Question

I have a PHP authentication system on my website using the $_SESSION variable.

A form submits a username and password to the file "login.php". It is handled like this:

<?php include '../includes/sessionstart.inc.php'; ?>
<?php ob_start(); ?>

<?php
if($_POST){
    $q = mysql_query("SELECT id, company FROM users WHERE username = '".mysql_real_escape_string($_POST['username'])."' AND password = '".md5($_POST['password'])."'");
    if(mysql_num_rows($q) >= 1){
        $f = mysql_fetch_Array($q);
        $_SESSION['company'] = $f['company'];
        $_SESSION['id'] = $f['id'];
        $_SESSION['logedin'] = true;
        session_write_close();

        ob_clean();
        header("Location: index.php");
    }
}
?>

Afterwards, index.php is loaded and checks whether 'logedin' is true.

<?php include '../includes/sessionstart.inc.php'; ?>
<?php if(!isset($_SESSION['logedin'])) header('Location: login.php'); ?>

On my production server, it continues, but on my Wampserver, it reverts back to login.php. I notice that Wampserver is very slow in page loading; this might have something to do with it. That's why I included the session_write_close, to make sure session data is saved before the pages are switched, but it doesn't help.

The contents of session_start.inc.php are simply:

<?php
    session_start();
?>

I used to have more code in there, but at the moment it's just this. The problem also existed before I started using an include file.

Does anybody have an idea what I'm doing wrong? Why doesn't Wampserver transmit my SESSION data to the next PHP file?

Solution 5

After a long time I have fixed this bug finally.

On my localhost WAMP, the session data is not saved between page loads, because the session data is stored in a cookie, and there is no cookie domain to be set for localhost.

The solution:

'session.cookie_domain' should be set to empty string for all local domain names, not only for 'localhost' (but should not be empty for local IP addresses):

<?php
ini_set('session.cookie_domain', (strpos($_SERVER['HTTP_HOST'],'.') !== false) ? $_SERVER['HTTP_HOST'] : '');
?>

Thanks to Marcin Wiazowski who posted it here.
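
The rule from the answer above written out as a complete sessionstart.inc.php. This is an added example, not code from the original post: it strips any port and checks the client-supplied Host header against an allow-list before using it as the cookie domain. ALLOWED_HOSTS and session_cookie_domain_for() are hypothetical names, the host values are constructed, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example: sessionstart.inc.php applying the cookie-domain rule above
// without trusting the raw Host header.

// Assumption: the hostnames this site is really served under (constructed values).
const ALLOWED_HOSTS = ['localhost', 'devbox', '127.0.0.1', 'www.example.com'];

/** Return the session cookie domain for a Host header, or null to reject it. */
function session_cookie_domain_for(string $hostHeader): ?string
{
    // Drop an optional ":port"; a port is never valid in a cookie domain.
    $host = strtolower((string) preg_replace('/:\d+$/', '', trim($hostHeader)));

    // The Host header is client-controlled, so only accept known names.
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    // Dotless local names get an empty domain (host-only cookie);
    // dotted names and IP addresses keep the host, as in the answer.
    return strpos($host, '.') !== false ? $host : '';
}

$domain = session_cookie_domain_for($_SERVER['HTTP_HOST'] ?? '');
if ($domain === null) {
    http_response_code(400);
    exit('Unknown host');
}

session_set_cookie_params([
    'lifetime' => 0,            // session cookie, gone when the browser closes
    'path'     => '/',
    'domain'   => $domain,
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    'httponly' => true,         // not readable from JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');   // refuse session ids PHP did not issue
ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
session_start();
```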

OTHER TIPS

WAMP server 2 - settings are not set by default for $_SESSION var.

PHP.ini requires the following settings

C:\wamp\bin\apache\apache2.4.2\bin\php.ini
session.cookie_domain =
session.use_cookies = 1
session.save_path = "c:\wamp\tmp"   ;ensure the \ is used not /

Session testing - load.php -- load $_SESSION var.

<?PHP
session_start();
$_SESSION['SESS_MEMBER_ID'] = 'stored variable';
session_write_close();
header("location:print.php");
?>

print.php -- print $_SESSION var.

<?PHP
session_start();
var_dump($_SESSION);
?>

Run the script in your browser; var_dump() should produce results.

Go to c:\wamp\tmp. Files containing the session data will appear here.

First of all: the index logedin seems strange for keeping track of a user being logged in. Is this just a typo on SO, or really a code-typo?

Second (depending on the desired behavior), try another approach for making pages login-protected. Your page should look something like

<?php
  include 'login.inc.php';

  if(authorized()) {
    // put some more script here, if needed
    ?>
    // put some plain HTML here  
    <?php
  }
?>

Where login.inc.php handles the session and cookies. In particular, the authorized function should return TRUE if a client is already logged in. If a client is not logged in, it should display a form with action $_SERVER['PHP_SELF'] and return FALSE. If you name the submit-input something like login_submit, you can let login.inc.php handle the verification.

This way, you don't need to refer users to a dedicated login page, and after logging in, users are directly shown the requested page. You can tweak this a bit to make query-strings persistent through login as well.

Try to replace

if($_POST){...}

with

if( isset($_POST['username']) && isset($_POST['password']) ){...}

... at least for debugging purposes. It's possible that some different settings are causing a non-empty $_POST array where it's not expected.

Also, your code seems to be missing exit() calls after header() redirections. Sending an HTTP Location header doesn't automatically stop your script.
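
The two suggestions above applied to the question's login.php, as an added example that is not part of the original answer or the asker's code. It assumes PDO with the MySQL driver, placeholder connection details, and a hypothetical password_hash column filled by password_hash() in place of the md5() comparison; find_user() is a hypothetical helper name.

```php
<?php
// Added example: login.php with explicit field checks and exit after redirect.
// Assumptions: PDO/MySQL, placeholder DSN and credentials, and a hypothetical
// `password_hash` column written by password_hash() instead of md5().
include '../includes/sessionstart.inc.php';

/** Return the matching user row, or null when the credentials are wrong. */
function find_user(PDO $db, string $username, string $password): ?array
{
    // Prepared statement: the username is never concatenated into the SQL.
    $stmt = $db->prepare(
        'SELECT id, company, password_hash FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the salted hash and is safe against timing attacks.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

// Explicit field checks instead of if($_POST); is_string() rejects array input.
if (isset($_POST['username'], $_POST['password'])
    && is_string($_POST['username']) && is_string($_POST['password'])) {

    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'CHANGE_ME',
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $user = find_user($db, $_POST['username'], $_POST['password']);

    if ($user !== null) {
        // New session id at login, so an id known before login is useless.
        session_regenerate_id(true);
        $_SESSION['company'] = $user['company'];
        $_SESSION['id']      = $user['id'];
        $_SESSION['logedin'] = true;   // key spelled as in the question
        session_write_close();

        header('Location: index.php');
        exit;   // header() alone does not stop the script
    }
}
// Falling through: show the login form again (form markup not shown here).
```

The same exit belongs after the redirect in the index.php guard: without it, the protected page body is still sent to a client that ignores the Location header.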

I had this problem using WAMPSERVER for development on /localhost. I needed to change session.use_only_cookies either in-line or in the php.ini setting from

session.use_only_cookies = 1

to

session.use_only_cookies = 0

Explanation

Using default cookie-based sessions was working as expected but I needed a cookie-less solution. A test starting page:

<?php
// page1.php

ini_set('session.use_cookies', '0');
session_start();

$_SESSION['time'] = time();

echo '<br /><a href="page2.php?' . SID . '">page 2</a>';
?>

The session data was created and stored successfully in the WAMPSERVER temp directory, e.g., C:\wamp\tmp\sess_0rkdlonl5uia717rf03d4svs16. The link generated by the above code looks similar to (note the UID matches the session data file name):

page2.php?PHPSESSID=0rkdlonl5uia717rf03d4svs16

But the destination page2.php was throwing undefined errors for the variable 'time' whilst attempting to retrieve the session data:

<?php
// page2.php

ini_set('session.use_cookies', '0');
session_start();

echo date('Y m d H:i:s', $_SESSION['time']);

echo '<br /><a href="page1.php?' . SID . '">page 1</a>';
?>

By setting session.use_only_cookies FALSE in either the script before session_start();:

ini_set('session.use_only_cookies', '0');

or changing it globally in php.ini:

; This option forces PHP to fetch and use a cookie for storing and maintaining
; the session id. We encourage this operation as it's very helpful in combatting
; session hijacking when not specifying and managing your own session id. It is
; not the end all be all of session hijacking defense, but it's a good start.
; http://php.net/session.use-only-cookies
session.use_only_cookies = 0

solved the problem.

Faced the same problem but it was being caused by

session_regenerate_id(true);

So I just deleted it from my code.

Update to WAMP 2.5 and now the problem is solved!

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow