_Session stopped working after upgrade to php 5.5.6

Hello

I have an Asustor AS5102T which recently was upgraded and got PHP 5.5.6.
This made my php based web frontend for my database (mysql) to stop working.

I think it is related to _Sessions, but am not sure. The Firefox debugger just gives an “internal server error” but no other clues. I do find the cookie as generated; the only thing I wonder about here is the PATH, which is set to “/” and nothing more. Name is PHPSESSID.

In the code below, which is the login for my database web frontend, when removing the entire php block the form appears as it should. Removing only one line at a time does not help. Even if only leaving <?php and its exit, the form will not appear. The entire block has to be removed. Then strange things happen when I put the php block back in. It works, apparently. The form appears but it does not log in as it should when user creds are given.

Now it starts to give an error on other pages instead.

Before doing anything more, have there been any changes in 5.5.6 since … I think it was 5.5.4??

The following snip is the login page which fails (login.php)
[php]

<?php include '../www_includes/functions.php'; sec_session_start(); ?>

Enter credentials:

User: Password:
[/php]

The following shows how sec_session_start() is defined.
Note: see attached file (extension renamed to txt, was php) for the entire file
[php]
function sec_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure = SECURE;
    // This stops JavaScript being able to access the session id.
    $httponly = true;
    // Forces sessions to only use cookies.
    // ini_set() returns the old value on success, so compare strictly against false.
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        header("Location: …/www/call.php?target=error&error=Could not initiate a safe session (ini_set)");
        exit();
    }
    // Gets current cookies params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
        $cookieParams["path"],
        $cookieParams["domain"],
        $secure,
        $httponly);
    // Sets the session name to the one set above.
    session_name($session_name);
    session_start(); // Start the PHP session
    session_regenerate_id(); // Regenerate the session ID (the old session is kept unless true is passed).
}
[/php]


functions.txt (8.61 KB)

Well, what error actually is displayed on the page? Have you set your error levels to show the errors?
If not, add these commands at the top of the page:
[php]
error_reporting(E_ALL);
ini_set("display_errors", 1);
[/php]
Then reopen the page and see what errors you get. Also, I found a post on one of PHP.net’s pages that says
you “MUST use session_name() first if you want to use session_set_cookie_params() to, say, change the session timeout. Otherwise it won’t work, won’t give any error, and nothing in the documentation (that I’ve seen, anyway) will explain why.” So, it might just be that you are creating a new session, but, previously are
saving the cookie. Not sure.
I read this at: http://php.net/manual/en/function.session-name.php
Not sure if this helps…

I already have session_name in a top script which includes for example login.php. This has also been working for a looong time now. The problem arose only after upgrading to 5.5.6.

However, I was not aware of the error reporting utility. I am kind of self-taught in PHP and there are a lot of things I do not know, so I am very grateful for that.

The errors shown are all related to undefined indexes or undefined constants, so I have tested a bit and got most of the code working by simply defining them. However, I do find it a bit strange that this worked earlier.

Is there a setting in php.ini that would allow for undefined indexes and constants and which I might have lost when upgrading? I never use any of the listed undefined variables without setting them inside any function first anyway, so there will never be a problem with uninitialized variables as might happen in ANSI C.

The constant is defined as $SECURE="TRUE"; but I still get the following error. Maybe this is not a constant but a variable??

Notice: Use of undefined constant SECURE - assumed 'SECURE' in functions.php on line 11

The function.php is of course not my own code; it was taken from a tutorial discussing a safe way to log in to a database etc… I think it was from “wikihow”.

Could it be that the old php.bin had a set of constants that 5.5.6 does not? The upgrade was out of my control as it was a part of the firmware upgrade for my Asustor NAS box, so I do not have any copy of the old ini.

Redefined SECURE using the following method:

define ("SECURE", "TRUE");

And then that warning went away.

My problems seem to be related to $_SESSION indexes that do not exist. I think it might have something to do with where sessions are stored, or rather should be stored, and that this has something to do with php.ini and what is enabled and what is not. The reason for believing this is that I really do not know what I am talking about. :o

Well, that's partly true at least. I find several threads in other forums regarding undefined index for $_POST and $_GET arrays, and the solution is that you should test these by using isset(). And if not set you should not try to get their values. However, the case here is that the session should have been started and it should be perfectly valid for me to get the $_SESSION index values. This is because starting the session did not return any error, and the $_SESSION array with all its indexes should therefore have been valid. And this part of the code has been working before.

I therefore believe that the sessions are not stored properly, or maybe I miss some permissions, or maybe I really do not have a clue. Below is the default php.ini file. Scroll down to see session related settings.

Any help is appreciated.

[php]
[PHP]
engine = On
short_open_tag = On
asp_tags = Off
precision = 14
serialize_precision = 17
y2k_compliance = On
allow_call_time_pass_reference = Off
disable_functions =
disable_classes =
expose_php = On
memory_limit = 128M
variables_order = "GPCS"
request_order = "GP"
auto_globals_jit = On
register_argc_argv = Off
register_long_arrays = Off
post_max_size = 10M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
doc_root =
user_dir =
file_uploads = On
upload_max_filesize = 10M
max_file_uploads = 20
sql.safe_mode = Off
safe_mode = Off
safe_mode_gid = Off
safe_mode_include_dir =
safe_mode_exec_dir =
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH
error_reporting = E_ALL & ~E_DEPRECATED
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
html_errors = Off
unserialize_callback_func =
output_buffering = 4096
implicit_flush = Off
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 60
enable_dl = Off
max_execution_time = 60
max_input_time = 60
magic_quotes_gpc = Off
magic_quotes_runtime = Off
mail.add_x_header = On
SMTP = localhost
smtp_port = 25
define_syslog_variables = Off
upload_tmp_dir = /volume1/.@tmp

[BCMath]
bcmath.scale = 0

[Date]
date.timezone = Europe/Amsterdam

[exif]

[filter]

[iconv]

[mbstring]

[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off

[PCRE]

[Session]
session.save_handler = files
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.bug_compat_42 = Off
session.bug_compat_warn = Off
session.referer_check =
session.entropy_length = 0
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

[soap]
soap.wsdl_cache_enabled = 1
soap.wsdl_cache_dir = "/volume1/.@tmp/"
soap.wsdl_cache_ttl = 86400
soap.wsdl_cache = 1
soap.wsdl_cache_limit = 5

[ZLib]
zlib.output_compression = Off

[/php]
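A way to test the storage theory from the post above, as an added example that is not code from the thread or from the tutorial: the posted php.ini uses the `files` handler and lists no `session.save_path`, so this script reports which directory PHP actually uses, whether it is writable, and whether a value survives a close and reopen of the session. The function name `check_session_storage` and the `probe` key are assumptions made for the example.

```php
<?php
// Added diagnostic, not from the thread. Request it through the web server
// (not the CLI) so it runs with the same php.ini and user as the failing pages.
error_reporting(E_ALL);
ini_set('display_errors', '1');
header('Content-Type: text/plain');

function check_session_storage()
{
    $report = array();
    $report['save_handler'] = ini_get('session.save_handler');

    // With an empty session.save_path the files handler falls back to the
    // system temporary directory.
    $path = session_save_path();
    if ($path === '') {
        $path = sys_get_temp_dir();
    }
    // save_path may be "N;/path" or "N;MODE;/path"; the directory is the last field.
    $parts = explode(';', $path);
    $dir = end($parts);
    $report['save_dir'] = $dir;
    $report['dir_exists'] = is_dir($dir);
    $report['dir_writable'] = is_writable($dir);

    // Round trip: write a value, close the session, reopen it, read it back.
    session_start();
    $_SESSION['probe'] = 'ok';
    $id = session_id();
    session_write_close();

    $_SESSION = array();
    session_id($id);
    session_start();
    $report['round_trip'] = isset($_SESSION['probe']) && $_SESSION['probe'] === 'ok';
    unset($_SESSION['probe']);
    session_write_close();

    return $report;
}

foreach (check_session_storage() as $key => $value) {
    echo $key, ': ', var_export($value, true), "\n";
}
```

If `dir_writable` or `round_trip` is `false`, the undefined `$_SESSION` indexes come from storage rather than from the login code.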

Ooops I misinterpreted this information and was thinking of session_start(). Never mind. In the function sec_session_start() I put session_name($session_name); before session_set_cookie_params(…) to test to see if it had any effect. It did not. As mentioned this is not my own code, it was taken from wikihow (found the url: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL) …

There is nothing wrong with your login page. If you run it just as you posted it, do you still get the internal server error issue?

IF SO,
You need to look at the server error log to find the issue. This could be many things, including but not limited to PHP.

Zain, sorry to keep you hanging on… I am sickly with a horrible cold and in bed a lot. Back somewhat now…

The $_SESSION issues are most likely due to the session being turned off. It must be started as the very first
line of PHP code. You need to have “session_start();” as the first line of code on EVERY page that uses the
session array. If it is missing from the top of the page, all session[] variables will be null and not exist.
NOTE: If the session_start() command is in the function’s included file, then you would want that at the top
of every page so that the session would be started on each page. Hope that makes sense to you.

If this is the case, a missing start command for the session, then the undeclared session variables might really
be there somewhere, but, just not showing due to the session not being valid. If you create a session variable
such as, let’s say, " $_SESSION["username"]=$query_results["username"]; " and the session was never
started, this variable would be NULL and would throw an error. Just an example to explain it further.
And, if this variable is needed on page#2 or page#23, the session_start(); must be on those pages as the
first command. Further reading on this: http://www.w3schools.com/php/php_sessions.asp

Check that out and let us know if it helps you out…
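The points raised in this thread, put together as an added example (not the tutorial's or any poster's code): `SECURE` is defined as a real boolean before first use, the session name is set before the cookie parameters as the quoted PHP.net note advises, and `$_SESSION` is read through `isset()` so a missing key gives a default instead of an "Undefined index" notice. The helpers `session_value` and `mark_logged_in`, and deriving `SECURE` from `$_SERVER['HTTPS']`, are assumptions of this sketch.

```php
<?php
// Added example. SECURE mirrors the constant used in the thread's
// functions.php; deriving it from the request scheme is an assumption.
if (!defined('SECURE')) {
    define('SECURE', !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
}

function sec_session_start()
{
    // ini_set() returns the previous value on success, so only a strict
    // comparison with false detects a failure.
    if (ini_set('session.use_only_cookies', '1') === false) {
        throw new RuntimeException('Could not force cookie-only sessions');
    }
    session_name('sec_session_id');
    $p = session_get_cookie_params();
    // Last two arguments: Secure flag, then HttpOnly (hidden from JavaScript).
    session_set_cookie_params($p['lifetime'], $p['path'], $p['domain'], SECURE, true);
    if (!session_start()) {
        throw new RuntimeException('session_start() failed');
    }
}

// Hypothetical helper: read a session key without raising "Undefined index".
function session_value($key, $default = null)
{
    return isset($_SESSION[$key]) ? $_SESSION[$key] : $default;
}

// Hypothetical helper: call once, right after the credentials were verified.
function mark_logged_in($username)
{
    session_regenerate_id(true); // new ID; true deletes the old session data
    $_SESSION['username'] = $username;
}

// At the top of every page that uses the session, before any output:
sec_session_start();
$user = session_value('username');
echo $user === null
    ? "Not logged in\n"
    : 'Logged in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . "\n";
```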
