Session not started. Wrong session settings?

Question

I found these session settings on the Security SO, but since I've been using it, it came to my attention that my session variables weren't set on every request. I var_dumped the session_start() but it returned true. So it must be some of these settings that are making this happen.

Is there anything with my session settings?

//enable user sessions
ini_set('session.cookie_httponly', 1);           //helps mitigate xss
ini_set('session.session.use_only_cookies', 1);  //prevents session fixation
ini_set('session.entropy_file', "/dev/urandom"); //better entropy source
ini_set('session.cookie_lifetime', 0);           //smaller exploitation window for xss/csrf/clickjacking...
ini_set('session.cookie_secure', 1);             //owasp a9 violations

session_start();

//create and tie csrf token to session
if (!isset($_SESSION['token'])) {
    $alnumGen = new AlnumGen();
    $_SESSION['token'] = $alnumGen->generate();
}

Answer 1

The issue lies with ini_set('session.cookie_secure', 1);. Because you are testing on localhost, unless you have installed your own self signed certificate, your connection is not secure. Since you have told PHP only to send the cookie over a secure connection, no cookie is sent.

Your solution could be:

1. Remove that setting entirely
2. Comment it out for development and re-enable it when you push to production
3. Use an if/else statement to determine if you are on localhost or in production and enable that setting accordingly