session vars not being saved - but use_trans_sid is on

raspberryh

Hi,
My session variables are not being saved... But my session.use_trans_sid is on.
I used the test by toplay in this post and it put the SID in the URL - which I guess means that session cookies aren't allowed, or something...
Well, I am not sure what exactly needs to be turned on for this...
The actual site itself is on a server that I can't really send a link to (because we are moving the site to new server, and the dns currently points to the old site, where the session ids are working)... But, I copied & pasted the phpinfo from the new one (where the session ids are not working) into an html file... I was hoping someone could look at it and let me know if there is something I need to change?
The phpinfo file is here .
Thanks so much!
Heather

toplay

Hi, I just happen to come across your post here.

Well, your phpinfo() session settings look fine.

When a session cookie can't be created it's usually due to the environment on the (pc) machine you're using. Under the Windows platform, the use of certain software such as Norton Internet Security or Personal Firewall, McAfee Personal Firewall Plus, GhostSurf Pro, and ZoneAlarm may block cookies from being created. Turn these types of software off or adjust their settings to allow cookie generation. Have you tried testing your web site from another computer or different browser at least?

Your error reporting is set to 261. I would set it to E_ALL while testing/debugging this. See:
http://us2.php.net/manual/en/function.error-reporting.php#AEN40763

The other possibility is that you're sending output before the session_start() and you're suppressing or not seeing the warnings. It's hard to say without seeing the code. For all I know you maybe using ob_start() for buffering the output and what I just said may not apply.

You can always provide us with the link so members can test and report back to you. If the DNS is not set on the new site, you should find and post the link using the IP address of the server - i.e. http://111.222.333.444/script.php

That way I can run it and immediately tell you if my browser created a session cookie or not.

raspberryh

Hey toplay 🙂
Thanks for responding to my post!
Well, as far as computer/browser settings go, I am on a MAC, but also, the session variables work fine on our old server, but they don't work on the new server, using the same computer/browser, etc. I have also tried in different browsers though - Firefox, IE, and Safari.
As far as session_start and all that - I tried using the code that you gave, you know, the set.php, etc? And the session vars didn't work with that...
I don't think I can send you a link though, because we have multiple domains on that one server - so when I go to the IP address in my browser it just gives the PLESK default page since we have multiple domains on it... So I don't think I can do that...
The way that I test the page on my MAC machine is by going to System Preferences -> Network and then under DNS Servers I put the IP address and under Search Domains I put the website address (www.ideas-r-new.com). However, if there is an easier way to do this I would really like to know (it's annoying not being able to view both sites simultaneously - I always have to go and change the network settings to switch b/w the old and new site).
Anyways I kind of went off on a tangent there, sorry about that...
Hmmm, well I will try your suggestion of setting the error reporting to E_ALL, and let you know what happens.
Let me know about that whole ip-address thing with multiple domains on one, if there's some way to access a specific one.
Thank you soooo much!
Heather

toplay

Post relevant code snippets. Your register_globals is off and it should be for security reasons. But maybe your old server had it on and your code was relying on that.

raspberryh

Yeah, I am realizing that this code uses a lot of things that it shouldn't...
It uses session_register() and the register globals on... I tried rewriting all those parts to their equivalent using $SESSION (for the session_register() stuff) and I used

foreach($_REQUEST as $key => $value)
  ${$key} = $value;

But I was STILL having problems.
GRRR, it's so frustrating because I didn't write the code. I HATE having to use other people's code :mad:
Would it be really bad to have those things enabled for this one domain?
I mean, we have had the website on our old server for forever, and nothing bad has happened, so it's not like we'd be going backwards any. We would just have it at the same security as it was before...
Heather

toplay

I would not use any code relying on session_register() and related functions. It's the old style of writing things and the fact it requires register_globals on. Here's a link about it:
http://phpsec.org/projects/guide/1.html#1.3

I would not use $REQUEST but rather use the $GET, $POST or $COOKIE directly. And if you wanted to duplicate the behavior of register_globals on without turning them on, then look into using import_request_variables() or extract():
http://us2.php.net/manual/en/function.import-request-variables.php

I got hacked last year and I didn't have a site that had anything to do with money. I read last week two different members having problems with hacking and one was even a non-profit organization. Today, someone posted that his admin area got hacked and they deleted a lot of stuff. So, it's up to you whether you want to take the chance or not, but it only takes one mistake or vulnerability for a hacker to get in and destroy your work.

There's a whole book (165 pages) on PHP security that I would recommend (available for download):
http://www.phparch.com/shop_product.php?itemid=98

Good luck.