.htaccess Lost SESSION after header redirect using mod_rewrite [L, QSA] with started session

.htaccessapache-2.2mod-rewriteredirectsession

PHP version 5.4.41
Apache version 2.2.15
Linux version 2.6.32
CentOS 6.6

I have some code that won't redirect properly. There is a lot of code and configuration, so I'm going to try and keep it as simple as possible. My session is continuously lost after a header redirect. There are no errors and there are no warnings…the redirect proceeds fine. I session_start(); and var_dump[$_SESSION] on the page after the redirect to get NULL. If I session_start and dump right before the redirect, the session dumps fine. I'm guessing it has something to do with the htaccess mod_rewrites dropping the session between pages, but am unsure how to fix it. I keep reading to add [L, QSA] but that is not helping. Sessions work fine for simple pages on the same server that don't use the mod_rewrites.

I think the domain is the same seeing how it goes from:
http://localhost:8000/web/someus/login
http://localhost:8000/web/someus/home

I chmoded & chowned recursively the whole www folder so that apache had all permissions and owned everything in the site.

The .htaccess file looks like:

RewriteCond %{REQUEST_URI} !=/web/[a-z0-9]{6}/index.php
RewriteCond %{REQUEST_URI} !error [NC]
RewriteCond %{REQUEST_URI} !css [NC]
RewriteCond %{REQUEST_URI} !images [NC]
RewriteCond %{REQUEST_URI} !js [NC]
RewriteRule ^([a-z0-9]{6})/(.*)$ /web/index.php?id=$1&page=$2 [L,QSA]

httpd.conf has a DocumentRoot:

DocumentRoot "/var/www/html"

httpd.conf has an alias set up that looks like:

Alias /web /var/www/html/website/
<Directory "/var/www/html/website/">
    AllowOverride All
    Order allow, deny
    Allow from all
</Directory>

in php.ini output_buffering is turned on.

session.cookie_path = /var/www/html/session
session.use_cookies = 1
session.use_only_cookies = 1

The header redirect looks like with the $url value containing 'home' replacing the login with home in the url:

header("Location: $url",true,302);
exit();

When I curl -i on the home page

I get:

HTTP/1.1 302 Found
Date: Wed, 10 Jun 2015 21:54:38 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.41
Set-Cookie: PHPSESSID=08079c815224b0b129d566dc274e0081; path=/web/someus; domain                                                                                  =127.0.0.1; secure
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=ebde43200c30ad6ac18e88b8bfb71371; path=/web/someus; domain                                                                                  =127.0.0.1; secure
Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/web/                                                                                  webdmo; domain=127.0.0.1; secure; httponly
Location: login
Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-WebKit-CSP: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Strict-Transport-Security: max-age=631138519; includeSubDomains
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

When I curl -i on the login page that redirects to the home page

I get:

HTTP/1.1 200 OK
Date: Wed, 10 Jun 2015 21:58:21 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.41
Set-Cookie: PHPSESSID=d79a57eaabb9a41e99f4e0dda202a598; path=/web/someus; domain=127.0.0.1; secure
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-WebKit-CSP: default-src 'self' 'unsafe-eval' 'unsafe-inline'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Strict-Transport-Security: max-age=631138519; includeSubDomains
Content-Length: 2890
Connection: close
Content-Type: text/html; charset=UTF-8

I think it's interesting that the 127.0.0.1 domain is secure in one and not the other–I'm not sure if that has anything to do with it.

Best Answer

You are confusing session.cookie_path which is set to /var/www/html/session with session.save_path.

See the definitions from the links provided above. You probably want session.save_path to be /var/www/html/session and leave cookie path alone.

The session cookie path will tell the browser that those cookies should only be used for certain URL paths on your site.

For example, if I set a cookie with session.cookie_path of /web/someus and then tried to visit /web/somethingelse, the previously set cookie will not be sent because it is not in the path /web/someus.

If you leave the cookie path as the default / then the session cookie will be sent after the redirect.

Related Solutions

Tomcat – Apache2 – mod_expire and mod_rewrite not working in httpd.conf – serving content from tomcat

Probably the ProxyPass / directive you have in your config routes all requests to the Tomcat backend, bypassing all your mod_rewrite directives. You can try to remove the ProxyPass directive and use RewriteRule with the [P] flag after your other rewrites:

mod_rewrite: P|proxy

For the expire headers the situation is worse — in another similar question a solution was not found.

Option +FollowSymLinks would be needed for using mod_rewrite in .htaccess files; in your case it is not required, because you can put everything in the Apache config. Moving rules from config to .htaccess is pointless and can only make things slower. However, there is an important difference between .htaccess and the Apache config — in .htaccess patterns in RewriteRule are matched against relative filesystem paths (which never start with /), while in the VirtualHost context these patterns are matched against the URL path after the hostname, which always starts with /. Therefore at least one of your rules is incorrect:

RewriteRule ^content/(js|css)/([a-z]+)-([0-9]+)\.(js|css)$ /content/$1/$2.$4

should be

RewriteRule ^/content/(js|css)/([a-z]+)-([0-9]+)\.(js|css)$ /content/$1/$2.$4

(note the additional slash in the beginning).

.htaccess redirect not preserving http_referer header

RFC doesn't specify any referrer-specific behavior in status 301 definition, nor 301-specific behavior in Referer header definition. Thus, I have to say that although this referrer-preserving behavior is logical, it is not defined in RFC and thus you can never be sure.

In short i don't belive you will be able to acomplish this with either redirect or mod_rewrite.

Your best bet would be to make a simple php code to redirect the user which will maintain the HTTP_REFERER.

Put a file named index.php on your domain root with the bellow content:

<?php
   header( 'Location: http://www.oursite.com/' ) ;
?>

Make a .htaccess and put it in your domain root directory with the bellow content:

RewriteEngine on
RewriteCond %{REQUEST_URI} !^/index.php$
RewriteRule . index.php

The .htaccess file will take care that anything typed to reach your domain will hit the index.php and the index.php will take care for redirecting to the site it needs to hit.

Best Answer

Related Solutions

Tomcat – Apache2 – mod_expire and mod_rewrite not working in httpd.conf – serving content from tomcat

.htaccess redirect not preserving http_referer header

Related Topic