PHP version 5.4.41, Apache version 2.2.15, Linux version 2.6.32, CentOS 6.6
I have some code that won't redirect properly. There is a lot of code and configuration, so I'm going to try and keep it as simple as possible. My session is continuously lost after a header redirect. There are no errors and there are no warnings... the redirect proceeds fine. I session_start(); and var_dump($_SESSION) on the page after the redirect to get NULL. If I session_start and dump right before the redirect, the session dumps fine. I'm guessing it has something to do with the htaccess mod_rewrites dropping the session between pages, but am unsure how to fix it. I keep reading to add [L, QSA] but that is not helping. Sessions work fine for simple pages on the same server that don't use the mod_rewrites.
I think the domain is the same seeing how it goes from http://localhost:8000/web/someus/login to http://localhost:8000/web/someus/home
I chmoded & chowned recursively the whole www folder so that apache had all permissions and owned everything in the site.
The .htaccess file looks like:
    RewriteCond %{REQUEST_URI} !=/web/[a-z0-9]{6}/index.php
    RewriteCond %{REQUEST_URI} !error [NC]
    RewriteCond %{REQUEST_URI} !css [NC]
    RewriteCond %{REQUEST_URI} !images [NC]
    RewriteCond %{REQUEST_URI} !js [NC]
    RewriteRule ^([a-z0-9]{6})/(.*)$ /web/index.php?id=$1&page=$2 [L,QSA]
httpd.conf has a DocumentRoot:
    DocumentRoot "/var/www/html"
httpd.conf has an alias set up that looks like:
    Alias /web /var/www/html/website/
    <Directory "/var/www/html/website/">
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
In php.ini, output_buffering is turned on.
    session.cookie_path = /var/www/html/session
    session.use_cookies = 1
    session.use_only_cookies = 1
The header redirect looks like this, with the $url value containing 'home', replacing the login with home in the URL:
    header("Location: $url",true,302);
    exit();
When I curl -i on the home page
I get:
    HTTP/1.1 302 Found
    Date: Wed, 10 Jun 2015 21:54:38 GMT
    Server: Apache/2.2.15 (CentOS)
    X-Powered-By: PHP/5.4.41
    Set-Cookie: PHPSESSID=08079c815224b0b129d566dc274e0081; path=/web/someus; domain=127.0.0.1; secure
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Set-Cookie: PHPSESSID=ebde43200c30ad6ac18e88b8bfb71371; path=/web/someus; domain=127.0.0.1; secure
    Set-Cookie: PHPSESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/web/webdmo; domain=127.0.0.1; secure; httponly
    Location: login
    Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
    X-Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
    X-WebKit-CSP: default-src 'self' 'unsafe-eval' 'unsafe-inline'
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=631138519; includeSubDomains
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
When I curl -i on the login page that redirects to the home page
I get:
    HTTP/1.1 200 OK
    Date: Wed, 10 Jun 2015 21:58:21 GMT
    Server: Apache/2.2.15 (CentOS)
    X-Powered-By: PHP/5.4.41
    Set-Cookie: PHPSESSID=d79a57eaabb9a41e99f4e0dda202a598; path=/web/someus; domain=127.0.0.1; secure
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
    X-Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'
    X-WebKit-CSP: default-src 'self' 'unsafe-eval' 'unsafe-inline'
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=631138519; includeSubDomains
    Content-Length: 2890
    Connection: close
    Content-Type: text/html; charset=UTF-8
I think it's interesting that the 127.0.0.1 domain is secure in one and not the other--I'm not sure if that has anything to do with it.
http://localhost - that basically doesn't work without jumping through hoops. Just use a domain name.
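An added example (not part of the original posts): it applies the RFC 6265 Secure, Domain and Path rules to the session cookie from the login response above and reports which attributes would keep a client from returning it to the URLs in the question. Function names are hypothetical, and browser-specific special cases for localhost are not modelled.

```javascript
// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// RFC 6265 5.1.3: identical, or host is a subdomain of the cookie domain (never for IPs).
function domainMatches(host, domain) {
  const d = domain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || (!isIp(h) && h.endsWith('.' + d));
}

// RFC 6265 5.1.4: identical, or the cookie path is a prefix ending at a "/" boundary.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/');
}

// Reasons the cookie would NOT be returned to `url`; an empty list means it is sent.
// A cookie without a Domain attribute is host-only; that case is not checked here.
function whyNotSent(setCookieHeader, url) {
  const c = parseSetCookie(setCookieHeader);
  const u = new URL(url);
  const reasons = [];
  if (c.attrs.secure && u.protocol !== 'https:') reasons.push('secure-over-http');
  if (c.attrs.domain && !domainMatches(u.hostname, c.attrs.domain)) reasons.push('domain-mismatch');
  if (c.attrs.path && !pathMatches(u.pathname, c.attrs.path)) reasons.push('path-mismatch');
  return reasons;
}

// Header value copied from the login response in the question.
const header = 'PHPSESSID=d79a57eaabb9a41e99f4e0dda202a598; path=/web/someus; domain=127.0.0.1; secure';
console.log(whyNotSent(header, 'http://localhost:8000/web/someus/home'));
```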