Thread: session in iFrame loses session data

  1. #1
    Join Date
    May 2010
    Location
    Sacramento, CA
    Posts
    91
    Thanks
    23
    Thanked 2 Times in 2 Posts

    session in iFrame loses session data

    I'm sure there are some experienced PHP coders that have dealt with this pain in the @ss topic!

    I have a page index.php and within that page loads an iframe where all the content is navigated through for the site. I use sessions for a login.

    This is not the typical IE6&7 problem where the session cookie does not pass to the iFrame because IE is treating the iframe as a third party 'new instance' of IE.... BECAUSE IT DOES IT IN ALL BROWSERS!

    The problem: Logging in is fine. Displaying the session data/variables inside the iFrame is fine. But sometime within 5-15 minutes, no matter if the window is sitting still or you're navigating through pages that are correctly calling session_start() etc etc., the code I have written at the top of all pages to send to the login screen if there is no session data kicks in! So it's as if the session data disappears on its own in that 5-15 min time period... Like I said, it does this in Firefox as well as IE.

    I have a feeling it's something to do with my hosting? I have cpanel w/ h*stgat*r, and don't even know where to begin to debug this problem!

    ANY help is appreciated.
    Last edited by crobinson42; 03-01-2012 at 05:02 PM.

  2. #2
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,156
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Figuring out sessions and/or cookies can be tricky, since they seem to expire randomly (at least until you figure out exactly what is going on).


    They should *not* expire if you're actively using the site. Remember that session_start() should be included on every page of your site (even if you're not using sessions), meaning that the session will be preserved each time the page loads.

    So if sessions time out after 15 minutes, then all the user needs to do is load any page on your entire site every 15 minutes. Any longer than that, and the session will end.

    Debugging that will be horrible because you'll need to wait 15 minutes.

    So here are the three ideas I have:
    1) Again, just make sure session_start() is really on every page.
    2) Create some sort of auto-loader (ajax? meta refresh?) that keeps the session active. This should be able to be on any page, wherever you want. As long as one page is refreshing every few minutes, the rest should maintain the session that way also.
    3) Extend the expiration time for sessions. See below.


    Sessions are not controlled as "sessions" but instead by cookies. The session ID cookie (like any other cookie) has an expiration time (or can be left blank to end when the current browser session-- window-- is closed). If you want sessions to last longer, then you can configure the session cookie to have a long expiration, such as 10 years from now (unrealistic, but that will make it never expire because of the expiration time, at least).

    You should be able to do that at runtime with this:
    http://php.net/manual/en/function.se...kie-params.php
    Or use .htaccess or php.ini to make it permanent on your system.

    It might be because of your host, but if they give you access to change it, it's fine.


    Remember though that this is actually a potential security problem (you wouldn't want your session cookie for your bank's website to never expire), so just be careful with that. This is one reason that some websites allow the user to decide how long the login should last (15min? 1hr? never expire?) in a dropdown.


    As a more specific answer to your problem, I really can't say what's going on without seeing all of the code. But one easy way to test this is to setup a new page with sessions and test that. Don't use iframes, don't use anything complex. Just refresh the page every few minutes. Then see if the session stays active. If so, maybe it's a problem with the iframes setup (not sure how, but might be).


    Important note: sessions use cookies, which are locked to one domain. So if by chance your iframes are on a different subdomain (something.yoursite.com) then this will NOT work with sessions. If that's the problem, reply here and we'll see what can be done. You can also (with the info above) set the session cookie to allow subdomains, but that is NOT the default-- it must be changed.



    The only other possibility for this is that your host destroys session data after some time. Regardless of the cookie on the user's computer, the session data must still be on the server. So you can set the cookie to last forever, but it will only work as long as the session data is stored on the server. I'm not actually sure how this can be configured, but it's something to look into if nothing else works at all. But again, remember that there's a downside-- you don't actually want a year's worth of session data stored on your server wasting space.


    I hope that helps you get started!
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  3. The Following User Says Thank You to djr33 For This Useful Post:

    crobinson42 (02-27-2012)

  4. #3
    Join Date
    May 2010
    Location
    Sacramento, CA
    Posts
    91
    Thanks
    23
    Thanked 2 Times in 2 Posts

    Default

    That's awesome information, thanks! I've checked the code over and over, I even read through php.net looking for a solution but nothing pops up.

    Here's what I noticed today, I echo the session_id(); at the top of the main page after login, when it deletes the session['user_id'] data it goes back to the login page. I log in again, and the SAME session id is at the top!? So it's hanging on to the cookie with the ssid but not the data.

  5. #4
    Join Date
    May 2010
    Location
    Sacramento, CA
    Posts
    91
    Thanks
    23
    Thanked 2 Times in 2 Posts

    Fixed!

    It turns out that the session.save_path value in php.ini was not set. The solution was to run session_save_path() at the top of my script and set the path manually to my home directory (one level below public_html).

    PHP Code:
    <?php
      // Must be called before session_start() on every page that uses the session.
      session_save_path('/home5/twadding/session_data/');
    ?>

  6. #5
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,156
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Ok, great. And if you do run into any trouble with sessions expiring, you can follow the other advice above. It's especially useful to control the session cookie. One other bonus is that you can make it *.yourdomain.com so that all subdomains have the same cookie (if that happens to be useful for your site).

    (That does, by the way, sound like a problem with your host: by default PHP apparently isn't configured to store sessions correctly. It should work fine now that you've corrected it.)

  7. The Following User Says Thank You to djr33 For This Useful Post:

    crobinson42 (02-29-2012)
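
The fix and the cookie advice from this thread combined, as an added example that is not code from any of the posts: it puts session files in a directory only the owning account can access (so only this application's session.gc_maxlifetime governs when they are collected), sets bounded cookie parameters, and enforces the idle timeout on the server. The directory path, the 30-minute limit, the function names and the `last_seen` key are assumptions, and the `secure` flag assumes the site is served over HTTPS; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example: private session storage plus a bounded, server-enforced lifetime.
// SESSION_DIR and IDLE_LIMIT are assumed values; adjust them for your account.
const SESSION_DIR = '/home/ACCOUNT/session_data';   // placeholder, outside public_html
const IDLE_LIMIT  = 1800;                            // seconds of inactivity allowed

function start_private_session(string $dir, int $idleLimit): void
{
    // Create the directory so that only the owning account can access it.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory: $dir");
    }
    clearstatcache(true, $dir);
    // Refuse a directory that group or other users can read, write or list.
    if ((fileperms($dir) & 0077) !== 0) {
        throw new RuntimeException("session directory is not private: $dir");
    }

    session_save_path($dir);                                 // must precede session_start()
    ini_set('session.gc_maxlifetime', (string) $idleLimit);  // server-side file lifetime
    ini_set('session.use_strict_mode', '1');                 // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only (assumes an HTTPS site)
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // still sent to a same-site iframe
    ]);
    session_start();

    // Enforce the idle limit explicitly instead of relying on GC timing.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > $idleLimit) {
        session_unset();
        session_destroy();
        session_start();       // fresh, empty session for the login page
    }
    $_SESSION['last_seen'] = $now;
}

// Call right after a successful login so a pre-login session ID is never reused.
function on_login(int $userId): void
{
    session_regenerate_id(true);   // new ID, old session file deleted
    $_SESSION['user_id'] = $userId;
}

start_private_session(SESSION_DIR, IDLE_LIMIT);
```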
