session_start is not resuming a session when a domain is used

Time:02-17

My development environment is a VirtualBox Debian VM running on Windows with Apache and PHP. I currently access it in the browser using a specific local IP 192.168.33.10. I've created these two simple test scripts:

stest1.php:

<?php
session_start();
$_SESSION['session_temp_id'] = 12345;
echo session_id();
?>
<a href="stest2.php">go to two</a>

stest2.php:

<?php session_start();
echo 'Session Info:';
echo session_id();
var_dump($_SESSION);
phpinfo();

If I access this via http://192.168.33.10/stest1.php and navigate to stest2, the session is restored and I can see the ["session_temp_id"]=> int(12345) and the same session ID, so it works when using the IP directly.

I'm setting this up to use a specific domain name locally, so I've added ServerName local.mydev.com to my Apache VirtualHost configuration, and I've added 192.168.33.10 local.mydev.com to my hosts file in Windows. When I visit http://local.mydev.com/stest1.php I see the correct page load, so it seems the configuration is working. However, navigating to stest2 gives me a different session ID with an empty array for $_SESSION.

From Chrome dev tools, I can see a cookie created for local.mydev.com whose ID persists from stest1 to stest2, but it seems for some reason session_start() can't retrieve the session from that cookie.

Here are my session settings from phpinfo() via web:

session
Session Support enabled
Registered save handlers    files user
Registered serializer handlers  php_serialize php php_binary wddx
Directive   Local Value Master Value
session.auto_start  Off Off
session.cache_expire    180 180
session.cache_limiter   nocache nocache
session.cookie_domain   no value    no value
session.cookie_httponly no value    no value
session.cookie_lifetime 0   0
session.cookie_path /   /
session.cookie_secure   0   0
session.gc_divisor  1000    1000
session.gc_maxlifetime  1440    1440
session.gc_probability  0   0
session.lazy_write  On  On
session.name    PHPSESSID   PHPSESSID
session.referer_check   no value    no value
session.save_handler    files   files
session.save_path   /var/lib/php/sessions   /var/lib/php/sessions
session.serialize_handler   php php
session.sid_bits_per_character  5   5
session.sid_length  26  26
session.upload_progress.cleanup On  On
session.upload_progress.enabled On  On
session.upload_progress.freq    1%  1%
session.upload_progress.min_freq    1   1
session.upload_progress.name    PHP_SESSION_UPLOAD_PROGRESS PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix  upload_progress_    upload_progress_
session.use_cookies 1   1
session.use_only_cookies    1   1
session.use_strict_mode 0   0
session.use_trans_sid   0   0

CodePudding user response:

I've discovered the reason I'm having this issue, and I'm going to admit I did something I should not have. I modified my example to 'simplify' the question. While I posted http://local.mydev.com what I should have posted was http://local.myCompanyWebsite.com. It turns out our production website (https://myCompanyWebsite.com) also had a session going in the browser and the cookies were in conflict.

I found that modifying the domain in my hosts file, or visiting the URL in an incognito window, caused the test scripts to work as expected.

I'm not sure if there's a way to get these to work together, or if it's better to just use a different domain. I did notice the dev cookies had PHPSESSID and production had __utmc. I'm not sure what causes this, since both instances list PHPSESSID as session.name.
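An added example, not part of the original answer: a check for the kind of cookie conflict described above, plus a dev-only session setup that avoids it. It assumes the conflict comes from a cookie scoped to the parent domain that shares a name with the dev session cookie; the session name DEVSESSID, the function names and the sample header are constructed for illustration.

```php
<?php
// Added example, not code from the original posts.

/**
 * Return the cookie names that occur more than once in a raw Cookie header.
 * A browser sends both a host-only cookie for local.myCompanyWebsite.com and
 * a cookie set with Domain=myCompanyWebsite.com to the subdomain, so two
 * cookies with the same name can arrive in a single request.
 */
function duplicate_cookie_names(string $rawHeader): array
{
    $counts = [];
    foreach (explode(';', $rawHeader) as $pair) {
        $name = trim(explode('=', $pair, 2)[0]);
        if ($name !== '') {
            $counts[$name] = ($counts[$name] ?? 0) + 1;
        }
    }
    $dupes = array_filter($counts, function ($n) { return $n > 1; });
    return array_keys($dupes);
}

/**
 * Start a session that cannot collide with a parent-domain session cookie:
 * a distinct cookie name, and an empty domain so the cookie is host-only.
 */
function start_dev_session()
{
    session_name('DEVSESSID');                          // hypothetical dev-only name
    session_set_cookie_params(0, '/', '', false, true); // '' domain => host-only, HttpOnly on
    session_start();
}

if (PHP_SAPI === 'cli') {
    // Constructed sample header with two PHPSESSID values in one request.
    $sample = 'PHPSESSID=aaa111; __utmc=1234; PHPSESSID=bbb222';
    print_r(duplicate_cookie_names($sample));
} else {
    // In a web request, inspect the header exactly as the browser sent it.
    $dupes = duplicate_cookie_names($_SERVER['HTTP_COOKIE'] ?? '');
    if ($dupes) {
        error_log('Duplicate cookie names: ' . implode(', ', $dupes));
    }
    start_dev_session();
}
```

Comparing the raw header with what Chrome dev tools lists for the page shows whether a second cookie of the same name is being sent from the parent domain.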

CodePudding user response:

Unconditionally calling session_start() does exactly what it says: it starts a new session without any if or then; always check for the session ID first. Also make sure that the cookie domain has been set up properly (this value might not match). For reference: setcookie().