PHP Session ID changing on every request

Question

I have just migrated my application from a local WAMP to the actual online server. This has caused trouble with the session ID not being saved as it appears.

• I

Answer 1

You should first start session to use session_* functions. So first thing you need to do is:

session_start();

then you can ask for session id like this

$id = session_id();

Note that its not recommended to save sessions in public folder that is available to public since visitors could find folder where you save sessions and list all of them. Then they could inject session cookie into their browser and take control of other visitors user accounts. If you really need to do this, limit access to your /tmp folder. For example put .htaccess file in that folder with this code

Deny from all

Or find any other way to disable users to browser your /tmp folder since this can be security problem.

If you want to change session id on every request, for security reasons, you can use session_regenerate_id function

You would do something like this:

session_start();
session_regenerate_id();
// Do other things you want with sessions.

This way, even if someone steals your session cookie, session id would be changed on every request. And this could be your problem. There is a way for PHP to regenerate new session id on every request, so this might be the thing that bothers you.

As far as setting php.ini directives, you should check if your hosting provider allowed you to change .ini directive you are trying to change. It depends on server setup if you can change .ini directive or not. And the way sessions behave can be different from hosting to hosting, depending on how their server setup. Most of the things can be changed using php functions or using ini_set with this list of directives php.ini directives