maxlifetime = 1440 session.bug_compat_42 = On session.bug_compat_warn = On session.referer_check = session.entropy_length = 0 session.entropy_file = session.cache_limiter = nocache session.cache_expire = 180 session.use_trans_sid = 0 session.hash_function = 0 session.hash_bits_per_character = 5

EDIT 3:

Even stranger, I tried to use sessions from the CLI. Where session cookies were not set, he always created one new session. When setting a fixed session value using session_id() the creation of a new session is completely stopped and the old session is used instead.

This behavior is identical to Apache, so I'm starting to suspect that this is a bug in PHP. No new sessions were created if the name was specifically set using session_id() and the session was used correctly.

Even more absurd, when I took phpsessid from $_COOKIE["PHPSESSID"] and set it to session_id (), it started to create new (useless empty) sessions again.

EDIT 4:

Since I did not write clearly enough: just

 session_start()

since one argument causes this problem, this does not apply to my code.

+7

php session

Smar Jul 25 '11 at 11:19

source share

5 answers

symcbean · Answer 1 · 2011-07-25T12:08:58+0000

Cookies are returned only to the vhost / path from which they were installed.

Since your path is '/', this means that pages are not being requested via $ domain. "", $ TLD;

eg. user request page through www.example.com

cookie set for example.com

user access to the next page from the site www.example.com - the cookie is not included in the volume.

From RFC 2965

xycom domain-matches .Y.com, but not Y.com.

In fact, if you read, the specification says that the user agent must prefix the node with a dot if none is specified, but you get into the area where the behavior of the browser changes.

If you simply return the cookie with vhost matching the request, it will work as expected.

powtac · Answer 2 · 2011-07-25T12:42:13+0000

Use session_start() as the first session command before all other session_*() methods!

Ivan Schrecklich · Answer 3 · 2012-06-11T10:58:45+0000

I think powtac is fine, but session_start(); should be your first operation you do, even before header('Content-Type: text/html; charset=UTF-8');

Smar · Answer 4 · 2012-12-13T13:18:53+0000

This is not entirely about the original reason, but the resolution is exactly the same: new session identifiers are determined with each reboot.

In this case, the error was Varnish, which was configured to have each request pass a mode ( return (pass) ) instead of caching everything. As a result, each request made it to the backend, where session_start () was called every time.

But when the response was sent via Varnish to the client, cookies were removed from the response. This is because the backend sets cookies (session ID with others), even if we want the site to be cached. In any case, cookies are deleted, the client makes another request and does not send any cookies (he never received any!), And there PHP again calls session_start () without the presence of a session identifier ...

It is rather an error in recognizing an error in this case, which appeared as many unnecessary sessions. They were not created in the first place if caching were enabled in the first place.

There is also another way to create these sessions: the browser should not accept cookies at all. Stupid mind, I know, but it happens ...

For the original problem, I did not stumble because I switched from the original development machine.

Scott Arciszewski · Answer 5 · 2014-02-17T21:11:08+0000

I wouldn’t like to be a stick in the mud, but have you checked that /tmp is read and written by PHP (in most cases, this means that the user is www-data)? If not, move the session save location to a place you can record to.

PHP creates a new session with every reboot

More articles: