Note: I have updated and rewritten my question to try and solve this issue point by point. Cheers.
I have a problem and I'm not immediately sure how to go about resolving it.
I have been building a secured login system on a HTTPS server (with a grade of "A" by SSL-labs, if that's worth anything ), and it works fine, however today it is refusing to log me in, with some debugging I have found something very odd (in my view).
I have some serious issues with session handling on the website, the different pages use the same session data (of course) and the same session /cookie settings, and they pass the information between each other correctly, BUT the behaviour of my browser appears to be as if there are two browsers visiting the same websites, using the same session data.
Symptoms - Because I have been having inconsistencies with page generated session content (unique hash token) not fitting the same data saved in the login form (as a $_POST value), I was finding that as there is only one line in the whole site that sets the value of the session, this line must be running twice. So I set a counter value in the session, on the form page as session['counter']. each time the page loads, the counter +1's. My problem is specifically with this:
Login page:
Opens page,
session hash-string is generated and saved to the post form.
session counter = counter + 1;
Form is filled in.
Login auth' page:
fails to verify the posted hash-string is the same as the session hash
string, despite there being no other cause for the session values to
change (well there must be, but I can't see it!)
But, then going back to the Login Page I see that the counter = last value + 2! Also, the counter value recorded on the session file saved on the server is always +1 to the value displayed on the login page.
Some images:
Login Form Page: Please note that this is above the HTML output and is the last place on the code where any SESSION data is edited.
Output :
Please note the number relating to the counter in image 1.
My session file, this file relates to this specific browser session and only 1 session file as I am the only browser on the site.
The string CheckDrop is the hash value to compare but the counter is at 12 rather than 11, which is displayed in image 2 above.
My site is HTTPS authed although this work is on a subdomain.
This issue has been happening for the last 3 hours but inconsistently, it magically worked for about 40 minutes earlier today (just before posting this post). but I had done nothing I could see as changing the environment.
I have previously compared phpinfo data and session setup data it all looks correct at point of browser output. It does not seem to be caused by my settings.
It happens on different browsers on my PC.
Further Work
After spending hours debugging and working through this, it appears to be a browser issue. I have renamed the pages (one page was called index while it was not defined in .htaccess as the directory listing page which may have possibly caused a browser to open it twice).
I have cleared all associated data: sessions / database records / browser history, and have come across something:
Firefox now logs in as expected, the counter is count+1 and the login works, however on Chrome the exact same log in on the same pages does not work and the browser appears to load twice, the counter = counter + 2. Chrome also leaves two records in the database at each load rather than the expected one.
Chrome version 45.0.24 Firefox version 42.0
Page double counts and runs script twice on Safari and Chrome. On Firefox, Opera and MSIE it works as intended.
Any ideas why this is occurring?
How can I go about trying to solve this problem?
