I am at a total loss for words.

I allow an admin to reset their registration if reaching an error during the process. In theory, the following code should function like this:

The page is reached, $adminvalidated is set based on session data. The $_SESSION array is cleared; the cookie is cleared on the consumer end; the session id is regenerated and the session is destroyed. Then the session is restarted and the previously mentioned variable is put back into Session.

The "echo" statements included below work, but when I redirect to another page (commented out below), the session variables DO NOT carry over.

Yes, I have started the session on the follow-up page as well.

```php
<?php
    session_start();
    ob_start();
    if( $_SERVER['SERVER_PORT'] == 80) {
        header('Location:https://'.$_SERVER['HTTP_HOST'].$_SERVER["REQUEST_URI"]);
        die();
    } 

    $adminvalidated = $_SESSION['ADMINVALIDATED'];

    $_SESSION = array();

    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }

    session_regenerate_id(true);
    session_destroy();
    session_start();

    $_SESSION['ADMINVALIDATED'] = $adminvalidated;

    echo $_SESSION['ADMINVALIDATED'];

/*
    header("Location: ../a.php");
    exit;*/
?>
```
+1  A: 

From the manual page of session_start:

As of PHP 4.3.3, calling session_start() after the session was previously started will result in an error of level E_NOTICE. Also, the second session start will simply be ignored.

Just clear your session with session_unset, regenerate the session id and then reset your admin var. No need to destroy then restart the session.

rojoca
@rojoca - this does not cause an error. Please use the code above; it works. The echo does show the data I request; however page to page does not.
JM4
Try adding this: `error_reporting(-1);` to the top of your php file, then see if you can see the notice. You don't need to destroy the session, just clear all current variables and then set whatever new variables you need.
rojoca
@rojoca - thanks for the suggestion - I initially designed that way but heard it was not as 'fool-proof' as session_destroy
JM4
A: 

I'm really not sure why you're going through all of these steps. session_regenerate_id() is enough on its own to regenerate the session token and the associated cookie. The function creates a new session token and creates a new session cookie for you while preserving the values you have in the current session. Since setting a new cookie with the same name overwrites an old one, isn't simply calling session_regenerate_id() enough?

Feel free to clarify things if I've missed something.

Jeremy
@Jeremy - I did not want several of the session variables present in previous session. Your answer would not work for the intended goal
JM4
+1  A: 

In general it suffices to call session_regenerate_id(true) to change the session ID of the current session and invalidate the association with the previous session ID.

If you additionally want to clear any session data except $_SESSION['ADMINVALIDATED'], just do this:

```php
session_regenerate_id(true);
$_SESSION = array(
    'ADMINVALIDATED' => $_SESSION['ADMINVALIDATED']
);
```
Gumbo
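
The approach the answers converge on (regenerate the ID, keep only the values you want, skip the destroy/restart and manual cookie expiry), written out as an added example that is not code from any poster in this thread. `reset_session_keeping()` is a hypothetical helper name; `ADMINVALIDATED` and `../a.php` are taken from the question.

```php
<?php
// Added example, not from the thread. reset_session_keeping() is a
// hypothetical helper; 'ADMINVALIDATED' and '../a.php' come from the question.

/**
 * Drop everything from the session except the allow-listed keys and
 * move the surviving values to a fresh session ID.
 */
function reset_session_keeping(array $keep): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // The new ID travels in a Set-Cookie header, so nothing may have
    // been sent to the browser yet.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line");
    }

    // Copy the values to preserve before anything is wiped.
    $preserved = array_intersect_key($_SESSION, array_flip($keep));

    // true = delete the old session's storage, so the old ID no longer
    // maps to any data.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('Could not regenerate the session ID');
    }

    // Replace the contents in place: no session_destroy(), no second
    // session_start(), no hand-written cookie expiry.
    $_SESSION = $preserved;
}

reset_session_keeping(['ADMINVALIDATED']);

// Write the session data to storage before the browser follows the redirect.
session_write_close();
header('Location: ../a.php');
exit;
```

Only one session cookie is issued per response this way, and the allow-list makes it explicit which values survive the reset.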