#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    150
    Rep Power
    3

    Question $_SESSION's working in I.E. but not in FF?


    Hi all,

    I've got $_SESSION working in I.E., but they are not working in FF in this way (basic set up):

    After successful sign in, some session variables are set, and then checked at various places afterwards.

    While using Firefox, I look in Tools -> Options - Privacy [Show Cookies]

    I can see the PHPSESSID cookie.

    When I check for that PHPSESSID cookie on the filesystem, I can see that corresponding file...and in it are the $_SESSION[vars] that I'm setting.

    However, I'm not able to access those $_SESSION[vars] while using Firefox, like I can while using I.E.

    Any ideas why?

    [Edit: Add] P.S. I was using Firefox 20.0.1 (just now upgraded to version 21.0 - still has this issue) and I.E. 9
    Last edited by we5inelgr; May 22nd, 2013 at 05:07 PM.
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    sessions are stored and processed on the server. They have absolutely nothing to do with what browser you use. In fact, the server doesn't even know your browser (contrary to popular belief), the same way it doesn't know the background image of your desktop or the color of your skin.

    The only way that sessions could seemingly "not work in your browser" is that the browser simply doesn't send the session cookie. You said you've checked that the cookie exists, but you didn't check if it actually gets sent. So install Firebug and do that -- or simply make a var_dump() of $_COOKIE.

    Again, sessions have nothing to do with whether you're using Firefox 1.2.3 or IE12. I can open the console of my operating system right now and make a raw HTTP request without any browser involved. The session will "work" if I send the cookie, and it will "not work" if I don't.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    150
    Rep Power
    3
    Thanks for the reply.

    Yeah, I know sessions are stored on the server (which is why I mentioned filesystem).

    My description wasn't that great, so I'll try again.

    Same php script, accessing the same php session file (on the server) in the php session directory (on the server). I can verify that it is there, and it does have the expected session var data in it, as expected.

    When the script is run using I.E., the contents of that session file can be read (by the php script) and verifications done with it and processing as expected.
    When the script is run using FF, the contents of that session file appear not to be able to be read (by the php script).

    When I place a var_dump($_SESSION) in the php code, and run it with:

    I.E. I get:
    array(5) { ["varA"]=> string(16) "aaaaaaaaaaaaaaaa" ["varB"]=> string(32) "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" ["varC"]=> string(20) "cccccccccccccccccccc" ["varD"]=> int(1111111111) ...etc
    F.F. I get:
    array(0) { }
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    I understand the problem, and I already said what you need to check: the session cookie.

    Forget about Firefox and Internet Explorer. One of your browsers (which one doesn't matter) sends the correct session cookie, but the other one doesn't. The question is: Does the browser send a cookie at all? If yes, do you actually visit the script that stores the values? If yes, what happens with the cookie between this script and the above one?
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    150
    Rep Power
    3
    When I echo var_dump("$_COOKIES");

    In F.F., I get:
    array(1) { ["PHPSESSID"]=> string(32) "ca9bde2634812c352990c2fdfa5e199a" }
    In I.E., I get:
    array(2) { ["slider1"]=> string(9) "slider1:0" ["PHPSESSID"]=> string(32) "9eecab137abebbcf220f4aca6b30cbbf" }
    Last edited by we5inelgr; May 23rd, 2013 at 04:47 PM.
  10. #6
  11. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    150
    Rep Power
    3
    Doing more testing with just Firefox, I found a file in the php session location (on the server):

    session_mm_cgi-fcgi716.sem
    It's empty. Not sure what that is, perhaps some kind of bug "report?"
  12. #7
  13. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    150
    Rep Power
    3
    By writing the session_id() into a file during different phases of the sign-in process (instead of echo'ing out and causing header issues), and testing using I.E. and F.F., I can see that the session_id() is changing 3 times during my testing with F.F., and is not being changed at all testing with I.E. (all the rest of the php code remaining unchanged).

    At least now I know why this is happening when I use F.F. and not I.E.

    Now, I just need to track down why/where the code is creating 3 different session_id()'s.

    It's pretty strange to me though, why this would be happening in Firefox and not in Internet Explorer. Why the code would be behaving different based on use of different browsers.
  14. #8
  15. No Profile Picture
    Contributing User
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Dec 2004
    Posts
    2,989
    Rep Power
    375
    Is there an extension that removes the cookies and then the server thinks that there is no cookie set so creates a new session id/cookie?
  16. #9
  17. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by we5inelgr
    Why the code would be behaving different based on use of different browsers.
    It does not. Your browser may behave differently, you may behave differently. But the PHP code does not depend on the browser. It cannot. It's impossible. The server doesn't know at all which browser you're using. You say you understand the concept, but you keep repeating this wrong idea.

    Think of client and server as two people in two different rooms separated by a big wall. They can't see each other, and they can't hear each other. There's only a small slot they can use to exchange messages written on a paper. Now, is it possible that the server behaves differently depending on whether the client is male, female, black, white, ...? No! The server knows nothing about the client except where he/she is. The server may act depending on the message or just do random stuff. And it may even look like, say, male clients and female clients are treated differently. But it's impossible. Either the messages are different, or it's just chance.

    OK, at least we know now that both browsers do send cookies. So the question is: What happens between storing the session values and using them?

    Make two scripts:

    write_session.php
    PHP Code:
    <?php

    // Start (or resume) the session; PHP issues a PHPSESSID cookie if none was sent.
    session_start();

    $_SESSION['foo'] = 'bar';

    echo 'Writing session<br />';
    echo 'Session ' . session_id() . ' should contain the following:<br />';

    var_dump($_SESSION);
    read_session.php
    PHP Code:
    <?php

    session_start();

    // Compare the ID the browser sent with the ID PHP is actually using.
    echo 'Session ID sent with cookie:<br />' . $_COOKIE['PHPSESSID'] . '<br />';
    echo 'Actual session ID used by PHP:<br />' . session_id() . '<br />';
    echo 'Content of session:<br />';

    var_dump($_SESSION);
    Delete all existing session cookies in both browsers and clear the session folder (unless there's something important in it). Visit the "write" script with both browsers and then check the cookie and the session file: Did both browsers store the session cookie? Do both sessions exist on the server and have the right content? Then visit the "read" script with both browsers: Do both browsers send the original session cookie? What's the actual session ID as used by PHP?

    Post the answers and the output of both scripts here.
  18. #10
  19. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    150
    Rep Power
    3
    okay, starting out with an empty session folder (i.e. no session files on the server).

    1. Used I.E. to run write_session.php:
    PHP Code:
    <?php
    session_start();

    $_SESSION['foo'] = 'bar';

    echo 'Writing session<br />';
    echo 'Session ' . session_id() . ' should contain the following:<br />';

    var_dump($_SESSION);
    ?>
    Results in I.E. browser:
    Writing session
    Session f0bc13353a471be978b003fb95e575c5 should contain the following:
    array(1) { ["foo"]=> string(3) "bar" }
    Contents of session file "sess_f0bc13353a471be978b003fb95e575c5" on the server:
    foo|s:3:"bar";
    Then using I.E. to immediately run read_session.php:

    Results in I.E. browser:
    Session ID sent with cookie:
    f0bc13353a471be978b003fb95e575c5
    Actual session ID used by PHP:
    f0bc13353a471be978b003fb95e575c5
    Content of session:
    array(1) { ["foo"]=> string(3) "bar" }
    Server session file "sess_f0bc13353a471be978b003fb95e575c5" remains unchanged.


    I then deleted the session file described above.

    2. Used F.F. to run write_session.php.

    Results in F.F. browser:
    Writing session
    Session 6f1b5545d78493437b5799d86e18df9e should contain the following:
    array(1) { ["foo"]=> string(3) "bar" }
    Contents of session file "sess_6f1b5545d78493437b5799d86e18df9e" on the server:
    foo|s:3:"bar";
    Then using F.F. to immediately run read_session.php:
    Session ID sent with cookie:
    6f1b5545d78493437b5799d86e18df9e
    Actual session ID used by PHP:
    6f1b5545d78493437b5799d86e18df9e
    Content of session:
    array(1) { ["foo"]=> string(3) "bar" }
    Server session file "sess_6f1b5545d78493437b5799d86e18df9e" remains unchanged.
  20. #11
  21. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    OK. So this small test worked perfectly, didn't it?

    Of course that doesn't mean the previous errors you experienced were all just an illusion. But at least you know that both browsers generally do store and send the session cookie correctly. Now you should check this on your real site. Make sure to do it step by step like this test. Do the exact same things with both browsers and always check the result afterwards. Then you should find out if and why FF loses the session cookie.
  22. #12
  23. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    150
    Rep Power
    3
    Thanks for the reply (& suggestion).

    The bigger picture was that I was trying to have a sign in page (& its action page) to be on HTTPS and then after successful sign in, send the user back to HTTP. I was on a shared cert on the server I'm on and didn't want the user to be on that shared cert the entire time. More of a cosmetic thing and potential confusion (url would have a name that wasn't my site) to the users than anything else.

    This would be similar to such sites as Yahoo, when you sign in (on HTTPS), if successful, you are back on HTTP.

    This involved storing some info about the HTTPS session info in a db table, and upon a redirect, reading that table and setting HTTP session vars. Convoluted, I know, but I had it working in I.E., but just couldn't get it working when using F.F.

    So, I went and got an SSL cert for my site. About 20-30% of the users on the site would be using HTTPS at any given time. Now I simply leave the user, who would normally sign in to the site, on HTTPS after good sign in.
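
    An added example, not part of the original thread or any poster's code: a session bootstrap for a site that stays on HTTPS after sign-in, as the last post describes. A browser returns a host-only cookie only to the host that set it and a Secure cookie only over HTTPS, so serving everything from one HTTPS host lets the session cookie be locked down. It assumes PHP 7.3 or later; SITE_HOST and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3 and an
// HTTPS-only site. SITE_HOST and both function names are hypothetical.
const SITE_HOST = 'www.example.com'; // placeholder host name

function start_secure_session(): void
{
    // Accept only server-issued session IDs, and only from the cookie.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // dropped when the browser closes
        'path'     => '/',
        'domain'   => '',     // host-only: returned only to the host that set it
        'secure'   => true,   // never sent over plain HTTP
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function complete_sign_in(int $userId): void
{
    // Issue a fresh ID at the privilege change; true deletes the old session data.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['signed_in_at'] = time();
}

function request_is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

if (PHP_SAPI !== 'cli') {
    if (!request_is_https()) {
        // Send plain-HTTP requests to the fixed HTTPS host before any session is used.
        header('Location: https://' . SITE_HOST . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
    start_secure_session();
    // After the credentials check succeeds (constructed user id for illustration):
    // complete_sign_in(42);
}
```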
