Unable to save session data after session_regenerate_id();

I have a webpage where I want to restore the session ID when a user logs in. The problem I encountered is when running session_regenerate_id(); and then trying to add $_SESSION['user'] = $row; where $row is an array.

I tried everything in the book, for example, destroying a session, and then starting again. I have been working on it for at least 2 hours and I have no solution.

I removed a lot of irrelevant PHP and left some, so you get the gist of what I'm trying to do, but here's the script:

    <?php
    session_start();
    if (!isset($_SESSION["CSRF"])) {
        $_SESSION["CSRF"] = substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, 10);
    }
    if (!empty($_POST)) {
        if ($_POST["action"] === "login") {
            //querying DB for $_POST values
            $stmt = $db->prepare($query);
            $result = $stmt->execute($query_params);
            $login_ok = false;
            $row = $stmt->fetch();
            if ($row) {
                $checked = //check password is okay
                if ($checked) {
                    $login_ok = true;
                }
            }
            if ($login_ok) {
                session_regenerate_id();
                unset($row['salt']);
                unset($row['password']);
                $_SESSION['user'] = $row;
            }
        }
    }

I'm also out of luck.

    <?php
    session_start();
    if (!isset($_SESSION["CSRF"])) {
        $_SESSION["CSRF"] = substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, 10);
    }
    if (!empty($_POST)) {
        if ($_POST["action"] === "login") {
            //querying DB for $_POST values
            $stmt = $db->prepare($query);
            $result = $stmt->execute($query_params);
            $login_ok = false;
            $row = $stmt->fetch();
            if ($row) {
                $checked = //check password is okay
                if ($checked) {
                    $login_ok = true;
                }
            }
            if ($login_ok) {
                unset($row['salt']);
                unset($row['password']);
                $_SESSION['user'] = $row;
                $arr = $_SESSION;
                session_regenerate_id(true);
                $_SESSION = $arr;
            }
        }
    }

EDIT

Sorry, I did not specify the name, but basically I will try to save the current session in a variable, and I will regenerate the session identifier and add an attempt to add the saved session variable to a new session, however, the session identifier does not contain the old data, and I do not get any errors.

+7
php session
3 answers

I had the same problem, but it's really just a shot in the dark, because it was such a specific case.

I had two domains, www.domain.com and secure.domain.com. When I went to www.domain.com, it set a cookie; however, in the cookie settings, I set the domain to .domain.com, which means that it was used for domain.com and all subdomains.

Then on secure.domain.com I also used session cookies; however, the domain used in the cookie was secure.domain.com (i.e. it would work only in the secure subdomain). To check if the user was logged in, I did something along the lines of if (isset($_SESSION['username'])) to check if it was set in the session, but since domain.com did not use the array key username in its sessions, it was receiving a domain.com cookie session without it. Then, when I logged in, I would set username and everything worked fine, right up until the moment when I restored the session ID. As soon as I did this, the user was immediately logged out. It really took me a long time to figure out what was happening, but basically I had two session cookies in the browser, one of which was sent to .domain.com and the other to secure.domain.com, and they contradicted each other.

This can be fixed in two ways:

  • Make the cookie from the main domain apply only to the www subdomain, and not to all subdomains.
  • Use a different session_name() for one of the domains. That was what I did.
+1

Are you sure $login_ok is getting set to true? You can print something there to be sure. From my test (a simplified version of your script), it works fine:

    <?php
    session_start();
    // Default to 0 on the first visit, when nothing is stored yet
    $data = $_SESSION['data'] ?? 0;
    $sid = session_id();
    echo "Old data is $data<br>Sid is $sid<br>";
    // A missing "action" parameter counts as "not a login request"
    if (($_GET["action"] ?? '') === "login") {
        session_regenerate_id();
        $_SESSION['data'] = $data + 1;
    }
    $data = $_SESSION['data'] ?? 0;
    $sid = session_id();
    echo "New data is $data\n<br>Sid is $sid\n<br>";
0

Correct me if I am wrong, but why are you reassigning the contents of $_SESSION? session_regenerate_id() does not discard the contents of the session, it just gives the session a new identifier - the content of the session remains the same as before the regeneration. Therefore, there is no need to reassign values.

Therefore, this should be perfectly valid:

    if ($login_ok) {
        unset($row['salt']);
        unset($row['password']);
        $_SESSION['user'] = $row;
        session_regenerate_id();
    }

No need to rewrite.

In addition, you should always check whether the session has been started before starting it, so do this at the beginning: if (!session_id()) { session_start(); } instead of session_start().

0
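
An added example, not code from any of the posters, that ties the first and third answers together: the session uses its own name and a host-only cookie, and after session_regenerate_id(true) the data is reachable under the new ID while the pre-login ID carries nothing. The name SECURESESSID and the user row are constructed; it assumes PHP 7.3+ with the default file session handler and is run from the CLI.

```php
<?php
// Added example, not code from the thread. Run from the CLI: php demo.php
// No output is produced until the end, so the session calls are not
// blocked by "headers already sent".

session_name('SECURESESSID');   // hypothetical name, distinct from the default PHPSESSID
session_set_cookie_params([
    'path'     => '/',
    'domain'   => '',           // empty = host-only cookie, not shared with other subdomains
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();
$_SESSION['CSRF'] = bin2hex(random_bytes(16));   // pre-login data, token from a CSPRNG
$oldId = session_id();

// Login succeeded. Constructed row; secrets are removed before it is stored.
$row = ['id' => 42, 'username' => 'alice', 'password' => 'hash', 'salt' => 's'];
unset($row['password'], $row['salt']);
$_SESSION['user'] = $row;
session_regenerate_id(true);    // new ID, same data; true deletes the old session file
$newId = session_id();
session_write_close();

// A later request presenting the new ID: the data is still there.
session_id($newId);
session_start();
$underNew = $_SESSION;
session_write_close();

// A request replaying the pre-login ID: nothing is attached to it any more.
session_id($oldId);
session_start();
$underOld = $_SESSION;
session_destroy();

// Remove the demo session file.
session_id($newId);
session_start();
session_destroy();

echo "ID changed:        ", var_export($oldId !== $newId, true), "\n";
echo "user under new ID: ", $underNew['user']['username'] ?? '(missing)', "\n";
echo "CSRF carried over: ", var_export(isset($underNew['CSRF']), true), "\n";
echo "keys under old ID: ", count($underOld), "\n";
```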