Staspost, 2022-01-24 19:58:13

Why does the session disappear when logging in from mobile devices?

There is a simple authorization script that works without problems in several browsers on a computer:

<?php
session_start();
ini_set('error_reporting', E_ALL);
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
mb_internal_encoding("UTF-8");
require 'lib/db.php';
// Collect the data sent by the user via POST
$data = $_POST;
// The user clicks the "Log in" button and the code starts executing
if (isset($data['do_login'])) {
    $pass = htmlspecialchars($data['inputPassword']);
    $pass = strip_tags($pass);
    $pass = addslashes($pass);
    $pass = trim($pass);
    $mail = htmlspecialchars($data['input_Email']);
    $mail = strip_tags($mail);
    $mail = addslashes($mail);
    $mail = trim($mail);
    // Array for collecting errors
    $errors = array();
    // Look the user up in the users table
    $query = "SELECT id, login, password FROM users WHERE email='" . mysqli_real_escape_string($link, $mail) . "'";
    $result = mysqli_query($link, $query);
    if (!$result) die ("Сбой при доступе к БД: " . mysqli_error($link));
    $row = $result->fetch_assoc();
    if ($row != null) {
        $id = $row["id"];
        $login = $row["login"];
        if (password_verify($pass, $row["password"])) {
            // Everything is correct, let the user in
            $_SESSION['logged_user'] = $id;
            $_SESSION['login_user'] = $login;
            mysqli_free_result($result);
            // Cast to int so only a number can reach the query
            $query = "SELECT size FROM usersSettings WHERE user=" . (int) $_SESSION['logged_user'];
            $result = mysqli_query($link, $query);
            if (!$result) die ("Сбой при доступе к БД: " . mysqli_error($link));
            $row = $result->fetch_assoc();
            $size = $row['size'];
            mysqli_free_result($result);
            $_SESSION['size'] = $size;
            header('Location:  /');
            // Stop the script so nothing else runs after the redirect
            exit;
        }
        else echo "Неверно";
    }
    else {
        mysqli_free_result($result);
        echo "Данные не найдены";
    }
    if (!empty($errors)) {
        echo '<div style="color: red; ">' . array_shift($errors) . '</div><hr>';
    }
}
?>

That is, the user enters a login and password, clicks the "Submit" button, and goes to the authorization page, where session variables are set for him, and he returns to the main page.
Everything works correctly on the computer, but at the same time, the session disappears from phones (I checked it from both Android and iPhone) after redirecting via header('Location: /');
I checked that authorization works on the authorization script page itself (displayed the session variable after it was assigned), but after redirecting this session variable is no longer on the main page - Undefined index.
Why does it disappear and how can I fix it?


1 answer(s)
Staspost, 2022-01-24
@Staspost

I found the source of the problem: this header was set in the .htaccess file:

Header set Set-Cookie HttpOnly;Secure

If you remove the Secure attribute, then everything works on mobile devices. If it is set, it stops working. The site is on https.
The description of this attribute states that

The Secure attribute on cookies ensures that cookies are never accepted over HTTP. That is, the browser rejects cookies with this attribute unless the connection is via HTTPS.

What is the problem here, why does the connection suddenly stop happening through https, if the site is on it?
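
The directive quoted in the answer emits `HttpOnly;Secure` as the value of a Set-Cookie header; it does not append those attributes to the PHPSESSID cookie. As an added example (not the poster's code), the same flags can be put on the session cookie itself in PHP, so no Set-Cookie override in .htaccess is needed. It assumes PHP 7.3+ and a site served only over HTTPS; the function names are hypothetical.

```php
<?php
// Added example, not code from the original post.
// Assumptions: PHP 7.3+ (array form of session_set_cookie_params),
// site reachable only over HTTPS. Function names are hypothetical.

function start_secure_session(): void
{
    // Reject session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    // Never accept a session ID passed in the URL.
    ini_set('session.use_only_cookies', '1');

    // Must be called before session_start(): these attributes are
    // attached to the PHPSESSID cookie when PHP sends it.
    session_set_cookie_params([
        'lifetime' => 0,      // cookie lasts until the browser is closed
        'path'     => '/',
        'secure'   => true,   // browser returns it over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // withheld from cross-site subrequests and POSTs
    ]);
    session_start();
}

function complete_login(int $userId, string $login): void
{
    // Issue a fresh session ID at the moment of login and delete the
    // old session data, so a pre-login ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['logged_user'] = $userId;
    $_SESSION['login_user']  = $login;

    header('Location: /');
    exit; // nothing else may run after the redirect
}

// Call this at the top of every page instead of a bare session_start().
start_secure_session();
```

To check the result, look at the login response in the browser's network panel: the PHPSESSID Set-Cookie header should carry the Secure, HttpOnly and SameSite attributes after the cookie's name and value.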
