SSI.php and Session Cookies Question

Started by MobileCS, September 01, 2024, 11:12:45 PM

MobileCS

Does loading SSI.php in a PHP file always create an empty session cookie, even though I have the forum set to "Use database driven sessions"?

Arantor

So, sessions exist on the server, whether as a file or as an entry in the database (or somewhere else). This is a record of the user being logged in and local information about the user having actually been logged in.

What the cookie contains is, essentially, just the pointer to the session record. Think of it like a security guard issuing you a pass to go around the building, where the pass contains a barcode - not enough information on its own, but the barcode gets scanned at every door you go through and this is looked up when you get there to verify that it's you.

So yes it is completely normal that database driven sessions would produce a cookie.

When you say "empty session cookie", though, I'm not clear on what you mean, because "empty" can mean several different things.

Is that a PHPSESSID cookie or the actual SMF cookie? Is it zero content or fresh session?

I'm guessing the latter, that SSI is creating a new session for users - usually this suggests the setting for subdomain independent sessions should be on, but that hugely depends on what domain setup you actually have and exactly how SSI is being used, but the answer is "probably yes this is expected" except you haven't explained your setup.
Holder of controversial views, all of which my own.


MobileCS

I'm using SSI.php on non-forum pages to show how many forum users are online, and recent forum posts.

The session cookie in question is empty - it contains no information.



[localhost /var/tmp/]$ more sess_5243301134cddebed6ad2eefd48d88c4
sess_5243301134cddebed6ad2eefd48d88c4: No such file or directory

However, that changes under unexpected circumstances.

On one of my webpages only, I call start_session() and create a nonce-token and store it in the session cookie. Only after I store my token in the session cookie, a whole bunch of additional information gets stored. I'm assuming it's from SSI.php.

[localhost /var/tmp/]$ more sess_5243301134cddebed6ad2eefd48d88c4
nonce-token|s:64:"53ba82650046b1e56958f3d15092a4e18cd51ab0e0c9e49fd65c90baac471221";session_value|s:32:"7f21a8f1c89c30b7230e77f9eb4a08f7";session_var|s:8:"ebe7be0a";token|a:1:{s:10:"post-login";a:4:{i:0;s:12:"c59ffe23fa08";i:1;s:32:"1dbffabbc67a7a5e9cd96a73571aae25";i:2;i:1725331805;i:3;s:32:"c29d77abf2d33d7a753839aadd1d19a3";}}mc|a:7:{s:4:"time";i:1725331805;s:2:"id";i:0;s:2:"gq";s:3:"0=1";s:2:"bq";s:3:"0=1";s:2:"ap";a:0:{}s:2:"mb";a:0:{}s:2:"mq";s:3:"0=1";}USER_AGENT|s:111:"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36";log_time|i:1725331805;timeOnlineUpdated|i:1725331805;

My questions are:

Is that additional information from SSI.php? If so, why is that information only being stored AFTER I store my nonce-token?

Otherwise, that session cookie is empty the whole time you navigate my website, and that only changes when you visit the page where I store a token in the cookie.

Arantor

All of that stuff is normal for SMF, that's not unique to SSI, that's literally the normal session contents in SMF.

Your manual session_start makes the file (because DB sessions are manually handled) and SSI sees the session is already open and then populates the things into it that it expects to find because it isn't going to close your existing session to open its own.

Working as intended at this point.
Holder of controversial views, all of which my own.
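
An added example, not part of the original posts and not SMF code: a small Python parser for the `name|serialized-value` layout seen in the sess_ file in this thread (PHP's default `php` session serialize handler), used to list which top-level keys a page set itself and which were populated by other code sharing the same session. The sample data is constructed, and `decode_session` and `split_keys` are hypothetical names.

```python
def _parse_value(buf: bytes, pos: int):
    """Parse one PHP serialize() value at buf[pos:]; return (value, next_pos)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                # N;
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):                  # i:123;  b:1;  d:0.5;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end].decode()
        val = float(raw) if tag == b"d" else int(raw)
        return (bool(val) if tag == b"b" else val), end + 1
    if tag == b"s":                                # s:<byte length>:"<bytes>";
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                          # skip the :" before the bytes
        if buf[start + length:start + length + 2] != b'";':
            raise ValueError(f"bad string length at offset {pos}")
        text = buf[start:start + length].decode("utf-8", "replace")
        return text, start + length + 2
    if tag == b"a":                                # a:<count>:{key value ...}
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        pos, out = colon + 2, {}                   # skip the :{ before the items
        for _ in range(count):
            key, pos = _parse_value(buf, pos)
            out[key], pos = _parse_value(buf, pos)
        if buf[pos:pos + 1] != b"}":
            raise ValueError(f"unterminated array at offset {pos}")
        return out, pos + 1
    raise ValueError(f"unsupported type {tag!r} at offset {pos}")

def decode_session(data: bytes) -> dict:
    """Decode a whole session record: repeated <name>|<serialized value>."""
    data, pos, session = data.strip(), 0, {}
    while pos < len(data):
        bar = data.index(b"|", pos)
        name = data[pos:bar].decode()
        session[name], pos = _parse_value(data, bar + 1)
    return session

def split_keys(session: dict, own_keys: set):
    """Separate keys your page wrote from keys other code added."""
    return ([k for k in session if k in own_keys],
            [k for k in session if k not in own_keys])

# Constructed sample in the same shape as the file shown in the thread.
SAMPLE = (b'nonce-token|s:8:"deadbeef";session_value|s:4:"abcd";session_var|s:3:"xyz";'
          b'token|a:1:{s:10:"post-login";a:2:{i:0;s:2:"t1";i:1;i:1700000000;}}'
          b'mc|a:2:{s:4:"time";i:1700000000;s:2:"ap";a:0:{}}log_time|i:1700000000;\n')

if __name__ == "__main__":
    mine, other = split_keys(decode_session(SAMPLE), {"nonce-token"})
    print("set by this page:", mine, "| added by other code:", other)
```
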

