13 Replies - 1036 Views - Last Post: 24 December 2012 - 06:40 PM

#1 adn258

$_SESSION Variables Not Working After ini_set?

Posted 28 November 2012 - 03:17 PM

So this has been driving me crazy and I've used my code on two different servers, meaning I'm almost sure this is an error on MY PART, not the servers' part. In the php.ini file I set code directives like so:

session.cookie_secure
session.cookie_httponly
session.use_only_cookies

all to true or 1.

This appears to work fine because when I use phpinfo() you can see these directives turned to on. Then here's what happens.

$_SESSIONS don't work anymore. You can't log in to the site. It says you're logged in but no session or session variables are created. Essentially sessions don't work at ALL anymore.

I can't for the life of me figure out why this is happening. Any ideas from you awesome folks here?


Replies To: $_SESSION Variables Not Working After ini_set?

#2 CTphpnwb

Posted 28 November 2012 - 07:30 PM

From the manual:

Quote

session.cookie_secure specifies whether cookies should only be sent over secure connections. Defaults to off

Do you have an SSL certificate?

Sessions require a cookie (with the session id) to be stored on the client's computer.

#3 adn258

Posted 28 November 2012 - 09:34 PM

CTphpnwb, on 28 November 2012 - 07:30 PM, said:

From the manual:

Quote

session.cookie_secure specifies whether cookies should only be sent over secure connections. Defaults to off

Do you have an SSL certificate?

Sessions require a cookie (with the session id) to be stored on the client's computer.


Right I'm supposing I must have them right? Since sessions work JUST FINE when these security php directives are turned off. Am I missing something here?

#4 adn258

Posted 01 December 2012 - 12:50 AM

Sorry to be a bug but does anyone have any idea what this could be? This has been driving me crazy for weeks and I finally brought myself to ask people here?

#5 Xupicor

Posted 01 December 2012 - 01:42 AM

You didn't answer the first question. Do you connect through "https://..."?

#6 adn258

Posted 02 December 2012 - 03:28 PM

Xupicor, on 01 December 2012 - 01:42 AM, said:

You didn't answer the first question. Do you connect through "https://..."?


No, is that the reason I'm having this issue? I'm using http. How do you use https?

#7 CTphpnwb

Posted 02 December 2012 - 03:32 PM

You buy an SSL certificate. I believe they're $100/year.

#8 adn258

Posted 06 December 2012 - 04:21 AM

CTphpnwb, on 02 December 2012 - 03:32 PM, said:

You buy an SSL certificate. I believe they're $100/year.


Right. Can I use the other PHP ini directives and not use the secure.cookies then?

#9 Anthonidas

Posted 06 December 2012 - 06:06 AM

Well, just don't set the ini directives to use SSL. Review your first post, you should not set them to 1 or true if you don't want to use them...

#10 adn258

Posted 08 December 2012 - 04:20 PM

Anthonidas, on 06 December 2012 - 06:06 AM, said:

Well, just don't set the ini directives to use SSL. Review your first post, you should not set them to 1 or true if you don't want to use them...


So I'm still confused. Are you saying I can still use these directives without SSL because yes I would like to use them and make the server more secure.

#11 Anthonidas

Posted 08 December 2012 - 04:44 PM

If you want to use SSL, you need a certificate, as said by CTphpnwb. If you don't have one, you have to buy it. If you don't want to buy a certificate you mustn't set session.cookie_secure to on. Not really difficult to understand.

The other two directives have nothing to do with SSL, so you still can use them...
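The misconfiguration discussed in this thread, as an added example that is not part of any post: a PHP check that reports when session.cookie_secure is on for a plain-HTTP request, and a session start that always sets the two directives that do not depend on SSL. The function names and the sample requests are constructed for illustration.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.

// True when PHP itself saw the request arrive over TLS. Assumption: no
// TLS-terminating proxy in front; that setup needs its own check.
function request_is_https(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    return $https !== '' && $https !== 'off';
}

// Explains the failure from the first post: with cookie_secure on, the
// session cookie carries the Secure attribute, the browser does not return
// it over http://, and each request therefore starts a fresh, empty session.
function session_cookie_problem(string $cookieSecureIni, array $server): ?string
{
    $secure = filter_var($cookieSecureIni, FILTER_VALIDATE_BOOLEAN);
    if ($secure && !request_is_https($server)) {
        return 'session.cookie_secure is on but this request is plain HTTP; '
             . 'the session cookie will not be sent back';
    }
    return null;
}

// Call before any output. The two directives that do not depend on TLS are
// always set; cookie_secure follows the scheme of the request.
function start_hardened_session(array $server): void
{
    ini_set('session.use_only_cookies', '1'); // ignore session ids in URLs
    ini_set('session.cookie_httponly', '1');  // keep the id out of document.cookie
    ini_set('session.cookie_secure', request_is_https($server) ? '1' : '0');
    session_start();
}

// Constructed sample requests (not real traffic) run through the check.
$samples = [
    'http, cookie_secure=1'  => ['1', ['HTTPS' => 'off']],
    'https, cookie_secure=1' => ['1', ['HTTPS' => 'on']],
    'http, cookie_secure=0'  => ['0', []],
];
foreach ($samples as $label => [$ini, $server]) {
    echo $label, ': ', session_cookie_problem($ini, $server) ?? 'ok', PHP_EOL;
}
```

In a page, `start_hardened_session($_SERVER)` replaces the bare `session_start()` call. Over plain HTTP the session id still crosses the network unencrypted, whatever the other two directives are set to.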

#12 adn258

Posted 09 December 2012 - 03:18 PM

Anthonidas, on 08 December 2012 - 04:44 PM, said:

If you want to use SSL, you need a certificate, as said by CTphpnwb. If you don't have one, you have to buy it. If you don't want to buy a certificate you mustn't set session.cookie_secure to on. Not really difficult to understand.

The other two directives have nothing to do with SSL, so you still can use them...


Thanks for your help I appreciate that. So short of packet sniffing attacks against a user which happen on public networks etc. doesn't just setting the other two directives avoid 99% of all the other classic session hijacking techniques? Like of course the classic XSS attacks that steal cookie SID's from javascript? How much more paranoid do I need to be than that since my site isn't about banking or anything super confidential?

Also are there any other techniques that help secure these things without an SSL?

#13 adn258

Posted 24 December 2012 - 10:52 AM

Unless your site is like banking or something, is it really necessary to have secure cookies, and by setting the other two directives don't you make it hard to impossible for most hacking techniques like XSS to work?

#14 CTphpnwb

Posted 24 December 2012 - 06:40 PM

XSS can work by injecting javascript into HTML regardless of the cookies.