phpsession-cookiesispconfig

Logging on ISP Config broke my PHP sessions and cookies forever


To explain my problem I have to add some context info:

We have a website, it works with sessions and has been working for 7 years with no problems, except for our server administrator, he can not login, and we never knew why... until now...

Our Server administrator is on vacations, so I had to do some of his works, it include login on ISP Config which is located on the same server and domain using a different port (8080), I logged there, to check some values and then when I go back to our website, I could not login, just as our server administrator.

Doing some debug I found it is a problem with sessions, on every refresh session_id() changes.

using ini_get I got session.cookie_domain and session.cookie_secure are empty.

If I do a print_r($_COOKIE) there is no PHPSESSID, if I set it to any value it dissapears, even if I write a long expiration It is not saved, If I set 2 cookies like this:

setcookie("PHPSESSID", "MYSESSION", time()+365*24*60*60, '/');
setcookie("a", "b", time()+365*24*60*60, '/');

and then print_r($_COOKIE); I get this:

Array ( [a] => b )

I don't have any .htaccess, so there is no rules in my side, seems like there is something in ISP config what changed the way I store cookies.

I could ask on webmasters.stackexchange.com but I need a PHP answer to set the new values when someone log in my website after logging in ISP config.

This is my current code to test:

<?php
session_set_cookie_params(3600,"/");
session_start();
//$_SESSION[b_id]=1;
setcookie("PHPSESSID", "GTS", time()+365*24*60*60, '/');
setcookie("a", "b", time()+365*24*60*60, '/');
echo "<div>b_id: $_SESSION[b_id]</div>";
echo "<div>session_id: ".session_id()."</div>";
echo "<div>cookie_domain: ".ini_get('session.cookie_domain')."</div>";
echo "<div>save_path: ".ini_get('session.save_path')."</div>";
echo "<div>cookie_secure: ".ini_get('session.cookie_secure')."</div>";
print_r($_COOKIE);
/*echo "<pre>";
print_r(ini_get_all());
echo "</pre>";*/
?>

This is the output, (session_id value changes each time):

b_id:
session_id: du95eljbkct54qktvcd18a7ej0
cookie_domain:
save_path: /var/lib/php/sessions
cookie_secure:
Array ( [a] => b )

This is the output of ini_get_all() function:

