It appears that my custom session_start() is creating a new session rather than resuming the current session across pages. Here's the method:
    public function sec_session_start()
    {
        $session_name = 'sec_session_id'; // set a custom session name
        $secure = false; // set to true if using https
        $httponly = true; // this stops javascript being able to access the session id
        ini_set('session.use_only_cookies', 1); // forces sessions to only use cookies
        $cookieParams = session_get_cookie_params(); // gets current cookie params
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["domain"], $secure, $httponly);
        session_name($session_name); // sets the session name to the one set above
        session_start(); // start the php session
        session_regenerate_id(true); // regenerates the session id, deletes the old one
    }
The issue that I am encountering is in regard to the superglobal variable $_SESSION. For instance, in my login page I generate a random token to prevent CSRF attacks:
    $token = md5(uniqid(mt_rand(), true));
    $_SESSION['token'] = $token; // add randomly generated token to superglobal variable
    ...
    <input type="hidden" name="siteToken" value="$token" />
I then test for the correct token value in my php processing page:
    // check token values (prevent CSRF attacks)
    if ($passedToken != $_SESSION['token']) {
        $error = "CSRF attack detected. Please close your browser and try again.";
        $signIn->csrfAttackLog($username);
        echo $error;
        exit();
    }
The problem occurs in my php processing page:

    Notice: Undefined index: token in...

Obviously, my session variable has not been carried over. I have started another sec_session_start() in the processing page, so it's not that I have neglected to continue the session. It seems that an entirely new session has been started. I have tested the first page by "printing" the $_SESSION value.
Any input is appreciated.
EDIT: $passedToken is correct. There is an intermediate step that assigns the $_POST value to this variable.
Ok I hope I understood it right. You are trying to keep one session (with the same id, on the same cookie), just some tokens and that kind of stuff to make it more secure.
But as your last paragraph mentions, you are calling sec_session_start(); on every page request to keep the session alive, right? But did you notice that you also call session_regenerate_id(true); then? That way you delete the old session files and create an entirely new session, which will be empty.
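As an added example (not the poster's code or the answerer's fix), here is one way to restructure the start-up routine so that the session ID is regenerated only once, right after login, instead of on every request, with the CSRF token compared in constant time; it also passes the existing cookie path to session_set_cookie_params(), whose second positional parameter is the path rather than the domain. The function names and the PHP 7+ assumption are mine.

```php
<?php
// Added example: start (or resume) the session with hardened cookie flags.
// Assumes PHP 7+ and that $secure is passed as true when served over HTTPS.
function sec_session_start(bool $secure = false): void
{
    $params = session_get_cookie_params();
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    // Positional signature: lifetime, path, domain, secure, httponly
    session_set_cookie_params(
        $params['lifetime'], $params['path'], $params['domain'], $secure, true
    );
    session_name('sec_session_id');
    session_start();
    // Deliberately no session_regenerate_id() here: regenerate once at a
    // privilege change (login), not on every page request.
}

// Call this exactly once, after the user has authenticated.
function on_successful_login(string $username): void
{
    session_regenerate_id(true);                     // new ID, old file deleted
    $_SESSION['user']  = $username;
    $_SESSION['token'] = bin2hex(random_bytes(32));  // fresh CSRF token
}

// Token to embed in <input type="hidden" name="siteToken" ...>, created on
// first use so the login form itself can be protected before authentication.
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Constant-time comparison of the submitted token with the session copy;
// a missing token on either side is treated as a failed check.
function csrf_token_is_valid(?string $passedToken): bool
{
    if ($passedToken === null || empty($_SESSION['token'])) {
        return false;
    }
    return hash_equals($_SESSION['token'], $passedToken);
}

// Processing page usage (hypothetical):
// sec_session_start();
// if (!csrf_token_is_valid($_POST['siteToken'] ?? null)) { http_response_code(403); exit; }
```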