Little bit of a panic here. I was playing around with the php.ini file on a webserver, reading the best practice of security, and it said that best security is to set session.use.strict_mode to 1, which default was 0.

I tried it to see what would break and some stuff broke, like I cannot log in to most of my homemade projects anymore...

I simply went back to set it to 0 and restart the webserver... To my distress I now can still not log in anywhere, and I've waited 1 hour in hopes of the "session garbage collection to run" on the server, which should run every 30 minutes.

What's going on here? Do I have to restore the entire server from a backup because I changed one setting once? Did it change some other switches anywhere else? I cannot understand what's going on. The only idea I had was that the sessions were stored on the server. I cleared all my browser sessions too, no go. Cannot log in.

Ideas?

karnehe
  • Is this any help? https://stackoverflow.com/questions/23529234/use-strict-mode-in-php-sessions – RiggsFolly Oct 04 '18 at 18:09
  • Yes and no, I realize that I need to update code in order for things to work, but what I did not realize is that I would be permanently locked out because I changed a setting, and I do not have time to dig into the code now to fix it, which is a problem 'cause I did this horrible experiment on a production server and now no one can log in, and I cannot figure out how to purge the session data, which I believe is the culprit... I believe I need to purge /var/lib/php5, which contains sessions, but even with sudo I do not have permission to do so. – karnehe Oct 04 '18 at 18:13
  • Have you tried a different browser, or deleted your browser cookies? The session is maintained by cookies. So if you poisoned your session, then delete the cookies and get a new one. – ArtisticPhoenix Oct 04 '18 at 19:21
  • Yes, tried all of that. The only thing I couldn't do was clear out the /var/lib/php5, as some files were even locked to sudo. Not sure how that could be since I did sudo service apache2 stop before I tried it. What could be the reason for that? I did have to change the code to use a cookie instead of a phpsession to store the login data for now. I can still not log in anymore using something like $_SESSION['testuser1'] even though session.use.strict_mode has been set to 0 since 2 hours back. Very scary. – karnehe Oct 04 '18 at 19:39

1 Answer

Holy hell, I found the issue and it was me who caused it, obviously...

Editing the php.ini file, most values look like this:

session.use.strict_mode = 1 or session.use.strict_mode = 0

I had modified another function called session.referer_check and set it to 1. When things broke I simply went back and set it to 0, forgetting that its default value was actually nothing. Whoopsie...

karnehe
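
The failure described in the answer, as an added example that is not part of the original post and not PHP's own code: the PHP manual describes session.referer_check as a substring that any Referer sent by the client must contain, otherwise the session ID is treated as invalid, so a value of 0 is a one-character substring to match rather than "off". The function names are hypothetical, the Referer URLs are constructed, and the strict-mode directive is written with PHP's actual spelling, session.use_strict_mode.

```php
<?php
// Added example, not from the original post. Function names are hypothetical.

// Model of the session.referer_check rule as described in the PHP manual:
// if the client sent a Referer that lacks the configured substring, the
// session ID is treated as invalid. An empty value disables the check.
function referer_check_rejects($check, $referer)
{
    if ($check === '') {
        return false;                    // default (empty): check disabled
    }
    if ($referer === null || $referer === '') {
        return false;                    // no Referer sent: nothing to compare
    }
    return strpos($referer, $check) === false;
}

// Flag session settings relevant to the lockout discussed above.
function audit_session_settings(array $ini)
{
    $notes = array();
    $check = isset($ini['session.referer_check']) ? (string) $ini['session.referer_check'] : '';
    if ($check !== '') {
        $notes[] = "session.referer_check = \"$check\": Referers without it invalidate the session ID";
    }
    $strict = isset($ini['session.use_strict_mode']) ? $ini['session.use_strict_mode'] : '0';
    if (!filter_var($strict, FILTER_VALIDATE_BOOLEAN)) {
        $notes[] = 'session.use_strict_mode is off: uninitialized session IDs are accepted';
    }
    return $notes;
}

// Constructed sample Referers: only the second happens to contain "0".
$referers = array('https://example.test/login.php', 'https://example.test/page10.php', null);
foreach (array('0', '') as $check) {
    foreach ($referers as $referer) {
        printf("referer_check=%-4s referer=%-34s session id %s\n",
            var_export($check, true), var_export($referer, true),
            referer_check_rejects($check, $referer) ? 'discarded' : 'kept');
    }
}

// Effective values for the SAPI running this script.
print_r(audit_session_settings(array(
    'session.referer_check'   => ini_get('session.referer_check'),
    'session.use_strict_mode' => ini_get('session.use_strict_mode'),
)));
```

Request it through the web server rather than running it from the CLI, since the two can load different php.ini files.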