Hi,

(sorry if it's a stupid question but i found nothing about this)
i'm running PHP 4.3.5 on redhat 9 apache 2.
I'm testing 2 test scripts (i'm not the writer, i've just configured the server):
##########test1.php########
<?
        session_start();
        $_SESSION['toto']="TOTO";
        echo "<h1>Here test1 : ".$_SESSION['toto']."</h1>"

?>

##########test2.php########
<?
        session_start();
        echo "<h1>here test2 : ".$_SESSION['toto']."</h1>"
?>


When i use http://servername/directory/test1.php
It returns "Here test1 : toto"
When i use http://servername/directory/test2.php
It returns "Here test2 : toto" .... nothing special...

but when i use http://virtualhost/test1.php
It returns "Here test1 : toto"
and (i don't know why)http://virtualhost/test2.php
It returns "Here test2 : "

It seems to loose session variable..
Maybe i'm missing something with configuration or code.
Any idea??
Thanks for your help!

This is probably an authorisation problem. "Virtualhost" clearly doesn't have acccess to "servernames"'s cookies, but should be able to access cookies of its own.

(Of course, you should never be able to pass straight from http://servername/directory/test1.php to http://virtualhost/test2.php, or vice versa, and see sessions preserved, as that would be a serious security flaw.)

Take a look at your session cookie configuration.

thanks for your answer!
how can i look to session cookie configuration??
is that config ok? :
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /<file rwx for everyone> /<file rwx for everyone>
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid Off Off

thanks for your help!

after tests :
using ipaddress create 1 session file but virtual host 2...
i don't understand why test2.php create session file!

Well, I'm not particularly familiar with Apache 2, but I suspect you may want to look into that:

"session.cookie_domain"

setting, since I'm pretty sure that, since it's the domains that are, effectively, giving you the gyp, the fact that you have session.cookie_domain set as "no value no value", taht may be part of your problem.

i've found on many php web site that user $_session do not create cookies... it creates flat files with a randow ID and destroy it (if needed) after, i'm wrong??

I am not sure I follow you. Certainly, cookies are just _one _way_ of perpetuating a session, and PHP can be configured (and usually defaults to) using other means of perpetuating the session, if it detects that cookies aren't available (e.g. user has them disabled).

What I suspect may be happening in your case, is that a cookie is being assigned in both cases (for _both_ hostnames), but that vitualhost isn't being given access to those cookies because it isn't being recognised as the owner of the cookie. The cookie is somehow being given out as if it was the property of 'servername', and when 'virtualhost' requests it, 'virtualhost' isn't being recognised as the legitimate owner of that cookie and so PHP denies access to it, for very good security reasons.

Like I say, I haven't used Apache2 since I stopped playing around with JSP, but I'd _guess_ that the "session.cookie_domain no value no value" business you quoted above might be a good place to start looking for a cause.

it's not a seesion_cookie problem but i've find the problem :
it's an IE6 bug...
you could see it : http://support.microsoft.com/default...b;EN-US;316112

SYMPTOMS
After you install security patch MS01-055 for Microsoft Internet Explorer 5.5 or 6.0, you may encounter the following problems:
Session variables are lost.
Session state is not maintained between requests.
Cookies are not set on the client system.
Note These problems can also occur after you install a more recent patch that includes the fix that is provided in security patch MS01-055.
CAUSE
Security patch MS01-055 prevents servers with improper name syntax from setting cookies names. Domains that use cookies must use only alphanumeric characters ("-" or ".") in the domain name and the server name. Internet Explorer blocks cookies from a server if the server name contains other characters, such as an underscore character ("_").

Because ASP session state and session variables rely on cookies to function, ASP cannot maintain session state between requests if cookies cannot be set on the client.

This issue can also be caused by an incorrect name syntax in a host header.
RESOLUTION
To work around this problem, use one of the following methods:
Rename the domain name and the server name, and use only alphanumeric characters.
Browse to the server by using the Internet Protocol (IP) address rather than the domain/server name.

i've find it on : http://www.phpe.net/manual/function.session-start.php

thanks for answering!!

"Get a new domain name or use your IP address all the time".

Hm, that's some "workaround". In other words:
"The product is fine, it's your behavour, that is at fault."

Remind me: there was some point that Microsoft had in mind, when it embarked upon dominating the browser market with this broken grey rectangle of a thing, wasn't there?