
PHP - session variables lost between subfolders

sabecs asked:
I have a file in www.mywebsite.com/subfolder/test.php that sets a few session variables as below:

session_start();

$_SESSION['user'] = "OK";
$_SESSION['id'] = $row_user['id'];
$_SESSION['contact'] = $row_user['contact'];

and another file in the same directory that checks the session variable which displays the session data OK.
www.mywebsite.com/subfolder/test2.php

<?php session_start();
echo "session user".$_SESSION['user'];
echo $_SESSION['userid'];
echo $_SESSION['contact'];            
?>

But if I then go to any files outside the subfolder say www.mywebsite.com/index.php and then go back to www.mywebsite.com/subfolder/test2.php session_variables are all lost.

I have session_start() on all files in my website so why am I losing session data?

Avinash ZalaWeb Expert

Commented:
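In the test2.php file, try the code below:

<?php
// Start the session only if one is not already active
// (isset() avoids an undefined-variable notice on $_SESSION).
if (!isset($_SESSION)) {
    session_start();
}
echo "session user".$_SESSION['user'];
echo $_SESSION['userid'];
echo $_SESSION['contact'];
?>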

Hope this helps,
Addy
Top Expert 2007

Commented:
maybe anywhere else you do a $_SESSION = array() or session_destroy()?
Most Valuable Expert 2011
Top Expert 2016

Commented:
Session variables are tied to the session cookies.  The PHP session handler sets cookies that work DOWN the tree, but not up the tree - in other words, a cookie set in a sub-directory may be unavailable to other directories that are not in its path.  So you want to set your own session cookies to avoid this issue.  Try the scheme here and see if it helps, then post back if you have any questions.  Another strategy is to set all your cookies in a startup script that is in the WWW root.

A similar effect can be observed when clients visit your site with domain.org and www.domain.org - these will get different cookies and thus, different sessions.  Log in to domain.org and your login may not be valid for www.domain.org pages.

HTH, ~Ray
<?php
// START THE SESSION AND SET THE COOKIE 
$sess_name = session_name();
if (session_start())
{
// MAN PAGE http://us.php.net/manual/en/function.setcookie.php
    setcookie($sess_name, session_id(), NULL, '/');
}
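
Added example, not part of the original thread: a shared bootstrap that fixes the session cookie's path and host before session_start() runs, which addresses both the subfolder case and the domain.org / www.domain.org case described above. The file name, function name and CANONICAL_HOST value are hypothetical; it assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
// session_bootstrap.php (hypothetical name): include this first in every
// script, in the web root and in subfolders alike.

const CANONICAL_HOST = 'www.example.org'; // placeholder host, an assumption

function start_site_session(): void
{
    // domain.org and www.domain.org receive separate cookies, so send every
    // visitor to one host before any session cookie is issued.
    $host = $_SERVER['HTTP_HOST'] ?? '';
    if (PHP_SAPI !== 'cli' && strcasecmp($host, CANONICAL_HOST) !== 0) {
        $uri = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $uri, true, 301);
        exit;
    }

    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started by an earlier include
    }

    // Must run before session_start(); the array form needs PHP 7.3+.
    session_set_cookie_params([
        'lifetime' => 0,     // session cookie, dropped when the browser closes
        'path'     => '/',   // valid for the whole site, not only /subfolder/
        'domain'   => '',    // host-only: not shared with other subdomains
        'secure'   => true,  // sent over HTTPS only
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax', // withheld from most cross-site requests
    ]);
    session_start();
}

start_site_session();
```

Unlike a manual setcookie() call, this leaves PHP in charge of emitting the session cookie, so there is one cookie with one set of attributes.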


Commented:
Hi sabecs,
Sounds like you are probably losing your session values on the index.php page.

1. Check if you are using session_start(); on index.php page
2. If yes, check if the session values are being overwritten by blanks or if the integrity of the session values is being maintained.
3. Check if you are unsetting the session variables in any way throughout the index.php page.
4. Do you have any other scripts hiding at the top of the index.php script? If yes, then go through that. Maybe you are destroying any sessions and may not have noticed that.
5. What exactly are the session destroy conditions in your scripts? It would help if you can tell us how you are initializing and destroying them.
6. Lastly (maybe not that applicable), how long are you waiting before you access the scripts in the sub-folders from the index.php page? Are you waiting for a long time? Maybe your sessions are expiring. If you are not waiting a long time, then this may not be the problem. It may be one among 5 possible problems I listed above.

Please check above and let me know. Thanks.
Most Valuable Expert 2011
Top Expert 2016

Commented:
Afterthought.  You might want to look at your cookies!  It will reveal a multitude of interesting detail.  In Firefox, use Tools => Options => Privacy, and depending on your version of FF, you may find a link to display cookies or a link to remove individual cookies.  Either one will let you look at the cookies.  Click on the cookie name, and it will show you the content, domain and path settings.

best of luck with it, ~Ray

Author

Commented:
Thanks for your help,
I tried below as Ray suggested however when I check cookies I can't see any that have been created.
<?php
// START THE SESSION AND SET THE COOKIE
$sess_name = session_name();
if (session_start())
{
// MAN PAGE http://us.php.net/manual/en/function.setcookie.php
    setcookie($sess_name, session_id(), NULL, '/');
}
Vimal DMSenior Software Engineer

Commented:

Author

Commented:
I found a PHP.INI on the remote server with "register_globals = On".
Got rid of the file and everything now works.
Anyone know why this file would be there and why it would cause the original problem?
Most Valuable Expert 2011
Top Expert 2016

Commented:
That is often a setting that is left over from old PHP installations, where the server administrator does not understand the danger of the setting.  If your code accidentally relied on register_globals, I can understand how it could be a problem.  You can avoid some of these issues by using error_reporting(E_ALL) when you are developing your code.

These kinds of things are written up on the PHP web site.  Please see the large red warning box here:
http://www.php.net/manual/en/ini.core.php#ini.register-globals

Best, ~Ray
Most Valuable Expert 2011
Top Expert 2016

Commented:
http://bugs.php.net/bug.php?id=15983 - CLOSED in 2002
http://bugs.php.net/bug.php?id=14636 - BOGUS in 2001

Both refs identify session_register, which is documented here (along with another one of those big red boxes):
http://us.php.net/manual/en/function.session-register.php
Vimal DMSenior Software Engineer

Commented:
Hi,

When it is set like this, "register_globals = On", it will cause problems. Just follow the link below:

http://blog.php-security.org/archives/3-register_globals-is-not-evil.html

Suppose you want it to be on: just write PHP code for that particular page alone for register_globals to be on or off.

This would be the better practice.
Most Valuable Expert 2011
Top Expert 2016
Commented:
Rather than try to program around deprecated features of the language, it might be a better practice to use STRICT error reporting and fix the programming that relied on the deprecated features.  Testing the environment for dangerous conditions is one part of being a professional.  Here is one example of how to do that.

Best to all, ~Ray
if (ini_get('register_globals')) die('DANGER = register_globals is ON');
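
Added example, not part of the original thread: the same startup test widened to the session settings discussed on this page, logging the findings together with the ini file PHP loaded instead of printing them to the visitor. The function name is hypothetical; the directive names are PHP's own.

```php
<?php
/** Returns a list of findings; an empty list means every check passed. */
function session_environment_findings(): array
{
    // ini_get() returns false for a directive this PHP build does not know
    // (register_globals was removed in PHP 5.4), which reads as "off" here.
    $on = static function (string $key): bool {
        return filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN);
    };

    $findings = [];
    if ($on('register_globals')) {
        $findings[] = 'register_globals is ON';
    }
    if (!$on('session.use_only_cookies')) {
        $findings[] = 'session.use_only_cookies is off: session ids accepted from the URL';
    }
    if ($on('session.use_trans_sid')) {
        $findings[] = 'session.use_trans_sid is on: session ids written into links';
    }
    if (ini_get('session.cookie_path') !== '/') {
        $findings[] = 'session.cookie_path is not "/": cookie limited to part of the site';
    }
    return $findings;
}

$findings = session_environment_findings();
if ($findings !== []) {
    // Name the ini file in the log so a stray php.ini is easy to trace.
    $ini = php_ini_loaded_file() ?: '(none loaded)';
    foreach ($findings as $finding) {
        error_log("PHP environment check failed: $finding [ini: $ini]");
    }
    if (PHP_SAPI !== 'cli') {
        http_response_code(500);
    }
    exit('Configuration error.'); // details go to the log, not the visitor
}
```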


Author

Commented:
Thanks Ray.
Most Valuable Expert 2011
Top Expert 2016

Commented:
Glad to help - it's a great question. ~Ray