PHP session data changes in Internet Explorer

I defined a session to store the token using PHP, as shown below:

$_SESSION['token'] = sha1(uniqid(mt_rand(), true)); 

When I want to read this session, I have no problem in Chrome or Firefox. But in IE, it changes to something else before regeneration. For example, if I save its value in a hidden form field and submit it as follows:

 <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" /> 

I will get this result in IE on the following page:

    echo $_SESSION['token']; // shows 1b05fab5ec11f1d50713aea6e74f84727d29b4a3
    echo $_POST['token'];    // shows e8fac6d55b04d1752f37ecde953f7f08b112ccca

While if I print $_SESSION['token'] immediately after creation or even at the end of the creation page, it accurately and without any problems displays the contents.

What is causing this problem?

Edit:
This is my form:

    <form action="process/login.php" method="post">
      <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" />
      <label>Email: </label><input type="text" name="email" />
      <div class="space"></div>
      <label>Password: </label><input type="password" name="password" />
      <div class="space"></div>
      <input type="submit" value="Login" class="button" />
    </form>
+6
7 answers

Since PHP and session storage are server side and IE is obviously a client, the problem is not related to your session code.

Sessions are usually tracked by a cookie (session cookie) or the POST / GET variable. By default in PHP, this value is called PHPSESSID.

Probably in your case, the session cookie or the POST / GET variable associated with the server-side session is not passed in IE. In the case of cookies, this may be related to cookie settings and whether cookies are allowed at all. In the case of POST / GET, it may happen that your HTML is incorrect in a way that IE does not like but the other browsers still understand.

Now that this value is lost in IE, PHP assigns a new session to this browser for each request, and the session token is regenerated for each request. But your hidden field also remembers the old token ...

If you show us more code (you can edit your question), I can edit my answer to give you more details.

Edit: You can start by showing the relevant php.ini settings lines that relate to sessions and session cookies. And double check your IE cookie settings. In particular, I would like to know if you set cookie_path, which makes cookies only available in the same directory.

You might even have an IE security setting or an add-on that prohibits the use of cookies. So try checking your IE settings and disabling all add-ons and testing it again.

Also check that the first page (which establishes the session) and the second page (which reads the session) have EXACTLY the same domain name.

So, for example, www.yourdomain.com on the first page should not have yourdomain.com on the second page (without www) or www.yourdomain.com. (with an extra dot at the end).

+3
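
A way to check the diagnosis in the answer above, as an added example that is not part of the original answer: load this script twice in the affected browser and see whether the session cookie comes back. The `hits` session key is an assumption, and the prefix test on the cookie path is a simplification of how browsers match paths.

```php
<?php
// Added diagnostic, not from the original answer. Place it in the same
// directory as the form page and load it twice in the affected browser.
session_start();
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');   // keep old IE from sniffing this as HTML

$name   = session_name();               // "PHPSESSID" unless reconfigured
$params = session_get_cookie_params();  // path, domain, secure, ...
$sent   = isset($_COOKIE[$name]) ? $_COOKIE[$name] : null;
$https  = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$host   = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
$path   = (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);

// Stays at 1 on every load if each request is handed a brand-new session.
$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;

$findings = array();
if ($sent === null) {
    $findings[] = 'No session cookie received (normal on the first load only).';
} elseif ($sent !== session_id()) {
    $findings[] = 'Cookie received, but PHP is using a different session id.';
}
if ($params['secure'] && !$https) {
    $findings[] = 'Cookie is marked Secure but this request is plain HTTP.';
}
if ($params['path'] !== '' && strpos($path, $params['path']) !== 0) {
    $findings[] = "Request path $path is outside cookie path {$params['path']}.";
}
if ($params['domain'] === '') {
    $findings[] = "Host-only cookie: returned to exactly '$host', no other spelling.";
}

// The session id itself is deliberately never printed.
printf("host requested  : %s\n", $host);
printf("request path    : %s\n", $path);
printf("cookie name     : %s\n", $name);
printf("cookie received : %s\n", $sent !== null ? 'yes' : 'no');
printf("cookie path     : %s\n", $params['path']);
printf("cookie domain   : %s\n", $params['domain'] === '' ? '(host-only)' : $params['domain']);
printf("hits in session : %d\n", $_SESSION['hits']);
foreach ($findings as $line) {
    echo "finding         : $line\n";
}
```

If `hits in session` is still 1 and `cookie received` is still `no` on the second load, the browser is not returning the cookie and every request starts a fresh session.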

I think that after your form is submitted, you may be creating a different token value.

use

    if (!isset($_POST['token'])) {
        $_SESSION['token'] = sha1(uniqid(mt_rand(), true));
    }
+2

I would try changing the input name to something else; maybe IE is doing some weird things with the token name. I searched the net and found no mention of anything like that, but just to be safe, and to rule this option out, I would do it.

 <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" /> 

to

 <input type="hidden" name="my_session_token" value="<?php echo $_SESSION['token']; ?>" /> 

And try changing $_SESSION['token'] to $_SESSION['my_session_token'] as above in the comment

+1

I'm pretty sure that you assign $_SESSION['token'] twice. It can be the same line of code executed twice, or you also assigned a variable somewhere else. To find the problem, you need to define the function as a wrapper for assigning a session record. Then call the function instead of directly assigning the variable. Here is an example code:

    function assign_token() {
        $_SESSION['token'] = sha1(uniqid(mt_rand(), true));
    }

But you need to make sure you never assign the token directly anywhere in your code, and instead call this function. Once you do this, if you have a debugger, all you have to do is set a breakpoint in this function and see how many times it is called and where it is called from.

But if you do not have a debugger installed or, even worse, if the assignment occurs not in one request, but in two, you need to change your function as follows:

    function assign_token() {
        file_put_contents('/tmp/assign_token.txt', time() . "\n" . print_r(debug_backtrace(), true), FILE_APPEND);
        $_SESSION['token'] = sha1(uniqid(mt_rand(), true));
    }

The added line will help you keep track of each time the function is called. Even if it is called twice in two separate requests, you can identify them thanks to FILE_APPEND and time(). The first appends to the file (obviously), so the log entries will not overwrite each other, and the second helps to find out whether two entries of your log were made in one request.

That's all I have. In the end, you might want to format your log entries, making them more readable.

+1

I would do something more along the lines of:

 md5(uniqid($_SERVER['REMOTE_ADDR'], true)) 

Ensuring that the token will always be unique.

0

Correct me if I am wrong, but I have already tested the code below in Chrome, FF and IE 7, and it seems that there are no problems with IE.

    <?php
    // session_start() must run before any output so the session cookie header can be sent
    session_start();
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = sha1(uniqid(mt_rand(), true));
    }
    ?>
    <!DOCTYPE html>
    <html>
    <head>
      <meta charset="UTF-8">
      <title></title>
    </head>
    <body>
    <form method="POST" action="/">
      <input type="hidden" value="<?php echo $_SESSION['token']; ?>" name="token"/>
      <button type="submit" name="send">Send</button>
      <?php
      if (!empty($_POST)) {
          var_dump($_POST);
          var_dump($_SESSION['token']);
      }
      ?>
    </form>
    </body>
    </html>

If you have PHP version >= 5.4, try starting the built-in server in PHP using this command:

 php -S localhost:88 -t /path/to/your/app 

I assume you are testing on your local computer. Maybe something is wrong with the Apache + PHP stack on your server.

0
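
The create-once pattern from the second answer and the answer above, as an added example that is not code from either post: the token is generated only when the session has none, and the handler compares the submitted value in constant time. `csrf_token()` and `csrf_check()` are hypothetical helper names, and `random_bytes()` (PHP 7+) is swapped in for `sha1(uniqid(mt_rand(), true))`.

```php
<?php
// Added example, not code from the answers. csrf_token() and csrf_check()
// are hypothetical helper names.
session_start();

// Return the session's token, creating it only if the session has none yet.
// Calling this again on a later request never replaces the value that was
// already rendered into the hidden field.
function csrf_token()
{
    if (empty($_SESSION['token'])) {
        // Swapped in: random_bytes() instead of sha1(uniqid(mt_rand(), true)).
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Compare the submitted value with the stored one in constant time.
function csrf_check($submitted)
{
    return is_string($submitted)
        && !empty($_SESSION['token'])
        && hash_equals($_SESSION['token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check(isset($_POST['token']) ? $_POST['token'] : null)) {
        http_response_code(400);
        exit('Token mismatch: the form was rendered for a different session.');
    }
    unset($_SESSION['token']);   // rotate after a successful submit
    exit('Token accepted.');
}
?>
<form method="post" action="">
  <input type="hidden" name="token"
         value="<?php echo htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8'); ?>" />
  <button type="submit">Send</button>
</form>
```

A mismatch reported here while the form was freshly loaded points at the session changing between the two requests, not at the token code.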

Check the value of sha1(uniqid(mt_rand(), true)). IE has problems with names that contain "-" or "_" - they cannot support the session! I had this problem twice in the past, and it always takes me ages to figure out, and I'm shocked that IE has not fixed it.

Just make sure you don’t have such characters!

0