[session.auto_start] => Array   (
    [global_value] => 0
    [local_value] => 0
    [access] => 2
)
[session.cache_expire] => Array (
    [global_value] => 180
    [local_value] => 180
    [access] => 7
)
[session.cache_limiter] => Array    (
    [global_value] => nocache
    [local_value] => nocache
    [access] => 7
)
[session.cookie_domain] => Array    (
    [global_value] => 
    [local_value] => 
    [access] => 7
)
[session.cookie_httponly] => Array  (
    [global_value] => 
    [local_value] => 
    [access] => 7
)
[session.cookie_lifetime] => Array  (
    [global_value] => 0
    [local_value] => 3600
    [access] => 7
)
[session.cookie_path] => Array  (
    [global_value] => /
    [local_value] => /
    [access] => 7
)
[session.cookie_secure] => Array    (
    [global_value] => 
    [local_value] => 
    [access] => 7
)
[session.entropy_file] => Array (
    [global_value] => /dev/urandom
    [local_value] => /dev/urandom
    [access] => 7
)
[session.entropy_length] => Array   (
    [global_value] => 32
    [local_value] => 32
    [access] => 7
)
[session.gc_divisor] => Array   (
    [global_value] => 1000
    [local_value] => 1000
    [access] => 7
)
[session.gc_maxlifetime] => Array   (
    [global_value] => 1440
    [local_value] => 1440
    [access] => 7
)
[session.gc_probability] => Array   (
    [global_value] => 0
    [local_value] => 0
    [access] => 7
)
[session.hash_bits_per_character] => Array  (
    [global_value] => 5
    [local_value] => 5
    [access] => 7
)
[session.hash_function] => Array    (
    [global_value] => 0
    [local_value] => 0
    [access] => 7
)
[session.lazy_write] => Array   (
    [global_value] => 1
    [local_value] => 1
    [access] => 7
)
[session.name] => Array (
    [global_value] => PHPSESSID
    [local_value] => PHPSESSID
    [access] => 7
)
[session.referer_check] => Array    (
    [global_value] => 
    [local_value] => 
    [access] => 7
)
[session.save_handler] => Array (
    [global_value] => files
    [local_value] => files
    [access] => 7
)
[session.save_path] => Array    (
    [global_value] => /var/lib/php/sessions
    [local_value] => /var/lib/php/sessions
    [access] => 7
)
[session.serialize_handler] => Array    (
    [global_value] => php
    [local_value] => php
    [access] => 7
)
[session.upload_progress.cleanup] => Array  (
    [global_value] => 1
    [local_value] => 1
    [access] => 2
)
[session.upload_progress.enabled] => Array  (
    [global_value] => 1
    [local_value] => 1
    [access] => 2
)
[session.upload_progress.freq] => Array (
    [global_value] => 1%
    [local_value] => 1%
    [access] => 2
)
[session.upload_progress.min_freq] => Array (
    [global_value] => 1
    [local_value] => 1
    [access] => 2
)
[session.upload_progress.name] => Array (
    [global_value] => PHP_SESSION_UPLOAD_PROGRESS
    [local_value] => PHP_SESSION_UPLOAD_PROGRESS
    [access] => 2
)
[session.upload_progress.prefix] => Array   (
    [global_value] => upload_progress_
    [local_value] => upload_progress_
    [access] => 2
)
[session.use_cookies] => Array  (
    [global_value] => 1
    [local_value] => 1
    [access] => 7
)
[session.use_only_cookies] => Array (
    [global_value] => 1
    [local_value] => 1
    [access] => 7
)
[session.use_strict_mode] => Array  (
    [global_value] => 0
    [local_value] => 0
    [access] => 7
)
[session.use_trans_sid] => Array    (
    [global_value] => 0
    [local_value] => 0
    [access] => 7
)
[session.cookie_domain] => Array    (
    [global_value] => 
    [local_value] => 
    [access] => 7
)
[session.cookie_httponly] => Array  (
    [global_value] => 
    [local_value] => 
    [access] => 7
)
[session.cookie_lifetime] => Array  (
    [global_value] => 0
    [local_value] => 3600
    [access] => 7
)
[session.cookie_path] => Array  (
    [global_value] => /
    [local_value] => /
    [access] => 7
)
[session.cookie_secure] => Array    (
    [global_value] => 
    [local_value] => 
    [access] => 7
)

How to go back my session system to default as before logging in ISP config?


Answering Iłya Bursov questions

Opening page in incognito mode let me login normally and PHPSESSID doesn't change.

Clearing cookies didn't work, PHPSESSID still changing.

phpinfo gave me some relevant info:

Set-Cookie: PHPSESSID=ositfoouhvosgcklk2k14r7t25; expires=Fri, 07-Dec-2018 19:28:01 GMT; Max-Age=3600; path=/
// This is the same time it was created, so it is creating and expiring inmediately!

Expires: Thu, 19 Nov 1981 08:52:00 GMT
// 1981!?

I have a co-worker (in the same network) who can login in my website.


After 2 days, I am unable to fix the problem, we made a new test today to reproduce this error, our web developer logged on ISP Config and now he is unable to log in in my system!!

Same error as me and our server administrator.

I am using Chrome in Windows 10.

ISP Config version 3.1.11

It seems like this guy had the same issue 6 years ago: PHPSESSID not being saved to cookie


Solution

  • Well, four months later of testing, I going to answer my own question to help others having this issue.

    ISP Config uses the default PHP name session id, so, if you run a different system in the same domain you can not use the same id.

    the first way to solve this problem is doing what @misorude said in his comment, change all the session names to a different name before starting any session:

    session_name('MySystem'); // your session string ID
    session_start();
    

    For your session string ID use any string you want, use always the same on your whole system and do not use a the default value "PHPSESSID".

    Session expired too fast, this is because I was running 2 systems in the same domain as second2none link commented.

    shorter session.gc_maxlifetime time, will be used for all the systems in the domain.

    this question shows a second alternative way to solve it changing the session directory, calling the session_save_path() function.

    There is a third way if you do not want to change the session name id or the session directory in all your files, you can also change the session.save_path configuration as Álvaro González suggested.