1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 3:47 am May 2, 2026

Forum Moderators: coopster

Message Too Old, No Replies

session_id seems to revert back to original

         

jackvull

2:54 pm on Jan 19, 2006 (gmt 0)

10+ Year Member



Hi
I have some classes and functions that change the session_id when a user logs in.
Unfirtunately, it seems to regenerate the session but it reverts back somehow and I can't find the bug in my code?
Any ideas:

The following is the class I use:
-------------------------------------------------------
class SessionManagement
{

function changeSessionID ()
{
global $user;
$u = $user;

$testsess = session_id();
trigger_error("changeSessioNIDOld:".$testsess);

// copy the old session data
$oldsess = session_id();
$_SESSION['oldsess'] = $oldsess;
$oldSessionData = $_SESSION;
trigger_error("User:".$_SESSION['UserLoggedIn']);

// destroy and recreate the session
session_destroy();
session_start();
session_regenerate_id();
$newsess = session_id();

// copy the data back to the session
$_SESSION = $oldSessionData;

$result = mysql_query("UPDATE PW
SET SessionID = '".$newsess."',
IP = '".$_SERVER['REMOTE_ADDR']."',
Attempts = 0
WHERE CustomerID = '".$u."'")
or trigger_error(mysql_error());
$testsess = session_id();
trigger_error("changeSessioNIDNew:".$testsess);
trigger_error("User:".$_SESSION['UserLoggedIn']);

}
}

Now when I do this in my login page it swaps the session over correctly and I can see this in the error file I have which records from trigger_error (I'm only doing it this way for the moment, I realise it's not an error):
-------------------------------------------------------
$user = $res[0];
$sess = session_id();
$_SESSION['UserLoggedIn'] = $user;
$clsSession->changeSessionID();
$testsess = session_id();
trigger_error("Login:".$testsess);

header('location:index.php');
exit();

So it then redirects the user to index.php which has this at the top of the code:
-------------------------------------------------------
include("session.php"); //which has a session_start() in it
$testsess = session_id();
trigger_error("Index:".$testsess);

and the results are:
-------------------------------------------------------
changeSessioNIDOld:78adc996b95666fa7f73ad04009a9e28"
User:1
changeSessioNIDNew:f93bb49c7864a7ed5f8d836c3106395a"
User:1
Login:f93bb49c7864a7ed5f8d836c3106395a
Index:78adc996b95666fa7f73ad04009a9e28

Am I doing something wrong in the class function - I can't work out why the Index has the old session.

Mr_Fern

10:01 pm on Jan 19, 2006 (gmt 0)

10+ Year Member



Why are you destroying and restarting the session to change the session id?

session_regenerate_id() will replace the current session id and keep the session data.

You're doing more work than necessary.

As for the session id reverting back to the old one, that would be a cookie issue. The new id is not being set in the PHPSESSID(or whatever the session name is) cookie, and the old one persists.

My first suggestion is to get rid of the clutter (copying the old session, destroying session, recreating session, pasting old session) and just use session_regenerate_id() which is supposed to do all you're trying to accomplish already.

If after that suggestion doesn't work, try adding the following after session_regenerate_id():
setcookie(session_name(), session_id(), 0, '/');

That code should overwrite the session cookie with the new session id so that it should propogate to the next page.

jackvull

1:14 pm on Jan 20, 2006 (gmt 0)

10+ Year Member



Thanks.

The cookie set doesn't seem to make a difference. It still reverst to the old session ID.

Not sure that I'm using cookies at the moment though. I have this to start my sessions:
ini_set("url_rewriter.tags","");
ini_set("session.use_trans_sid", false);
session_start();

jackvull

1:19 pm on Jan 20, 2006 (gmt 0)

10+ Year Member



The pages are logging me in correctly and updating the database with the new session id, but as it reverst back to the old session (which should have been destroyed anyway?), none of the other pages maintain the state for me as they are looking at this old session id.

jackvull

1:25 pm on Jan 20, 2006 (gmt 0)

10+ Year Member



Is there anyway that sending a header would mess this up.
All I can see is that my login script validates the user, changes the session and then sends a header...at which point the next page picks up the old session.

jackvull

2:28 pm on Jan 20, 2006 (gmt 0)

10+ Year Member



Also, when the old session is destroyed, shouldn't the file disappear from the PHP sessiondata folder or does it just stay there for a certain time period?

jackvull

10:23 am on Jan 23, 2006 (gmt 0)

10+ Year Member



Bump.
Really need help on this or some ideas please?
I've tried this before writing the header in the login script:
session_write_close();
and that doesn't help either. The new session ID is not be in passed across somehow.

coopster

3:22 pm on Jan 23, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Sessions are just a way to maintain state between reads to and from a website. Since HTTP is a stateless protocol (connect to server --> get page from server --> disconnect from server) you may often times want to carry information through a particular user *session* and that is when you employ the method being discussed.

A unique token is assigned a user and the user keeps it with them in their browser either via a cookie or a value that is passed inside each request through hidden form fields or appended to the url in the address. The same token is used to identify a file on the server. When the PHP page sees a session_start() function, it matches the two up and opens the file with the associated name provided by the user request. Your script then reads, updates or deletes data from that session file to be used in the next step of their session processing request.

Have you read up on PHP sessions [php.net] yet? It seems as though you are struggling with some of the configuration directives and exactly how session management works. That page will take some time to read and absorb, including the links on the page, but it is a must read in order to get PHP sessions straight.

jackvull

4:03 pm on Jan 23, 2006 (gmt 0)

10+ Year Member



Hi
Thanks for the reply.

The problem I'm having is that I am trying to change the session id when a user authenticates themself. This is good for security and to prevent hacking.
However, the session_id is changed successfully when they authenticate but as soon as I redirect the user to a different page through use of the header function, the session_id reverts back to the original.
So:
- user opens browser with my domain
- sessionID z4577878ghhjsghs8 allocated
- user logs in successfully and the session ID is changed to sessionID dhdg8763863hj3g3h
- my script then redirects them to another page. However this page picks up the first session z4577878ghhjsghs8 instead of the new one and none of the variables are in that session anymore because it was destroyed by my other script using session_regenerate_id()

jackvull

4:15 pm on Jan 23, 2006 (gmt 0)

10+ Year Member



Really, I'm just wondering if there's a good method that I could try to work out what is going wrong.
For example, could I turn off the cookies in the PHP.ini and try some methods that way?
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 3:47 am May 2, 2026