PHP session value changes or is sometimes empty

I am using PHP sessions in my application for some security checks; it worked perfectly before using Cloudflare.
With the firewall, the session value sometimes changes or is sometimes automatically reset to empty.

1 Like

Are you still having this issue?

1 Like

I have this question, how can I solve it?

1 Like

If you are getting this issue, you might find that the REMOTE_ADDR might be the cause. I found this quite helpful:

http://noodlecode.net/2011/09/Cloudflare-phpbb3

1 Like

I have the same issue, would really appreciate some info on how I can use _SESSION in combination with Cloudflare... At the moment I can't store any values in _SESSION for my domain…

PHP sessions and Cloudflare are unrelated. Can you precisely describe the issue? If you additionally implemented some IP checks you’d first need to restore the IP addresses of course → https://support.cloudflare.com/hc/en-us/sections/200805497-Restoring-Visitor-IPs

One of the main reasons people use Cloudflare on their sites (besides caching) is to secure them with an HTTPS connection. See the options “Always Use HTTPS” and “Automatic HTTPS Rewrites” under the “Crypto” tab.

If your PHP app performs header location redirects to other internal pages then the problem with sessions being lost may be due to the fact that the connection changes from HTTPS to HTTP and back again and this will void any session data.

To make sure you preserve session data you should set a cookie for the HTTP connection as well immediately after session_start(), just in case:

session_start();
setcookie(session_name(), session_id(), NULL, NULL, NULL, 0);

This will guarantee your session data will survive any such changes. Hope this helps.

1 Like

That is a common misconception. Cloudflare can't make an unsecure site secure.

What should be the point of this exercise? session_start already sends that cookie.

There isn’t any misconception. Cloudflare provides a free SSL certificate which saves you cash and aggravation from the hosting companies, not to mention better search engine rankings. I see added value in that!

I found this thread on Google because I experienced the same problem with _SESSION data being lost after switching my site to Cloudflare and I spent the better part of a day to find a solution. Nothing worked until I found the simple code posted above. Sometimes it’s amazing the answer could be so simple.

Please note the last parameter on the call to setcookie(), it is zero. Quoted from the PHP manual:

" secure
Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. When set to TRUE, the cookie will only be set if a secure connection exists. On the server-side, it’s on the programmer to send this kind of cookie only on secure connection (e.g. with respect to $_SERVER[“HTTPS”])."

You are right, the session_start() function already takes care of setting this cookie but it does it with the “secure” parameter set to TRUE! As I mentioned in my post above, if your code contains redirects in the form of header(“Location: newpage.php”) then your _SESSION data will be lost if you don’t manually set a cookie for the non-secure HTTP connection as well!

The entire explanation may be more complex than this since it wasn’t an issue until I switched my site to Cloudflare but nevertheless I’m happy that _SESSION data is preserved now and everything works correctly again!

Just in case someone is wondering, this wasn’t some custom code experiencing this issue, but a well-known customer support helpdesk application, namely “osTicket”. After trying to log into the admin control panel I was endlessly redirected back to the login page even if the username and password were correct! After adding the above code after “session_start();” everything started to magically work correctly again. Hope this helps…

No, it does not. Search the forum for that “misconception”.

And that is controlled by session.cookie_secure.

No offence, but that piece of code appears to be yet another misconception. This time not about TLS, but PHP.
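
The two points raised in the replies above (restore the visitor IP before any IP-based session check, and leave the Secure flag to session.cookie_secure instead of re-sending the cookie without it), shown as a session bootstrap for an origin behind Cloudflare. This is an added example, not code from any poster in the thread; the proxy ranges and `SITE_HOST` are placeholders, and the helper function names are hypothetical.

```php
<?php
// Added example, not code from the thread. The CIDR ranges and SITE_HOST are
// placeholders: use the proxy ranges Cloudflare publishes and your own host.
const TRUSTED_PROXIES = ['203.0.113.0/24', '198.51.100.0/24'];
const SITE_HOST = 'www.example.com';
// True when the TCP peer (REMOTE_ADDR) is inside a trusted proxy range (IPv4 only).
function peer_is_trusted_proxy(array $server): bool
{
    $peer = ip2long($server['REMOTE_ADDR'] ?? '');
    foreach (TRUSTED_PROXIES as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        $mask = (0xFFFFFFFF << (32 - (int) $bits)) & 0xFFFFFFFF;
        if ($peer !== false && ($peer & $mask) === (ip2long($net) & $mask)) {
            return true;
        }
    }
    return false;
}
// Visitor address: CF-Connecting-IP is believed only when a trusted proxy sent it.
function visitor_ip(array $server): string
{
    $claimed = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    if (peer_is_trusted_proxy($server) && filter_var($claimed, FILTER_VALIDATE_IP)) {
        return $claimed;
    }
    return $server['REMOTE_ADDR'] ?? '';
}
// Did the visitor use HTTPS, even if the proxy-to-origin hop was plain HTTP?
function visitor_used_https(array $server): bool
{
    $direct = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $viaProxy = peer_is_trusted_proxy($server)
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
    return $direct || $viaProxy;
}

if (!visitor_used_https($_SERVER)) {
    // Keep the visitor on HTTPS instead of sending the session cookie without Secure.
    header('Location: https://' . SITE_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, 302);
    exit;
}
ini_set('session.cookie_secure', '1');   // the setting that controls the Secure flag
session_start();
$ip = visitor_ip($_SERVER);
if (($_SESSION['ip'] ?? $ip) !== $ip) {
    $_SESSION = [];                      // address changed: drop the old session data
    session_regenerate_id(true);
}
$_SESSION['ip'] = $ip;
```

Without the trusted-proxy check, any client that reaches the origin directly could supply its own `CF-Connecting-IP` or `X-Forwarded-Proto` value and have it believed.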
