no session IDs with PHP 4.3.2

Wichelhaus

I recently upgraded from PHP 4.2.3 to 4.3.2. The same php code for handling sessions that formerly worked well now doesn't work. session_start() creates a new session id but in concurrent scripts session_start() doesn't reuse the sid but creates a new one. And the session ids aren't applied to any links within the html code. Any suggestions? I guess I forgot to set a switch during compilation.

tsinka

Hi,

try to set session.use_trans_sid to 1 in the php.ini and restart the server. That parameter in the php.ini causes the session id to be added as get parameter to all your links.

Wichelhaus

It doesn't seem to work. Does it matter that I compiled PHP as static?

tsinka

No,

that shouldn't make a difference. Can you post the script and your php.ini ?

Do you use Windows as server or Linux/Solaris/HP-UX ... ? If Linux ... which distribution ?

Wichelhaus

The system is running debian 3.0
The login script creates a new session id, apparently in a correct way.
The other script is

<?php
session_start();
?>
<html><head><title>Test</title></head>
<body>
<a href="logout.php">logout</a><br>
<?php
$name=$_SESSION["name"];
print "hello $name<br>";
?>
<a href="page1.php">page 1</a><br>
<a href="page2.php">page 2</a><br>

....

This script doesn't use the session but creates a new one. As already mentioned the links aren't rewritten at all.

The php.ini is the php.ini-dist, I modified the session.use_trans_id part accordingly.

I checked the php test page - php is compiled with --enable-trans-sid, nevertheless the test page says 'session.use_trans_sid Off'.

What's next?

Wichelhaus

Got it!
I created a .htaccess file with
php_flag session.use_trans_sid on
in, now it works.

tsinka

Hi,

that should also work with directly modifying php.ini, did you rename php.ini-dist to php.ini and copy it to the location where php expects it (phpinfo() output) ?

Wichelhaus

You're right, I got the wrong path to php.ini.

But maybe you can help me with this:
I use

<?php
session_start();
$_SESSION["name"]="William Shakespeare";
Header("Location: nextpage.php");
?>

for logging in.

The session id file is still empty. As far as I understood the session stuff the sid file should contain those session variables.

In nextpage.php

<?php
session_start();
echo $_SESSION["name"];
?>

doesn't output anything. I guess it's related to the empty sid files. Is this correct?

tsinka

Hi,

can you post your php.ini ?

Wichelhaus

Do you mean the whole php.ini? As I mentioned, I solely modified the session.use_trans_sid.

I removed the comments so the php.ini fits in here:

engine = On
short_open_tag = On
asp_tags = Off
precision    =  12
y2k_compliance = On
output_buffering = Off
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func=
serialize_precision = 100
allow_call_time_pass_reference = On
safe_mode = Off
safe_mode_gid = Off
safe_mode_include_dir =								
safe_mode_exec_dir =
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH
disable_functions =
disable_classes =
expose_php = On
max_execution_time = 30     ; Maximum execution time of each script, in seconds
max_input_time = 60	; Maximum amount of time each script may spend parsing request data
memory_limit = 8M      ; Maximum amount of memory a script may consume (8MB)
error_reporting  =  E_ALL & ~E_NOTICE
display_errors = On
display_startup_errors = Off
log_errors = Off
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off


variables_order = "EGPCS"
register_globals = Off
register_argc_argv = On
post_max_size = 8M
gpc_order = "GPC"
magic_quotes_gpc = On
magic_quotes_runtime = Off    

magic_quotes_sybase = Off
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
doc_root =
user_dir =
extension_dir = "./"
enable_dl = On

file_uploads = On
upload_max_filesize = 2M
allow_url_fopen = On
default_socket_timeout = 60
[Syslog]
define_syslog_variables  = Off
[mail function]
SMTP = localhost
sendmail_from = [email]me@localhost.com[/email]
[Java]
[SQL]
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1  

odbc.defaultlrl = 4096  

odbc.defaultbinmode = 1  

[MySQL]
mysql.allow_persistent = On
mysql.max_persistent = -1
mysql.max_links = -1
mysql.default_port =
mysql.default_socket =
mysql.default_host =
mysql.default_user =
mysql.default_password =
mysql.connect_timeout = -1
mysql.trace_mode = Off
[mSQL]
msql.allow_persistent = On
msql.max_persistent = -1
msql.max_links = -1
[PostgresSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off 
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[Sybase]
sybase.allow_persistent = On
sybase.max_persistent = -1
sybase.max_links = -1
sybase.min_error_severity = 10
sybase.min_message_severity = 10
sybase.compatability_mode = Off
[Sybase-CT]
sybct.allow_persistent = On
sybct.max_persistent = -1
sybct.max_links = -1
sybct.min_server_severity = 10
sybct.min_client_severity = 10
[dbx]
dbx.colnames_case = "unchanged"
[bcmath]
bcmath.scale = 0
[browscap]
[Informix]
ifx.default_host =
ifx.default_user =
ifx.default_password =
ifx.allow_persistent = On
ifx.max_persistent = -1
ifx.max_links = -1
ifx.textasvarchar = 0
ifx.byteasvarchar = 0
ifx.charasvarchar = 0
ifx.blobinfile = 0
ifx.nullformat = 0
[Session]
session.save_handler = files
session.save_path = /tmp
session.use_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor     = 100
session.gc_maxlifetime = 1440
session.bug_compat_42 = 1
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = On
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="
[MSSQL]
mssql.allow_persistent = On
mssql.max_persistent = -1
mssql.max_links = -1
mssql.min_error_severity = 10
mssql.min_message_severity = 10
mssql.compatability_mode = Off
mssql.secure_connection = Off
[Assertion]
[Ingres II]
ingres.allow_persistent = On
ingres.max_persistent = -1
ingres.max_links = -1
ingres.default_database =
ingres.default_user =
ingres.default_password =
[Verisign Payflow Pro]
pfpro.defaulthost = "test-payflow.verisign.com"
pfpro.defaultport = 443
pfpro.defaulttimeout = 30
[Sockets]
sockets.use_system_read = On
[com]
[Printer]
[mbstring]
[FrontBase]
[Crack]
[exif]

tsinka

Hi,

I wanted to see the other session parameters.

session.use_cookies = 1

Your php is set up to use cookies for the session so you wouldn't need trans_sid at all. You can either set the above value to 0 or use trans sid's. I sometimes had problems, when both use_cookies and use_trans_sid were enabled. If you disabled Cookies in your browser the sessions might not work. You might also try to set session.auto_start to true so you don't need session_start() anymore 🙂

Thomas

Wichelhaus

Okay, I turned session.use_cookies to 0 now, the session ids are generated but the session files still are empty :-(

tsinka

Hi,

it might a problem with the header call which might cause php not to write session data correctly. Try this:

session_start(); 
$_SESSION["name"]="William Shakespeare"; 
session_write_close();
Header("Location: nextpage.php");

tsinka

session_start(); 
$_SESSION["name"]="William Shakespeare"; 
session_write_close();
Header("Location: nextpage.php?".session_name()."=".session_id());

Wichelhaus

Originally posted by tsinka
Or

session_start(); 
$_SESSION["name"]="William Shakespeare"; 
session_write_close();
Header("Location: nextpage.php?".session_name()."=".session_id());

[/B]

That worked! Thank you very much!

encrypton_z

Hi!

I would suggest checking out the NEWS file for php 4.3.2. It mentions something about the session_regenerate_id() function.

Apparently, it alleviates the problem you were having with session id's. Hope this helps!