PHP server sends a cookie, browser receives it, but no cookie is found

I have searched and searched, but nothing seems to match my issue.

In my development environment, I have some PHP scripts to generate HTML to the client. I created my own custom sessions manager, and everything in my code is working (so far) until I try to send a cookie on a new session. Here is some code to give an idea:

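<?php
    class Session {
        private $data = null;
        private $id = null;
        private $token = null;
        private $access = null;
        private $oldID = null;
        private static $ck_limit = 180;                 // cookie lifetime in seconds
        private static $ck_domain = "kiosk.local.com";  // cookie Domain attribute
        // ... (remainder of the class omitted in the original post)
        public function __construct() {
            // Arguments: name, value, expiry, path, domain, secure (HTTPS only), httponly
            setcookie("id", $this->id, (time() + self::$ck_limit), '/', self::$ck_domain, true, true);
        }
    }
?>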

The browser gets the cookie just fine according to Firebug, but in the cookies list, it's nowhere to be found! Page refreshes don't do anything, and no cookies seem to be making it to the client storage. The links are absolute paths, over HTTPS, certs are permanently stored and trusted, and changing between any of these settings yields no cookie.

I tested cookie reception with Google in the same browser, and they work.

Just in case someone asks, my machine's hostname is an FQDN of kiosk.local.com and my hosts file has it mapped to its interfaces. This isn't my first server, but it is the first time I am dealing with cookies in PHP.

I ensured that there is NOTHING being sent to the client prior to sending the cookie, and I tried sending it with nothing, an empty page, and the page I am sending it regularly, and tried without output buffering.

Is there any reason this should be happening? My error.log for Apache says nothing about a cookie, and the PHP setcookie() method returns true, and Firebug reports no errors whatsoever on the page load... just no cookie in the cookies list. I can see the cookie data in the received header, but that's the only indication that the server is doing its job.

Browser is Firefox 40.0.3 for Ubuntu 12.04.3 LTS, Extensions are Firebug, FireQuery, Firefox HTTP authentication from sub-resources Hotfix, and Ubuntu Modifications.

I believe I found my answer this morning on a hunch. The server's code is fine. What I left out incidentally, because I didn't think it had any impact or bearing on the system, was that the client and the host are the same machine, meaning I am running the browser from a user on the machine that the apache2 server is running from. My project here is a standalone application that is web-based using PHP and MySQL. I triple-checked that the browser is in fact requesting the proper URL (I sent the same URL to my external client, so it's not a trivial error on this end).

I believe the issue is that somehow, if either the browser or the apache2 server determines that a cookie will be sent to a client with the same name as the server, the cookie gets eaten as it is received. Not certain which service is eating the cookie, but clearly Firefox reports receiving the cookie after it is sent, so either Apache is eating it, or Firefox is.

Regardless of which is the culprit, it is clear to me that cookies cannot be used on a server/client that are the same host/IP, at least when they are Apache 2.2.22 and Firefox 40.0.3, even when using an FQDN.

So, in short, standalone applications for clients on their own server (conundrum) cannot use cookies from itself.

If someone has another reason why this is happening, and a viable workaround that does NOT involve circumventing security measures or otherwise compromising the security of the application, web content, network, or using a proxy, I am open to it. I say no proxies because this program is self-contained as a kiosk, except for admin access via a Wi-Fi AP that the host device creates (no routers). There are reasons for this that will not be discussed, just accept the fact that this setup will not change, and that all precautions are taken to ensure proper security for this particular setup.

Obviously, if cookies cannot be used on the same host that sends them in any way, I may have no other choice but to introduce another device as the client, which I will have to discuss with the project manager before it is done. No, a Virtual Machine is out of the question as the hardware specs are not high enough on the server to run a VM and a host, plus I don't think the architecture/platform combo is supported for being a VM host.

::EDIT::

I have figured out the culprit, and fixed the issue. Please excuse me for one moment whilst I slap myself for this even happening...

*SLAP*

Ok, so here is what ended up being the difference between the two browsers:

My Host machine (to the VM that the dev-server is running) browser is set to what I normally use, to remember history, accept cookies under normal circumstances, blah, blah, blah. However, due to my wanting the dev environment to emulate the production environment as closely as possible for real feedback, I set the browser to never remember history, and not accept cookies, except from the kiosk's domain. Apparently, despite the site being in the list of exceptions, and even if accept all cookies is enabled, having private browsing drops all cookies that appear in the headers, and does not report them as rejected for any reason. So, there was no way to see why the cookies weren't sticking around after the browser got them. There is a weird bit though, my external host Firefox Browser still gets cookies even in private browsing... weird that it can do it but the internal client cannot...

So, after changing the internal host's Firefox settings to normal browsing, but delete all browsing data on browser close, this issue is solved. This has the same end result, except data is being written to the disk in cases where we don't want data at all, but everything is deleted at the end of the day, which is no big deal.

So, I will say that Firefox 40.0.3 for Ubuntu x86_64 has a bug that when "always use private browsing mode" is used from the privacy tab in the settings, no cookies will make it past the header reception if they came from its own server face. You will have to use a workaround that deletes your browsing data on browser close, and be sure to close the browser regularly. Problem is now solved.
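
Added example, not part of the original post: a two-request probe that separates "the server never sent the cookie" from "the browser received the header but silently discarded it", which is the failure described above. It reuses the domain, lifetime and Secure/HttpOnly flags from the post's `setcookie()` call; the file name, the `probe` cookie name and the `nonce` query parameter are assumptions, and PHP 7 or later is assumed for `random_bytes()`.

```php
<?php
// cookie_probe.php (hypothetical name): added diagnostic, not the poster's code.
// Request 1 sets a probe cookie with the same attributes as the post's
// setcookie() call and redirects; request 2 reports whether it came back.
const PROBE_NAME = 'probe';            // assumed cookie name
const PROBE_TTL  = 180;                // same lifetime as $ck_limit in the post
const PROBE_HOST = 'kiosk.local.com';  // cookie domain used in the post

function classify_probe(array $cookies, $expected, $isHttps, $host) {
    if (!$isHttps) {
        return 'request is not HTTPS, so a Secure cookie is never returned';
    }
    if (strcasecmp($host, PROBE_HOST) !== 0) {
        return 'Host header does not match the cookie Domain attribute';
    }
    if (!isset($cookies[PROBE_NAME]) || !is_string($cookies[PROBE_NAME])) {
        return 'Set-Cookie was sent but nothing came back: the browser '
             . 'discarded it (check cookie settings and private browsing mode)';
    }
    return hash_equals($expected, $cookies[PROBE_NAME])
        ? 'cookie stored and returned: server and browser are both fine'
        : 'a stale probe cookie came back: clear cookies and retry';
}

$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
// Drop any ":port" suffix before comparing with the cookie domain.
$host = preg_replace('/:\d+$/', '', isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '');

if (isset($_GET['nonce']) && is_string($_GET['nonce'])) {
    // Second request: compare what the browser returned with what was set.
    $verdict = classify_probe($_COOKIE, $_GET['nonce'], $isHttps, $host);
    error_log('cookie probe: ' . $verdict);   // server-side record of the result
    header('Content-Type: text/plain');
    echo $verdict, "\n";
} else {
    // First request: set the probe cookie, then bounce to the check step.
    $nonce = bin2hex(random_bytes(8));
    if (!setcookie(PROBE_NAME, $nonce, time() + PROBE_TTL, '/', PROBE_HOST, true, true)) {
        exit("setcookie() failed: output was already sent\n");
    }
    header('Location: ' . $_SERVER['SCRIPT_NAME'] . '?nonce=' . $nonce, true, 302);
}
```

Because the verdict is also written with `error_log()`, a kiosk browser that drops the cookie leaves a record on the server even though the browser itself reports no rejection.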

Notice: Technical posts on this site are licensed under CC BY-SA 4.0. If you repost, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.