Windows Server having problems keeping my session after the next page load

Question

I'm going to share my basic configuration with hopes that somebody can clue in onto where my problem lies with my session variables. The sessions are not saving in-between page loads, and for the life of my I cannot decide why.

This is my first Windows PHP application that I'm building, so I'm at a loss right now after having tried everything I can think of.

The session save path IS WRITABLE. Verified using this code:

if (!is_writable(session_save_path()) ) {
    echo 'Session path "'.session_save_path().'" is not writable for PHP!'; 
}

The session.cookie_domain is blank (not set to anything). Again, this is correct based on my experience.

I'm using ToroPHP as my simple router. For my test, I simply route to a very simple class. You'll see it below.

Here is my Web.Config file. This is what allows me to use ToroPHP

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Toro" stopProcessing="true">
                    <match url="^(.*)$" />
                    <conditions logicalGrouping="MatchAll">
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="index.php/{R:1}" />
                </rule>
            </rules>
        </rewrite>
        <httpErrors errorMode="Detailed" />
        <asp scriptErrorSentToBrowser="true"/>
    </system.webServer>
        <system.web>
            <customErrors mode="Off"/>
            <compilation debug="true"/>
        </system.web>
</configuration>

Here is my configuration script, it's the very first thing called (besides setting my $ABS_SITE_PATH var):

error_reporting(E_ALL);
ini_set('display_errors', 'On');
//SET TIMEZONE
    date_default_timezone_set('America/New_York');

    $expireTime = 60 * 60 * 7 * 20; // 20 week expire time: seconds, minutes, days, weeks.
    ini_set('session.save_path', $ABS_SITE_PATH.'/sess');
    session_set_cookie_params($expireTime,"/",NULL, TRUE, TRUE);
    session_start();

And here is my simple test I'm performing:

class sessionTestHandler{
    public function get()
    {

        if (!isset($_SESSION['count'])) {
          $_SESSION['count'] = 0;
        } else {
          $_SESSION['count']++;
        }
        var_dump($_SESSION['count']);
    }
}

I get int(0) output to my screen on every page load, no matter what. If I var_dump the entire session variable, I get: array(1) { ["count"]=> int(0) }

If any additional information is needed I'll be happy to provide. Thanks.

UPDATE: This is across all browsers.

UPDATE 1/14: On every page load, I am outputting session_id(); and it shows a different ID on every load. So the session ID is not persistent between page loads.

Answer 1

Your code looks fine to me. I'll assume it's an error in the test procedure or a configuration error. As there comes no further information I will present some general advices:

Set the session save path before the session is started

Changing the session path should happen before the session is started:

session_save_path() needs to be called before session_start()

You might start the session unintentionally before changing the save path (e.g. session.auto_start or some session_start() somewhere in your framework). Double check that the session was not started! If it was it might be advisable to move application specific runtime configuration into a .htaccess.

Start the session before you access $_SESSION

Make sure that your session is started before you access the session for your test case.

Ensure the propagation of the session id

Check on the browser side that you use for each subsequent request the same session id. You can do this either by checking the session id in the URI or by checking the session cookie. Double check on the server side the result of session_id(). Note that session.cookie_secure can restrict does in your case restrict the session propagation to HTTPS only. If this is the case, adopt your test procedure to HTTPS or allow the session propagation by a http cookie (e.g. session_set_cookie_params($expireTime,"/",NULL, FALSE, TRUE);).

Compare the expected configuration with phpinfo()

You are making some runtime changes to the configuration. There are scenarios where those won't be applied. Compare the output of phpinfo() with your expectations. In your case check each session.* property.