I have looked everywhere on the web, and the nuances of SESSION variables need some clarification for me.
I have a website that sets a session variable (I assume it also sets a cookie defining what the session id is? Not sure how that works), and all works perfectly. What I've found when roaming(using wifi) by cellphone, that whenever the phone switches wifi networks, the browser seems to be unable to access the session anymore until that window/tab is closed and reopened.
From what I've read the following apply, please clarify for me:
When browser windows are closed, the session cookie is destroyed, thus when I reopen it, a new cookie is created attached to the new session id. Thus allowing the session to work properly again?
If the network is switched, the server creates a new session id, but because the browser window wasn't closed, the old session cookie wasn't destroyed, and the browser tries to manipulate an expired session id (the old one the session cookie contains)? No idea if this is true, I have read a ridiculous number of pages on this and I can't find anything specific. But this is the impression I get. I have seen so many warning about
session_regenerate_id()
that I am very nervous about using it...
Any help on details about this, or ways to fix it would be extremely helpful. I am at my wit's end...
UPDATE
I am using a mypajamas script to facilitate logins. The sessions are created normally. However, after looking through the code, I found a place where a session variable is set for the $_SERVER['REMOTE_ADDR']
and $_SERVER['HTTP_USER_AGENT']
values. They are then cross referenced to ensure it's the same user on the same browser on the same IP. It was done to prevent multi-source attacks (make a hijack unlikely). The problem is when using mobile browsers, or dynamic IP's the IP can definitely change, and authentication fails.
I can't believe I couldn't figure this out, I spent hours looking for issues regarding session id's changing.
Hopefully it helps someone with a similar issue in the future. And a sincere appreciation to all who read this post, your guidance in the comments definitely helped me troubleshoot this.
EDITED CODE
class.mypajamas.php
From:
function check_ipau() { // user visits again... but is it really him? check values set above (by get_session())
if( $_SESSION['auth'.$this->_unique_id]['ip'] == $_SERVER['REMOTE_ADDR']
&& $_SESSION['auth'.$this->_unique_id]['ua'] == $_SERVER['HTTP_USER_AGENT']) {
// session data is correct -> user did not "change" ip-address or user agent (aka; hijack is unlikely)
return true;
}
else {
return false;
}
}
To:
function check_ipau() { // user visits again... but is it really him? check values set above (by get_session())
/*if( $_SESSION['auth'.$this->_unique_id]['ip'] == $_SERVER['REMOTE_ADDR']
&& $_SESSION['auth'.$this->_unique_id]['ua'] == $_SERVER['HTTP_USER_AGENT']) {
// session data is correct -> user did not "change" ip-address or user agent (aka; hijack is unlikely)
*/
return true;
/*
}
else {
return false;
}*/
}