I have set up a local webserver and put in a project I've been working on (the code was already working).
The problem I see is that session_start() ignores the already created sessions and keeps creating new ones (I can see a new session file every time I click a link or refresh the page), even though the session variables do get written into the file.
The sessions folder is owned by the http user (the default one in the php-fpm config).
This is the session config from php.ini:
; Session data is stored as one file per session ID under save_path.
session.save_handler = files
session.save_path = "/srv/http/sessions"
; Strict mode: a session ID the server did not issue is not accepted; a new ID is generated instead.
session.use_strict_mode = 1
session.use_cookies = 1
; NOTE(review): cookie_secure = 1 marks the session cookie as Secure, so a browser normally
; returns it only over HTTPS. If the local server is reached over plain HTTP, each request
; would arrive without the cookie and get a fresh session file - verify how the site is served.
session.cookie_secure = 1
; Session IDs are accepted from cookies only, never from the URL.
session.use_only_cookies = 1
; The code on this page overrides this name with session_name('session_id').
session.name = PHPSESSID
session.auto_start = 0
; Lifetime 0: the cookie lasts until the browser is closed.
session.cookie_lifetime = 0
session.cookie_path = /
; Empty domain: the cookie is scoped to the host that set it. The code on this page overrides
; this with a hard-coded domain through session_set_cookie_params().
session.cookie_domain =
; HttpOnly keeps the cookie out of reach of client-side script.
session.cookie_httponly = 1
session.serialize_handler = php
; Garbage collection runs with probability gc_probability / gc_divisor (1 in 1000 here) on
; session start; session data older than gc_maxlifetime seconds (1440 = 24 minutes) may be removed.
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
; Session IDs are never rewritten into URLs.
session.use_trans_sid = 0
; hash_function = 0 selects MD5 for session ID generation. Both hash_* settings were removed
; in PHP 7.1 in favour of session.sid_length and session.sid_bits_per_character.
session.hash_function = 0
session.hash_bits_per_character = 5
Does anyone know what's going on?
This is the function that starts the session:
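/**
 * Configure the session cookie and start (or resume) the PHP session.
 *
 * Forces cookie-only session IDs, sets the cookie name, domain, Secure and
 * HttpOnly attributes, starts the session, and rotates the session ID once
 * the session is more than 30 minutes old.
 *
 * NOTE(review): the cookie is issued with the Secure flag for the hard-coded
 * domain 'domain.com'. A browser normally returns such a cookie only over
 * HTTPS and only to a matching host, so on another host or over plain HTTP
 * every request would arrive without a session ID and session_start() would
 * create a fresh session each time - confirm both values match how the site
 * is actually served.
 *
 * @return string|null Error message when the session could not be set up,
 *                     null on success.
 */
public static function sec_session_start() {
    // Refuse to fall back to session IDs carried in URLs.
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        return 'Error: Cannot create new user session.';
    }

    $session_name = 'session_id';
    $domain = 'domain.com';
    $secure = TRUE;   // cookie is only sent over HTTPS
    $httpOnly = TRUE; // hides the cookie from client-side script; limits theft through XSS

    // Keep the configured lifetime and path, override domain, Secure and HttpOnly.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams['lifetime'], $cookieParams['path'], $domain, $secure, $httpOnly);

    // The name must be set before session_start() so the matching cookie is read.
    session_name($session_name);

    // session_start() reports failure through its return value; surface it the
    // same way as the ini_set() failure instead of continuing without a session.
    if (session_start() === FALSE) {
        return 'Error: Cannot create new user session.';
    }

    if (!isset($_SESSION['CREATED'])) {
        $_SESSION['CREATED'] = time();
    } elseif ((time() - $_SESSION['CREATED']) > 1800) {
        // Session started more than 30 minutes ago: issue a new session ID and
        // delete the old session so a captured ID stops being usable.
        session_regenerate_id(TRUE);
        $_SESSION['CREATED'] = time(); // update creation time
    }

    /*
    Inactivity timeout, currently disabled:
    $hasExpired = FALSE;
    if (isset($_SESSION['staff_id'], $_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY']) > 9999) { // 300 (5 mins)
        // last request was more than 5 minutes ago
        $_SESSION = array(); // unset $_SESSION variable for the run-time
        $params = session_get_cookie_params(); // Get session parameters
        setcookie(session_name(), // Delete the actual cookie
            '',
            time() - 3600,
            $params["path"],
            $params["domain"],
            $params["secure"],
            $params["httponly"]);
        session_destroy(); // destroy session data in storage
        $hasExpired = TRUE; // now we know the user has lost his session for inactivity
    }
    $_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
    */
    //return $hasExpired;
}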