Session info is lost in Chrome (but works in other browsers)

This is perhaps the same question as Session data lost in Chrome only and related to Randomly Losing Session Variables Only In Google Chrome & URL Rewriting

There are no solutions there that will work for me; I was hoping someone has some new input into this.

These are the steps I follow:

  1. I initialize a session (not a cookie) with <?php session_start();?> then set the variable later on in the same php file with $_SESSION['nu'] = $userName;

  2. Then I redirect to a new php with window.location.href = "foo.php". That php file starts the session (first thing, same as above) and then uses $_SESSION['nu']. So far all works fine in all browsers.

  3. On the second php page (the one in step 2) on Chrome (31.0.1650.26 beta):

    • I can use $_SESSION['nu'] in a php file accessed through an AJAX call.
    • If I reload the page, $_SESSION['nu'] is not set anymore. Right after the first load, it's not set.
    • If I go to another page that also needs $_SESSION['nu'], it cannot access it either.

  4. On Safari (5.1.9 and 5.1.7) and Firefox (24.0 and 18.0) I can reload and go to another page, $_SESSION['nu'] is set and all works fine.

  5. When I test this on my home environment (MAMP 1.9.6) it works fine also on Chrome.

  6. In both php.ini files (home and online) session.use_only_cookies is On (Local and Master).

Since I can access it via AJAX (no change of page) it would seem Chrome has a problem with the session when going to a new page. But why does it then work the first time? I do change pages...

I've tried the favicon.ico solution (I placed an icon-file called favicon.ico in the web root) but it didn't change anything.

Any suggestions? Thanks!

Update

  • All php files trying to access $_SESSION['nu'] sit in the root ('my' root, since I'm using a web hotel).
  • Looking in Chrome's console, into 'Resources -> Cookies', I can see the cookie is present all the time (as I move from the php file that starts the session to foo.php).
  • What's boggling my mind is that it works in FF and Safari...

Update2

Images from Console. This is what I see when I'm in foo.php (the second page):

Chrome: [console screenshot, image not preserved]

Safari: [console screenshot, image not preserved]

SOLUTION (hopefully): I'm not sure why it's working now, which leaves me not wholly comfortable but, for the time being... To explain what happened I need to give some more details:

  • index.php calls start_session(). Sets variable $_SESSION['nu'] = Null. Then the page waits for login button to be clicked.

  • Login button has a script, which via AJAX calls singIn.php, which calls start_session() and sets $_SESSION['nu'] = "bar". In the done() function of the AJAX call, the script calls window.location.href = "foo.php".

  • foo.php calls session_start() and retrieves $_SESSION['nu'].

In my try-anything-mode I tested removing the start_session() from index.php. I also removed the assignment $_SESSION['nu'] = Null. I wanted them in place to ensure that visiting index.php would clean the session and de facto logout the user. But the site does have a proper logout option, so I can stick to that.

Without those lines in index.php, it seems to work in Chrome. That is, the value of $_SESSION['nu'] is not lost when user navigates through other pages in the site, or reloads foo.php.

As I said earlier, this was working all the time in FF and Safari. Now also in Chrome. I'd sure appreciate if someone can find an explanation!



Solution 1:[1]

I had a similar issue: cookies were cleared (sometimes, not always) a short time after the page rendered. The reason was multiple calls to an internal API during page rendering, which had session_start(); inside.

Removing session_start() from the API solved the problem.

The problem occurred with Chrome and Firefox; Safari worked without problems.

Solution 2:[2]

It could be a cross-domain issue. Try to use the SameSite option config for the cookie on the append:

    // SameSite=None cookies must also be marked Secure, or Chrome rejects them.
    var cookieOptions = new CookieOptions
    {
        HttpOnly = true,
        Secure = true,
        Expires = DateTime.UtcNow.AddDays(7),
        SameSite = SameSiteMode.None
    };
    Response.Cookies.Append("refreshToken", token, cookieOptions);
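
The two answers above point at repeated session_start() calls and at the session cookie's attributes. As an added example (not code from the question or the answers), here is a PHP counterpart: one helper that starts the session at most once per request with explicit cookie attributes, plus a read-only mode for AJAX endpoints. The function names app_session_start, app_login and app_current_user are hypothetical, and PHP 7.3 or later is assumed.

```php
<?php
// Added example, not from the original thread. Function names are hypothetical.
// Assumes PHP 7.3+ (array form of session_set_cookie_params()).

/**
 * Start the session at most once per request, with explicit cookie attributes.
 * With $readOnly = true, $_SESSION is loaded and the session is closed again
 * immediately, for AJAX/API endpoints that only read session data.
 */
function app_session_start(bool $readOnly = false): bool
{
    // Guard: skip a second session_start() in the same request.
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    if (headers_sent($file, $line)) {
        // Too late to send Set-Cookie; record where output began.
        error_log("session not started: output already sent at $file:$line");
        return false;
    }
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',    // one cookie for every page under the web root
        'secure'   => $https, // HTTPS-only where the site is served over HTTPS
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',  // 'None' only for cross-site use, and only with secure
    ]);
    return session_start($readOnly ? ['read_and_close' => true] : []);
}

/** Login endpoint: the one place that writes $_SESSION['nu']. */
function app_login(string $userName): void
{
    if (app_session_start()) {
        $_SESSION['nu'] = $userName;
        session_write_close(); // flush to storage before the client redirects
    }
}

/** Read-only access for foo.php and AJAX handlers; null when not logged in. */
function app_current_user(): ?string
{
    app_session_start(true);
    return $_SESSION['nu'] ?? null;
}
```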

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 jirik_cs
Solution 2