session lost


#1

Hello and I hope that you are having a good day,

I am hoping that someone with session experience can help me please. I am new to php and I am trying to setup a registration page. I had a page working but now i seem to lose the session data at the final submission. I don’t want to write a book explaining the problem so I will try to keep this short.

I have read alot of data in the past two weeks. My logic about php has a different perspective than the authors of many documents. for example, I assume that a form submission will use the same page to process data. Thus php_self but many authors say to avoid php_self because of injections. So now I make my form submit to a different php page. I try to make sure that the page checks that the form was used. The submission of the form for processing, in my opinion, is an elevation of privilege, so I regenerate id. I had a working form yesterday until I added a new token. now the final submission carries no session variables. I am missing something here. Will someone please guide me down the right path?

registration requires that you agree to my privacy policy and use of session cookies or you cannot register. The EU law requires this agreement. Thus register.php starts with agree to policy and cookies.

======================================================
agree.php step one of the session registration process

<?php session_start(); session_regenerate_id(); // what if you return here from another page? shouldn't I regenerate? $ip = $_SERVER['REMOTE_ADDR']; //get ip but i'm not implementing this yet $tokenByte = bin2hex(random_bytes(32)); $tokenkey = bin2hex(random_bytes(32)); $token1 = hash_hmac('sha512', $tokenByte, $tokenkey); //set first form token to match it with session token $_SESSION['tokenmatch'] = hash_hmac('sha512', $tokenByte, $tokenkey); $_SESSION['currentip'] = $ip; //not checking this yet. just storing it for later comparison if (isset($_SESSION['tokenmatch']) { include_once 'formpage1.php'; session_write_close(); // isn't it better to close here? I'm not writing anymore session variables. } else { include_once 'problemtoken.php'; // a page to alert that I couldn't set a token, so stop the form //if the form is broken, then shouldn't I end the session? session_write_close(); $_SESSION = array(); //someone said that this statement erases the array (deletes the session data) session_destroy(); } ?>

form1.php just contains the input check box and submit button.
I also write the token:

======================================================

the submission works and I see the registration form. thus, agree.php successfully submites data to reg.php
my checkbox is named policyaccepted.

reg.php

<?php session_start(); session_regenerate_id(true); if ($SERVER["REQUEST_METHOD"] == "POST") { //otherwise GET out of here. If (isset($_POST['policyaccepted']) { if (hash_equals($_SESSION['tokenmatch'], $_POST['policytoken'])) { //everything seems to check out as the form loads // now I create new token and session variable match. in other words, a new token for the new form //the form just asks for name and email etc //i check if the token were set again. exactly the same as before but with new variable names if(isset($_SESSION['newtokenmatch'])) { include_once 'regform.php'; session_write_close(); //again. better not to leave it open? thus, i close it } else { include_once 'regformbroken.php'; session_write_close(); $_SESSION = array(); //someone said that this statement erases the array (deletes the session data) session_destroy(); } } else { //the agreement wasn't made, so show a page. since the agreement is broken, shouldn't we end the session? include_once 'regformbroken.php'; session_write_close(); $_SESSION = array(); //someone said that this statement erases the array (deletes the session data) session_destroy(); } } ====================================================== now I pass the form action to verify data php file. here is where the problem exists. the form submission successful or not is now a blank page. I've erased my code and just displayed all of the session variables and post data. all of the session variables are empty. I believe that I lost the session. am I supposed to store the old session id and assign it to the new id? what is wrong here? I don't know why the session variables are lost. Thank you for any help.

#2

I found an error in my code: I forgot a closing parenthesis to an if statement.

however, I still have a question about my use of session:
even though I regenerate_id(true), do I still need to manually delete the old session?

I am really asking if my session is secure or super vulnerable?

Thanks.