Maxwell S - 1 month ago 10
PHP Question

PHP session_start doesn't work

My issue is that, when I use session_start(); in my php code, instead of a PHPSESSID cookie being set, a cookie with blank title and value "HttpOnly" is set instead. Using var_dump($_SESSION), I see that I can set session variables and they'll display on the page, but they won't display on any other page. For what it's worth, the two pages are at: login.domain.com/index.php and login.domain.com/login. The same code works fine locally, and other php files running on different subdomains on the same server work. I can't find any info, so if anyone has any ideas, I'd love to hear them.

This is the php on index.php:

<?php
session_start();
?>


And this is the php on login/login.php

<?php
session_start();
$role = 0; //default to "guest"
$was_success = false; //default to a failed login
if (isset($_POST["user"]) && isset($_POST["password"])) { //if the post details are set then continue
    $pass = password_hash("PASSWORD", PASSWORD_DEFAULT);

    if (!isset($_COOKIE["mellifluous_loginRefer"])) {
        $arr = array(
            "Username" => $_POST["user"],
            "Error" => "No destination set!",
            "Success" => false
        );
        die(json_encode($arr));
    }

    if (password_verify($_POST["password"], $pass) && ($_POST["user"] == "USER")) {
        $was_success = true;
        if ($_COOKIE['mellifluous_loginRefer'] == "home") {
            $_SESSION['mellifluous']['home']['username'] = $_POST['user'];
        }
    }
    else $was_success = false;
    $arr = array(
        "Username" => $_POST["user"],
        "Role" => $role,
        "Success" => $was_success
    );
    if ($was_success) setcookie("mellifluous_loginRefer", "", time() - 10, "/");
    echo(json_encode($arr));
    //echo "You sent in: ";//Username: " . $_POST["user"] . " Password: ";//. $password;
}
else if (isset($_GET["user"]) && isset($_GET["password"])) {
    die("This interface has been deprecated.");
    //$pass = password_hash($_POST["password"], PASSWORD_DEFAULT);
    $arr = array("Username" => $_GET["user"]);
    echo(json_encode($arr));
    //echo "You sent in: ";//Username: " . $_POST["user"] . " Password: ";//. $password;
}
else {
    die("ERROR!");
}
?>


Many thanks in advance!

Answer

I figured it out. I had some weird cookie settings in my apache2 conf file for that site that looked weird/out of place:

     Header set Set-Cookie HttpOnly;Secure
     Header always edit Set-Cookie (.*) "$1; HTTPOnly"
     Header always edit Set-Cookie (.*) "$1; Secure"

Once I removed those lines, things worked fine.
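
The following is an added example, not part of the original question or answer: a small Python check that parses `Set-Cookie` header values the way a browser does and reports the symptom described above (a nameless cookie whose value is "HttpOnly") as well as session cookies missing the `HttpOnly` or `Secure` flags. The function names, the sample header values and the session id are constructed for illustration, and the clobbered value is assumed to be what the `Header set Set-Cookie HttpOnly;Secure` line leaves in the response.

```python
# Added example. All header values below are constructed samples,
# not captured from the asker's server.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, attributes).

    Browsers treat a first segment without '=' as a cookie with an empty
    name whose value is the whole segment, which matches the cookie the
    question describes.
    """
    segments = value.split(";")
    pair = segments[0].strip()
    if "=" in pair:
        name, _, val = pair.partition("=")
        name, val = name.strip(), val.strip()
    else:
        name, val = "", pair
    attrs = {}
    for seg in segments[1:]:
        key, _, attr_val = seg.strip().partition("=")
        if key:
            attrs[key.strip().lower()] = attr_val.strip()
    return name, val, attrs


def audit_set_cookie(value, expected_name="PHPSESSID"):
    """Return a list of findings for one Set-Cookie header value."""
    name, val, attrs = parse_set_cookie(value)
    findings = []
    if name == "":
        findings.append(f"nameless cookie with value {val!r}: header was overwritten")
    elif name != expected_name:
        findings.append(f"unexpected cookie name {name!r}")
    if name:  # flag checks only make sense for a real cookie
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"missing {flag} attribute")
    return findings


# Constructed samples (assumptions, see the lead-in).
CLOBBERED = "HttpOnly;Secure"  # assumed result of the `Header set` line
HEALTHY = "PHPSESSID=0123456789abcdef; path=/; HttpOnly; Secure"
UNFLAGGED = "PHPSESSID=0123456789abcdef; path=/"

if __name__ == "__main__":
    for sample in (CLOBBERED, HEALTHY, UNFLAGGED):
        print(sample, "->", audit_set_cookie(sample) or "ok")
```

Feeding it the `Set-Cookie` values from a real response (for example, copied from the browser's network tab) shows whether the server configuration is replacing the session cookie or merely leaving its flags off.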