PHP _Session variables lost between php files. why?












I know that, by the title, this question has been answered multiple times here, but none of the posts offers me a valid solution. So here I go:



THE PROBLEM:



I have an index.php file. It's a basic html-form with user/password fields and a login button. On clicking the Login button, a function called login() generates a hash for the password. Then user+hash are verified against a database. If the access is valid, I add some values to the SESSION, return true and then the form loads a php file called process_login.php where all I do is check if the user is admin or not and load a different web according to that. So far, so good.



The process_login.php loads the right website and it can see the SESSION values (I tried to print them, everything is ok).



These values are used to check if the current user has a valid session (is logged in) before loading any web.
This is how I add the variables to the SESSION, btw:



$user_id = preg_replace("/[^0-9]+/", "", $user_id);    
$username = preg_replace("/[^a-zA-Z0-9_-]+/", "", $user);
$_SESSION['user_id'] = $user_id;
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512', $db_password . $user_browser);


Here comes the problem:
process_login.php loads the right web, home.php. Home.php then checks if the session is valid with a function called login_check().
The first line of this function is



 // Check if all session variables are set 
if (isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string'])) {


And that fails. SESSION is an empty array and I don't know why.



Reading possible causes, people always suggest to call start_session() at the beginning of every php file where we need to use SESSION. Well, I do.
I call it at index.php, process_login.php and home.php, and yet... nothing. The only place I do not call it is a functions.php I use to declare all the functions I mentioned above. It's just an included file, nothing loads there.



This is how I start the session:



function sec_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure = SECURE;

    // This stops JavaScript being able to access the session id.
    $httponly = true;

    // Forces sessions to only use cookies.
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
        exit();
    }

    // Gets current cookies params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);

    // Sets the session name to the one set above.
    session_name($session_name);

    session_start(); // Start the PHP session
    session_regenerate_id(); // Regenerates the session ID; the old session is deleted only if true is passed.
}


Then, at the beginning of every file, I set this piece of code (code might vary a little because the include files might not be the same)



<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start();
?>


As you can see, at the end, I call session_regenerate_id(). I was suspicious that maybe it was deleting everything in my SESSION, so I commented it out. Nothing changed. home.php keeps failing to see whatever is in SESSION.



Any help would be very much appreciated. I can provide more code if needed.
Also, worth mentioning: this fails both locally (XAMPP) and online (web host).



Cheers



UPDATE:



When creating the SESSION, I'm using the session_set_cookie_params() function to set it up. The SECURE param is a defined bool that is set to true. If I change it to FALSE, everything works just fine. I get that XAMPP can't use https (unless you install a certificate etc) but I would expect this to work in the server (it's using secured ssh connections, so https). Double checking the redirects are using https.










  • Take a look at $secure = SECURE; - the string is not quoted. Are you getting some sort of warning?

    – Darragh Enright
    Nov 25 '18 at 14:29











  • It should be noted that session_start() should be called before any output is generated - this does include error messages.

    – Darragh Enright
    Nov 25 '18 at 14:31











  • Enable error reporting and tell us what you get back. php.net/manual/en/function.error-reporting.php

    – Funk Forty Niner
    Nov 25 '18 at 14:34













  • You tagged as "html-form", where is that form? And as previously stated about SECURE. I take it that you assigned that what is considered to be a constant somewhere? Your question is unclear.

    – Funk Forty Niner
    Nov 25 '18 at 14:36













  • Hi! Ok, answering to all of you: Darragh: thanks, didn't notice that. I'm going to double check that. There's some code I didn't write so it might be an error. About the errors: no errors at all. I'm monitoring the logs in php and I can't see any. But, again, will double check. Funk F.N: I'm going to enable the error reporting and come back. Thanks for the suggestion. About the html-form, it's a form within the index.php. The file is in the root file (xampp/htdocs/myweb/index.php).

    – MBRebaque
    Nov 25 '18 at 16:09
















php session-variables html-form






edited Nov 25 '18 at 16:47
MBRebaque

asked Nov 25 '18 at 14:11
MBRebaque













1 Answer
Problem is solved now.
I was doing everything right, by the book as they said. Problem was this:
I set the secure flag to TRUE when setting the cookie params for the Session. This enforces the cookies to be passed only through secured connections (more here session_set_cookie_params)



The problem is that everybody is accessing the website using either www. or nothing (http really), and that makes the cookies not to be passed because it's not a secure connection. But, if you access using https (or https://www), everything works just fine (I have an ssl certificate installed in the server).
The solution was to use a redirect in the .htaccess file in the server to make everything be redirected to https://www to enforce secure access.
I used this code



RewriteEngine On
RewriteCond %{HTTPS} off
# First rewrite to HTTPS:
# Don't put www. here. If it is already there it will be included, if not
# the subsequent rule will catch it.
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Now, rewrite any request to the wrong domain to use www.
# [NC] is a case-insensitive match; the dot is escaped so it matches a literal "."
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


Thanks to everyone for your advice and suggestions.



Cheers!






answered Nov 25 '18 at 17:01
MBRebaque
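The failure this answer describes, as an added example that is not part of the original post: once the session cookie carries the Secure attribute, a browser does not send it back over plain HTTP, so every HTTP request starts a new, empty session. The sketch below makes that case explicit at session start instead of letting $_SESSION come up empty; CANONICAL_HOST is a placeholder, and TRUST_PROXY, request_is_https() and start_session_or_redirect() are hypothetical names.

```php
<?php
// Added example, not the poster's code. Requires PHP 7.3+ (array form of
// session_set_cookie_params). CANONICAL_HOST is a placeholder; TRUST_PROXY,
// request_is_https() and start_session_or_redirect() are hypothetical names.
declare(strict_types=1);

const SECURE = true;                        // session cookie gets the Secure attribute
const CANONICAL_HOST = 'www.example.test';  // placeholder for the site's real host
const TRUST_PROXY = false;                  // true only behind a TLS-terminating proxy you control

// Decide whether the current request arrived over TLS.
function request_is_https(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    // A client can send X-Forwarded-Proto itself, so honour it only when a
    // trusted proxy in front of PHP overwrites the header.
    return TRUST_PROXY
        && strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https';
}

// Start the session, or send the client to HTTPS when the Secure cookie
// could never be returned on this connection.
function start_session_or_redirect(array $server): void
{
    if (SECURE && !request_is_https($server)) {
        // Over plain HTTP the browser withholds a Secure cookie, so
        // session_start() would hand out a fresh session ID on every request
        // and $_SESSION would always be empty. Redirect instead of failing
        // silently. The host is fixed rather than taken from the Host header,
        // so a forged header cannot steer the redirect.
        $uri = (string) ($server['REQUEST_URI'] ?? '/');
        header('Location: https://' . CANONICAL_HOST . $uri, true, 301);
        exit;
    }

    session_name('sec_session_id'); // same custom name as in the question
    session_set_cookie_params([
        'lifetime' => 0,        // cookie lasts until the browser closes
        'path'     => '/',
        'secure'   => SECURE,   // never sent over plain HTTP
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call this at the top of every page, before any output is generated.
start_session_or_redirect($_SERVER);
```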































