PHP version 5.4.41
Apache version 2.2.15
Linux version 2.6.32
CentOS 6.6
I have some code that won't redirect properly. There is a lot of code and configuration, so I'm going to try and keep it as simple as possible. My session is continuously lost after a header redirect. There are no errors and there are no warnings; the redirect proceeds fine. I session_start(); and var_dump($_SESSION) on the page after the redirect to get NULL. If I session_start and dump right before the redirect, the session dumps fine. I'm guessing it has something to do with the .htaccess mod_rewrites dropping the session between pages, but am unsure how to fix it. I keep reading to add [L, QSA] but that is not helping. Sessions work fine for simple pages on the same server that don't use the mod_rewrites.
I think the domain is the same seeing how it goes from:
http://localhost:8000/web/someus/login
http://localhost:8000/web/someus/home
I chmoded & chowned recursively the whole www folder so that apache had all permissions and owned everything in the site.
The .htaccess file looks like:
RewriteCond %{REQUEST_URI} !=/web/[a-z0-9]{6}/index.php
RewriteCond %{REQUEST_URI} !error [NC]
RewriteCond %{REQUEST_URI} !css [NC]
RewriteCond %{REQUEST_URI} !images [NC]
RewriteCond %{REQUEST_URI} !js [NC]
RewriteRule ^([a-z0-9]{6})/(.*)$ /web/index.php?id=$1&page=$2 [L,QSA]
httpd.conf has a DocumentRoot:
DocumentRoot "/var/www/html"
httpd.conf has an alias set up that looks like:
Alias /web /var/www/html/website/
<Directory "/var/www/html/website/">
AllowOverride All
Order allow,deny
Allow from all
</Directory>
in php.ini output_buffering is turned on.
session.cookie_path = /var/www/html/session
session.use_cookies = 1
session.use_only_cookies = 1
The header redirect looks like this, with the $url value containing 'home' (replacing login with home in the URL):
header("Location: $url",true,302);
exit();
When I curl -i on the home page I get:
HTTP/1.1 302 Found
Date: Wed, 10 Jun 2015 21:54:38 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.41
Set-Cookie: PHPSESSID=08079c815224b0b129d566dc274e0081; path=/web/someus; domain =127.0.0.1; secure
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=ebde43200c30ad6ac18e88b8bfb71371; path=/web/someus; domain =127.0.0.1; secure
Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/web/ webdmo; domain=127.0.0.1; secure; httponly
Location: login
Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-WebKit-CSP: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Strict-Transport-Security: max-age=631138519; includeSubDomains
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
When I curl -i on the login page that redirects to the home page I get:
HTTP/1.1 200 OK
Date: Wed, 10 Jun 2015 21:58:21 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.41
Set-Cookie: PHPSESSID=d79a57eaabb9a41e99f4e0dda202a598; path=/web/someus; domain=127.0.0.1; secure
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-WebKit-CSP: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Strict-Transport-Security: max-age=631138519; includeSubDomains
Content-Length: 2890
Connection: close
Content-Type: text/html; charset=UTF-8
I think it's interesting that the 127.0.0.1 domain is secure in one and not the other; I'm not sure if that has anything to do with it.
Best Answer
You are confusing session.cookie_path (which is set to /var/www/html/session) with session.save_path. See the definitions from the links provided above. You probably want session.save_path to be /var/www/html/session and leave cookie path alone.

The session cookie path will tell the browser that those cookies should only be used for certain URL paths on your site. For example, if I set a cookie with session.cookie_path of /web/someus and then tried to visit /web/somethingelse, the previously set cookie will not be sent because it is not in the path /web/someus. If you leave the cookie path as the default / then the session cookie will be sent after the redirect.
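To make the cookie-path rule in the answer concrete, here is an added example (not code from the question, the answer, or PHP itself) that simulates which cookies a browser would attach to a request, following the RFC 6265 path-match rule (section 5.1.4) and the Secure-attribute rule (section 5.4). It runs the three cookie paths that matter on this page (the php.ini value /var/www/html/session, the /web/someus path seen in the curl output, and the default /) against the two URLs from the redirect. The cookie jar and URLs are constructed sample data; the Cookie class, path_matches, default_path and cookies_for are names chosen here, not a real cookie library.

```python
"""
Which cookies does a client send to a given URL?
Implements the RFC 6265 path-match (5.1.4) and Secure (5.4) rules.
Constructed example; the sample jar below is not real session data.
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str
    secure: bool = False


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: the default-path a cookie gets when Path= is absent.
    Everything up to, but not including, the right-most '/'; '/' otherwise."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: exact match, or cookie path is a prefix
    ending in '/', or a prefix followed by '/' in the request path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def cookies_for(url: str, jar: List[Cookie]) -> List[str]:
    """Names of the cookies in `jar` that a conforming client would attach
    to a request for `url` (path-match plus the Secure attribute check)."""
    parts = urlsplit(url)
    request_path = parts.path or "/"
    sent = []
    for c in jar:
        # RFC 6265 5.4 step 1: a Secure cookie only travels over a secure channel.
        if c.secure and parts.scheme != "https":
            continue
        if path_matches(request_path, c.path):
            sent.append(c.name)
    return sent


def session_survives_redirect(cookie_path: str, scheme: str = "http") -> bool:
    """True if a PHPSESSID set on the login page (with the given cookie path)
    is sent back on the redirect target /web/someus/home."""
    jar = [Cookie("PHPSESSID", "constructed-session-id", cookie_path)]
    home = f"{scheme}://localhost:8000/web/someus/home"
    return "PHPSESSID" in cookies_for(home, jar)


def compare_cookie_paths() -> Dict[str, bool]:
    """Run the three cookie paths relevant to this question through the rule."""
    return {
        "/var/www/html/session": session_survives_redirect("/var/www/html/session"),
        "/web/someus": session_survives_redirect("/web/someus"),
        "/": session_survives_redirect("/"),
    }


if __name__ == "__main__":
    for path, ok in compare_cookie_paths().items():
        print(f"session.cookie_path={path!r:24} sent on /web/someus/home: {ok}")
    print("/web/somethingelse gets the /web/someus cookie:",
          path_matches("/web/somethingelse", "/web/someus"))
```

A filesystem path such as /var/www/html/session can never path-match a URL like /web/someus/home, which is exactly why that value belongs in session.save_path and not session.cookie_path. The Secure check is included because the curl output above shows `secure` on cookies issued over http:// URLs; per RFC 6265 such a cookie is only returned over https, so session.cookie_secure is worth checking too (many current browsers exempt localhost from this rule, which is why the symptom may differ between a browser and curl).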