doudeng3008 2016-08-25 11:57
Views: 55
Accepted

PHP session not invalidated after destroy/reset, stays alive

I have found a strange issue on my server (PHP 5.4.0, Apache) regarding session handling in PHP.

I have a function that starts the session. It contains the following code and is always called before anything else in my application:

static function startSession()
{
    $httponly = true;
    $secure = true;

    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        exit();
    }

    session_name("my_session");

    $cookieParams = session_get_cookie_params();

    session_set_cookie_params(
        60*60,
        $cookieParams["path"],
        $cookieParams["domain"],
        $secure,
        $httponly
    );

    session_start();
}

Then there is a login procedure which does something like this:

$_SESSION['key1'] = 'some value';

session_regenerate_id(true);

And finally there is a logout function:

static function logout()
{
    $_SESSION = array();

    $params = session_get_cookie_params();

    setcookie(
        session_name(),
        '',
        time() - 42000,
        $params["path"],
        $params["domain"],
        $params["secure"],
        $params["httponly"]
    );

    return session_destroy();
}

Now to the issue: when I log in, the following happens:

startSession();
...
$_SESSION['key1'] = 'some_value';
...

Some time later I call:

logout();

session_destroy() returns true and $_SESSION is reset. Everything is fine.

I then retest the request by sending the session cookie again to request some information, and the session is alive again. All the information is still there.

On the server I can see a session file that is generated:

sess_ : 394B

I have the following session setup:

ini_set('session.hash_function', 'sha512');
ini_set('session.entropy_file', '/dev/urandom');
ini_set('session.entropy_length', 256);
ini_set('session.use_trans_sid', 0);
ini_set('session.use_only_cookies', 1);
ini_set('session.cookie_lifetime', 0);
ini_set('session.use_strict_mode', 1);
ini_set('session.cache_limiter', 'nocache');

my session_save_path() is somewhere in /var/www/html/sites/....

What am I missing or doing wrong?

Thanks in advance

Dennis


1 answer

  • douxian8883 2016-08-26 08:45

    OK, I found the solution myself. I should have added that I am sending requests from iOS using Objective-C.

    For all requests I was sending the cookie with the request.

    The problem was that the logout wasn't sending the cookie. So I requested the logout function. As said, all requests started a session. Then I reset the session and destroyed it.

    That means:
    request login - generates session abc123
    request logout - generates new session xyz456
    log out session xyz456
    abc123 stays logged in.

    So my advice is, make sure you are destroying the right session :)

    This answer was selected as the best answer by the asker.
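The lifecycle the answer describes, modelled as an added example (not code from the post, and a simplified stand-in for PHP's file-backed session store, not its real implementation): a logout request that carries no session cookie makes session_start() create a fresh session, so the destroy hits the new id and the logged-in session survives. The `logout_strict` variant is an assumed hardening that only destroys a session the client actually presented and reports failure otherwise.

```python
import secrets

class SessionStore:
    """Constructed model of PHP's session files: one dict entry per sess_<id>."""
    def __init__(self):
        self.sessions = {}  # sid -> session data

    def start(self, cookie_sid):
        # session_start() with use_strict_mode: resume the presented id only if
        # it exists on the server; otherwise a brand-new session is created.
        if cookie_sid is not None and cookie_sid in self.sessions:
            return cookie_sid
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def destroy(self, sid):
        self.sessions.pop(sid, None)

def login(store, cookie_sid):
    sid = store.start(cookie_sid)
    store.sessions[sid]["key1"] = "some value"
    return sid  # sent back to the client as the my_session cookie

def logout_naive(store, cookie_sid):
    # The post's logout: destroy whatever session this request resolves to,
    # even if that is a session created a moment ago by session_start().
    sid = store.start(cookie_sid)
    store.destroy(sid)
    return sid

def logout_strict(store, cookie_sid):
    # Assumed hardening: refuse when no known session cookie was presented, so
    # the only session that can be destroyed is the caller's own.
    if cookie_sid is None or cookie_sid not in store.sessions:
        return None
    store.destroy(cookie_sid)
    return cookie_sid

def scenario(logout, send_cookie):
    """Log in, then log out with or without the cookie; report what happened."""
    store = SessionStore()
    sid = login(store, None)
    destroyed = logout(store, sid if send_cookie else None)
    return {"login_sid": sid, "destroyed": destroyed,
            "login_still_alive": sid in store.sessions}
```

Run `scenario(logout_naive, send_cookie=False)` to see the answer's abc123/xyz456 situation: the destroyed id differs from the login id and the login session is still alive.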
