  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1382

PHPSESSID Session Cookie Doesn't Stick for more than 1 page

I have a web page on www.domain1.com, with an iframe that opens up a PHP-based site on www.domain2.com.

When the application in D2 (www.domain2.com) loads, it issues a PHP session cookie (PHPSESSID) and correctly loads the rest of the page (images, external css, javascript, etc). If I watch the HTTP headers, I can see that the first request got a PHPSESSID cookie, and it persists while the rest of the page is loading.

However, once I click on another link that takes me to another page inside the same application, the PHPSESSID seems to disappear, and it prompts me to log into the application again (issuing a different PHPSESSID cookie).

This happens every time I click to change a page.

When I access www.domain2.com directly (no IFRAME), the application works fine. I can login and browse through multiple pages without any problem.

If I go into my cookie settings and accept all cookies for D2, then the application ALSO works fine. However, I don't want to force all our users to change their browser settings, and I do not have control over D1, so it HAS to be through an IFRAME.

This USED to work fine, too. We had an outside programmer working on an upgraded version of the application, and it seemed like after he made some "upgrades" this problem started happening. Now I'm trying to clean up the mess (he has no idea what he changed and suggests buying and adding a security certificate, which doesn't work when I test it using a self-signed cert).
Asked by gr8gonzo

1 Solution

Beverley Portlock Commented:
At the start of every page, do you have

if ( session_id() == "" )
     session_start();

Also check that setcookie is using '/' for its 4th parameter. That means the cookie is available for the entire domain and all its sub-folders. More info at

http://www.php.net/setcookie

gr8gonzo (Consultant, Author) Commented:
I don't believe we're setting any cookies manually with setcookie() - everything is done through session_... functions. And no, we don't have that at the top of every page, but I'm not sure why that would make a difference? It technically is starting a new session - the problem is just that it starts a new session every time you do anything.

More research seems to indicate that it's an IE-specific problem with cookies on multiple domains, but I haven't found a solution yet.

Beverley Portlock Commented:
It's often hard to determine what is going on remotely. The two fixes I suggested are the most common cures.


if ( session_id() == "" )
     session_start();

This ensures that if a session is in use, it is used rather than a new session being started every time. You did mention that you get new session cookies each time and that is the sort of behaviour that this prevents.

The setcookie problem is caused by the fact that cookies can be restricted to certain folders. By setting it to '/' you ensure that the cookie is usable from the root folder down (i.e. all folders). Remember that cookies can be set from javascript as well and that they have an additional parameter that limits them to a given domain.

gr8gonzo (Consultant, Author) Commented:
Okay, I set up a separate "test" page that only contains the following:

<?php
$expireTime = 60*60*24*100; // 100 days
// Must be called before session_start(). Added just to see if it would make any difference.
session_set_cookie_params($expireTime, "/", "www.domain2.com");

if ( session_id() == "" )
     session_start();

// Original test page used session_register("mytest"), which was removed in PHP 5.4;
// initialising the key in $_SESSION is the equivalent.
if ( !isset($_SESSION["mytest"]) )
     $_SESSION["mytest"] = 0;

$_SESSION["mytest"]++;
print $_SESSION["mytest"] . " - <a href='iframetest.php'>test " . time() . "</a><br>\n";
?>

The result is that whenever I click on the link, it goes back to the same test page. The time has been updated, but the $_SESSION["mytest"] variable is ALWAYS 1.

I'm pretty confident that it has to deal with the <iframe> being called from a different domain. The cookie simply seems like it is not being accepted by IE. If I turn on "always allow cookies" for domain2, then the cookie is accepted, and the session works fine.

Also, regarding the if(session_id() == "") piece - if a session is in use, then session_start should not start a new session, but simply read the existing cookie and link up to the correct session. That is the default behavior, per PHP.

gr8gonzo (Consultant, Author) Commented:
Found a good workaround from MS. If you add the following line before session_start():

header('P3P: CP="CAO PSA OUR"');

Apparently, P3P is a privacy-related header. The CP stands for Compact Policy, and then CAO, PSA, and OUR are parameters. They apparently establish the kind of site that is being contacted, so IE can trust the cookie that it's being sent.

Beverley Portlock Commented:
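The following is an added example (not code from the original thread) that puts the two suggestions from this discussion into one page for www.domain2.com: the P3P compact-policy header sent before session_start(), which is what made IE accept the session cookie inside a cross-domain iframe, and the session cookie path set to '/'. It goes one step beyond the thread: the 'samesite' => 'None' and 'secure' => true attributes are an assumption for current browsers, which ignore P3P and only send a cookie inside a cross-site iframe when those two attributes are present (requires PHP 7.3 or later and an HTTPS origin). The hostname and counter name are placeholders carried over from the test page above.

```php
<?php
// Added example, not the thread's own code. Minimal domain2 page whose
// session cookie survives being loaded inside an iframe on domain1.
declare(strict_types=1);

// 1. Legacy IE: compact privacy policy so IE accepts a third-party
//    (iframe) cookie. Values are the ones the thread reports working.
//    This header must be sent before session_start() emits Set-Cookie.
header('P3P: CP="CAO PSA OUR"');

// 2. Cookie attributes, set before session_start() (assumed values):
//    - path '/'      : cookie valid for the whole site, not one sub-folder
//    - domain        : placeholder hostname from the thread
//    - secure        : required by browsers whenever samesite is None
//    - httponly      : keeps JavaScript from reading the session id
//    - samesite None : lets Chromium/Firefox send the cookie in a
//                      cross-site iframe (PHP >= 7.3 array form)
session_set_cookie_params([
    'lifetime' => 60 * 60 * 24 * 100, // 100 days, as in the test page
    'path'     => '/',
    'domain'   => 'www.domain2.com',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'None',
]);

// 3. Start or resume the session (same guard used in the thread).
if (session_id() === '') {
    session_start();
}

// 4. Counter that proves the session persists across clicks: it should
//    increase on every reload instead of being stuck at 1.
$_SESSION['mytest'] = ($_SESSION['mytest'] ?? 0) + 1;

printf(
    "%d - <a href='iframetest.php'>test %d</a><br>\n",
    $_SESSION['mytest'],
    time()
);
```

Load the page twice inside the iframe and check the response headers: the first response carries Set-Cookie with the attributes above, and the second shows the counter at 2 rather than 1. A cookie marked SameSite=None is, by design, sent on any cross-site request to domain2, so the application behind it needs its own CSRF protection (a per-session token checked on every state-changing request); the header and cookie flags only make the session persist, they do not authorise the requests that use it.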
If it works, it works, though I admit to being baffled. I'm taking a few days off (family wedding to go to) so good luck.

gr8gonzo (Consultant, Author) Commented:
Thanks. Have fun!