I have moved the websites running from a standard Apache server config to a Docker container based platform with everything sat behind a (primary container) Nginx reverse proxy. Mostly this has been simple & seamless.
However, I am now troubleshooting the outlier cases. The current one is PHP sessions within another web server container...
All I have done is to create a docker container using the "php:7.2-apache" and enabling the mysqli extension. This container is pointed to the same source html/php location.
The site has a simple login function, using PHP sessions, that previously worked. The login.php page has a form that submits to itself. If user/pass variables are in the $_SESSION variable, and matches up against a database query, it should redirect the user to the actual "hidden" edit.php page. But it never gets there! Watching the log files (I have suppressed Warnings logging due to another issue to resolve...) doing the above produces a return 200 of the login.php page.
Trying to debug putting print_r($_SESSION) statements, $_SESSION is empty.
Is there something else I need to do or change to get my previous behaviour back? What else occurs / behaves differently behind an Nginx reverse proxy?
login.php code:
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Website</title>
<!-- Bootstrap -->
<link href="../css/bootstrap.css" rel="stylesheet">
<link href="../css/bootstrap-theme.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
<script src="../js/bootstrap.min.js"></script>
<script>
$(document).ready(function(){
$('[data-toggle="popover"]').popover();
});
</script>
</head>
<body>
<?php
if(empty($_SESSION)){
print("empty");
}
if(isset($_POST['submit'])){
$theuser = $_POST['username'];
$thepassword = $_POST['password'];
}
if(!empty($_POST)){
$mysqli = new mysqli('mysqlhost','user','pass','db_name');
$query = "SELECT username, password FROM users WHERE username = '$theuser'";
$results = $mysqli->query($query);
$login_ok = false;
while($row = $results->fetch_assoc()) {
if($thepassword === $row['password']){
session_start();
$_SESSION['user'] = $row;
$login_ok = true;
}
}
$results->close();
$mysqli->close();
if ($login_ok) {
header("Location: https://www.website.com/edit.php");
}
else{
print("Login Failed.");
$submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
}
}
?>
<div class="container">
more html stuff....
</div>
</body>
At the top of the edit.php file, I have:
<?php
session_start();
include 'functions.php';
print_r($_SESSION);
if(empty($_SESSION['user']))
{
header("Location: login.php");
die("Redirecting to login.php");
}
?>
But I don't think that I am even hitting this page, as there is nothing in the logs... All I see is the return 200 from login.php:
w.x.y.z - - [04/Aug/2018:09:09:09 +0000] "POST /login.php HTTP/1.1" 200 889 "https://www.website.com/login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15"
The IP address in the line above (w.x.y.x) is the internal Docker network range, if this matters(?). PHP's $_GET & $_POST variables work as expected and contain appropriate values.
EDIT: ADDED TROUBLESHOOTING / DIAGNOSTICS...
Following details found on other pages and threads, I have also checked some other aspects. As my session.save_path variable is set to "no value", it writes to /tmp within the container. I have connected to the console session and verified this directory exists and there are files within it. What other checks could or should I do, if there might be issues with this?
What other testing can I perform? Logging I can enable? etc.
