views: 42
answers: 2
I have secured pages that all check for a set session variable to determine logged-in users, pretty standard stuff. Where I run into problems is when I submit form information to a backend page that will process that data and then redirect to a success/failure confirmation page. In that time the session gets lost, at least the session with the variable. The session is still around, because I can manually navigate to a secured page afterwards and it works. Just auto redirects from a backend page to a secured page, or a link on one of the unsecured pages after a redirect from the backend, will fail. It may or may not be related, but after visiting multiple secured pages or doing one of the operations that use the problematic backend pages, there are two session cookies on my computer from the domain: one registered to domain.com and the other to www.domain.com. At the end of my wits about this, thanks.

+2  A: 

I see two problems here, but they're related.

The first is that you seem to be bouncing between secured (https://) and un-secured (http://) pages. Cookies aren't supposed to be shared between those, so that's why your session appears to break (PHP sets a cookie with the session ID).

The other is closely related and that is sharing between domain.com and www.domain.com. Cookies can share in one direction, but not the other. Don't worry about which: just pick one hostname and stick with it. Then check that you're setting the session's cookie domain to the correct one.

staticsan
I should note that I misspoke when I said secured; I did not mean to imply HTTPS secured, just that the pages are checking the user's session status on load. The issue with the two sessions is that it is unclear why there are two in the first place. The calls are all the same session_start() calls, but still there end up being two different cookies.
drewster
Perhaps one of your intermediate pages isn't actually doing the `session_start()`. Or is trying to do it after output has been emitted.
staticsan
Taking one five-page cycle as an example, all pages start a session. This would be login page -> main secured page -> backside action page -> success page -> back to main page, and two different sessions as mentioned get created. The domain.com without www seems to pop up around step 3, on the PHP page that the user will never see, which just processes the data. I tested this by securing step 4 with the same test for the user variables as used on the rest of the site.
drewster
Then one of your posts or redirects is going to `domain.com` instead of to `www.domain.com`.
staticsan
Would relative path names resolve as www.domain.com or domain.com?
drewster
Relative paths shouldn't change the domain.
staticsan
Beautiful suggestion about the redirects, I was not aware that my redirects were going to http://domain.com and that seems to have fixed the problem across the entire site. This problem has been haunting me for weeks during the development of this app. Also the relative paths do not seem to cause any problems with the sessions, only when I explicitly change from www.domain.com to domain.com or the other way around. Thank you!
drewster
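As an added illustration of the advice in this answer and its comment thread (this is example code, not the answerer's or the asker's), the snippet below pins every page to one hostname, scopes the session cookie to it explicitly, and routes every redirect through a helper that builds absolute URLs on that host, so no backend page can quietly land the browser on the other hostname. `CANONICAL_HOST`, the page paths and the `user_id` session key are assumed placeholders, and the site is assumed to be served over HTTPS.

```php
<?php
// Added example, not code from the question or the answers above.
// CANONICAL_HOST and the page paths are assumed placeholders; the site is
// assumed to be served over HTTPS on the standard port.
declare(strict_types=1);

const CANONICAL_HOST = 'www.example.com';

/** Absolute URL for a site-relative path, always on the canonical host. */
function canonical_url(string $path): string
{
    return 'https://' . CANONICAL_HOST . '/' . ltrim($path, '/');
}

/**
 * If the request arrived on any other hostname (example.com, an alias, ...),
 * bounce it to the same path on the canonical host before any session
 * cookie can be created under the wrong name.
 */
function enforce_canonical_host(): void
{
    // HTTP_HOST may carry a ":port" suffix; compare the name only.
    $host = explode(':', $_SERVER['HTTP_HOST'] ?? '', 2)[0];
    if (strcasecmp($host, CANONICAL_HOST) !== 0) {
        header('Location: ' . canonical_url($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
        exit;
    }
}

/**
 * Start (or resume) the session with an explicitly scoped cookie instead of
 * letting PHP derive the cookie's host from whatever HTTP_HOST was.
 * A cookie set for "www.example.com" is sent only to that host (and hosts
 * beneath it), while one set for "example.com" is also sent to
 * www.example.com: that is the one-way sharing the answer mentions, and why
 * mixing the two hostnames leaves the browser holding two PHPSESSID cookies.
 */
function start_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,            // browser-session cookie
        'path'     => '/',
        'domain'   => CANONICAL_HOST,
        'secure'   => true,         // only sent over HTTPS
        'httponly' => true,         // not exposed to document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Redirect helper used by every page: no hand-written http://example.com/... */
function redirect_to(string $path): void
{
    header('Location: ' . canonical_url($path), true, 303);
    exit;
}

// Skeleton of the backend "action" page (step 3 in the comment thread):
enforce_canonical_host();
start_session();
if (empty($_SESSION['user_id'])) {
    redirect_to('login.php');
}
// ... validate and process $_POST here ...
redirect_to('success.php');
```

The redirect status codes are deliberate: 301 for the host canonicalisation so browsers cache it, and 303 after processing a POST so the confirmation page is fetched with GET and a refresh cannot resubmit the form.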
A: 

You must call session_start() from your PHP page before you output anything, preferably at the start of the page.

If the session has already been created, it will be resumed for that page.

http://php.net/manual/en/function.session-start.php

Abhijeet Pathak
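As an added illustration of the ordering this answer requires (example code, not the answerer's), the bootstrap file below is meant to be the first thing every page includes, before any HTML. It refuses to continue when output has already begun, because at that point PHP can no longer send the Set-Cookie header and `session_start()` would run without the browser ever receiving the session ID. The file layout and the `visits` counter are assumptions.

```php
<?php
// Added example, not code from the answer above. This file is included
// before any HTML on every page; the visit counter is a made-up payload.
declare(strict_types=1);

/**
 * Start or resume the session, but fail loudly if output has already been
 * sent. Typical culprits for early output: a blank line after a closing "?>"
 * in an included file, a UTF-8 BOM at the top of a file, or an echo/print
 * that runs before this include.
 */
function require_session(): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true; // already started by an earlier include; do not start twice
    }
    $file = '';
    $line = 0;
    if (headers_sent($file, $line)) {
        // Record exactly where the body started so the offending file can be fixed.
        error_log(sprintf('session_start() called after output began at %s:%d', $file, $line));
        return false;
    }
    return session_start();
}

// Correct page layout: session first, HTML afterwards.
if (!require_session()) {
    http_response_code(500);
    exit('Session could not be started; see the error log.');
}
// Survives the POST -> redirect -> confirmation cycle only if every page in
// that cycle reaches this point before emitting anything.
$_SESSION['visits'] = ((int) ($_SESSION['visits'] ?? 0)) + 1;
?>
<!DOCTYPE html>
<html>
<body>
<p>Pages seen in this session: <?= (int) $_SESSION['visits'] ?></p>
</body>
</html>
```

If the counter resets to 1 after a redirect, the error log will name the file and line where output started on the page that broke the chain.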