I've got a simple login system using PHP sessions, but just recently it seems that if you visit pages not in a certain directory (/login/) you will always be flagged as not logged in, even when you are. It seems that my session data is being lost when I change directories (say, to /login/user/).

I don't think I've touched the code myself since the problem appeared. Is there something my web host could have done to my PHP installation that would delete the session data, and is there a workaround?

EDIT:
Inside each file that needs authorization, it loads a loginfunctions.php file which calls session_start() and checks the login. Files which work in /login and which I copy and paste into /login/user stop working, even though I update all the relevant paths and links.

EDIT2: Okay, some code.

In the actual pages that are giving me the error, this is the auth. code:

require_once("../../../includes/loginFunctions.php");

$login = new login; 
$login->checkLogin(0);

Inside loginFunctions.php is this:

class login{

    function checkLogin($requiredAccess){

        session_start();

        if($_SESSION['accesslevel'] < $requiredAccess || $_SESSION['logged_in'] != TRUE){
            die("You don't have access to this area. If you should have access, please log in again. <a href='/login/'>Login</a>");
        }

        if (isset($_SESSION['HTTP_USER_AGENT'])){
            if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])){
                session_destroy();
                die("Bad session. Please log in again. <a href='/login/'>Login</a> ");
            }
        } else {
            $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
        }

        if (!isset($_SESSION['initiated'])){
            session_regenerate_id();
            $_SESSION['initiated'] = true;
        }

    }

}

The $requiredAccess variable is the access level that you need to access this page, so if you have an accesslevel of 3 in the database you can view level 0, 1, 2 and 3 pages. This is specified when the function is called in the main page and is compared to the access level of the current user, which is defined in $_SESSION when they log in.

I'm getting the error "You don't have access to this area etc." when I try to access these pages. If I try to print the $_SESSION variables, nothing shows; they appear to be empty. However, if I move the file to the /login/ folder (one level up) and update the links, they work perfectly and all the variables print out fine. This makes me think the code is not the part that's not working, but some setting in my PHP install that has been changed without my notice.

A: 

Maybe you aren't calling session_start() at the beginning of pages not in /login/ ..?

Silmaril89
Edited my first post to show how I'm calling that. Also, the same pages work if they're in the main /login/ directory.
Ineffable
A: 

It's possible that they changed the php.ini setting session.cookie_path.

You should call session_set_cookie_params() before you call session_start() and make sure you set the cookie path yourself. Set it to the highest level directory you want the session to be valid for. E.g. if you set it to /login it will be valid for /login and /login/user. If you want your session to be valid for the entire site, set the path to be /

Josh
I tried setting session_set_cookie_params(3600, "/"); to no avail. Also, I checked session.cookie_path in my php info and it's set to "/" anyway.
Ineffable
Hmmm. Not sure what the issue could be. Please edit your question and post some code.
Josh
Updated my post for you. Thanks for taking the time to reply.
Ineffable
When you log in, do you see a cookie set? If so, are the domain and path correct? You can check for cookies in Firefox under "Tools > Page Info", on the "Security" tab.
Josh
A: 

This is why you shouldn't use directory to make false friendly URLs...

Don't forget to call session_start() every time you need the session.

TiuTalk
What does "use directory to make false friendly URLs" have anything to do with this? I have "friendly URLs" in almost every system I build and have never had an issue. And hey, ever noticed StackOverflow.com does, too?
Josh
I think he means that most friendly URLs are made by rewriting rather than by actual directories on disk.
erisco
@erisco: Ah. Thanks for clarifying. That makes sense. But still, whether rewritten or not the issue would still occur -- the browser has no idea that rewriting is occurring and cookie paths (if that's the issue) must still be set correctly.
Josh
There's no rewriting going on with these URLs in question. See comment to original post for how I'm calling session_start().
Ineffable
Also, how would you suggest I organise the files? Maintenance would be a nightmare if they were all piled in the same directory..?
Ineffable
A: 

I had a similar problem. Check you don't have a php.ini file. Removing this sorted the problem out. Still looking into exactly why. The php.ini file could even be blank and it would stop session data from carrying over to more than one directory...

sessionddrivingmemad
For clarification, a php.ini in your current directory. Obviously you'll have a php.ini somewhere...
sessionddrivingmemad
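The cookie-path and per-directory php.ini suggestions in the two answers above can both be checked with one diagnostic, shown here as an added example that is not code from any poster in this thread. It assumes PHP 7.3+ (array form of session_set_cookie_params()); the file name sessiondiag.php and the functions start_site_session() and session_diagnostics() are hypothetical names chosen for illustration.

```php
<?php
// Added example. Save as sessiondiag.php (hypothetical name) in BOTH /login/ and
// /login/user/, log in, request each copy, and compare the two outputs.
declare(strict_types=1);

// Start the session with an explicit, site-wide cookie scope instead of
// relying on whatever php.ini happens to apply to the current directory.
function start_site_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already sent at $file:$line; session cookie cannot be set");
    }
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',    // valid for /login/ and every subdirectory
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Collect the settings that decide whether two directories share one session.
function session_diagnostics(): array
{
    return [
        'script_dir'      => dirname($_SERVER['SCRIPT_NAME'] ?? ''),
        'loaded_php_ini'  => php_ini_loaded_file() ?: '(none)',
        'save_handler'    => ini_get('session.save_handler'),
        'save_path'       => session_save_path(),
        'cookie_params'   => session_get_cookie_params(),
        'cookie_received' => isset($_COOKIE[session_name()]),
        // Short hash rather than the raw ID, so the output is safe to paste.
        'session_id_hash' => substr(hash('sha256', (string) session_id()), 0, 12),
        'session_keys'    => array_keys($_SESSION),
    ];
}

start_site_session();
header('Content-Type: text/plain; charset=utf-8');
echo json_encode(session_diagnostics(), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
```

If `loaded_php_ini` or `save_path` differs between the two directories, each directory is reading its session files from a different place; if `cookie_received` is false in only one of them, the cookie's path or domain is excluding that directory.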
A: 

I had a similar issue. You may want to use: <? setcookie("TestCookie", $value, time()+3600, "/~rasmus/", ".example.com", 1); ?>

or something similar. I know cookie and session variables are a different desired solution, but this was able to clear up my issue.

See here for documentation

jason m