[RESOLVED] $_Session vars not saved on header() redirect

  1. #1
    Member
    Join Date
    Jun 2012
    Posts
    70

    resolved [RESOLVED] $_Session vars not saved on header() redirect

    Hi all,

    I'm converting a log in process from $_COOKIES to $_SESSION.

    There is a signin.html page that has input for user id and password and action to a dosignin.html page. Both are on https.

    The dosignin.html page has this code, after successful authentication:

    PHP Code:
    session_start(); //<-- very first thing on page

    // ... other code to verify user

    //checking if there is a user id already present
    if (!isset($_SESSION['UserID'])) {
        $_SESSION['UserID'] = $userid;
    } else {
        unset($_SESSION['UserID']);
        $_SESSION['UserID'] = $userid;
    }

    // ...

    session_write_close();
    header("Location: http://somesite.com/somepage.html?" . SID);
    //echo "<META http-equiv=\"refresh\" content=\"0;URL=http://somesite.com/somepage.html\">";
    exit;
    However, with session_start at the top of somepage.html, when I try to echo out $_SESSION['UserID'], it's empty. Apparently not being set.

    How do I:

    1) Set the $_SESSION vars that I want
    and
    2) Have those $_SESSION vars available on the page that is "redirected" to?

    If I use the META refresh instead, same thing, the $_SESSION['UserID'] is empty.

    How to transfer/access those session vars I set on subsequent pages after the header() redirect?

    Thanks.

  2. #2
    Pna lbh ernq guvf¿
    Join Date
    Jul 2004
    Location
    Kansas City area
    Posts
    19,429
    Are you sending the users to a different domain? For example, your header() call above references http://somesite.com - are you sure the users aren't visiting the page via http://www.somesite.com instead?

  3. #3
    Member
    Join Date
    Jun 2012
    Posts
    70

    Question

    Thanks for the reply. The users are not being sent to a different domain and are accessing the page as described.

    Due to the security issues surrounding putting the SID in the URL, I've removed that and put these lines in my php.ini file:
    session.use_cookies = 1
    session.use_only_cookies = 1
    session.use_trans_sid = 0
    The dosignin.html page now is this:
    PHP Code:
    session_start(); //first line

    //code to verify user, if verified...

    if (!isset($_SESSION['UserID'])) {
        $_SESSION['UserID'] = $userid;
    } else {
        unset($_SESSION['UserID']);
        $_SESSION['UserID'] = $userid;
    }

    session_write_close();
    header("Location: http://somesite.com/somepage.html"); //without SID
    //echo "<META http-equiv=\"refresh\" content=\"0;URL=http://somesite.com/somepage.html\">";
    exit;
    When I echo out $_SESSION['UserID'] on the redirected to somepage.html...it's still not there. Note: session_start(); is also on the first line of somepage.html

    When I put this as the first lines in somepage.html:
    PHP Code:
    session_start();
    foreach ($_SESSION as $key => $val) {
        echo "key: ".$key." val: ".$val;
    }
    exit;
    I get nothing. Not even the literal "key" and "val."

    If I try this in somepage.html:
    PHP Code:
    session_start();
    print_r($_SESSION);
    exit; 
    I get this:
    Array ( )
    When I try this in somepage.html:
    PHP Code:
    session_start();
    var_dump($_SESSION);
    exit; 
    I get this:
    array(0) { }
    Any other ideas?

  4. #4
    Pna lbh ernq guvf¿
    Join Date
    Jul 2004
    Location
    Kansas City area
    Posts
    19,429
    For a little simplification, note that this:
    PHP Code:
    if (!isset($_SESSION['UserID'])) {
        $_SESSION['UserID'] = $userid;
    } else {
        unset($_SESSION['UserID']);
        $_SESSION['UserID'] = $userid;
    }

    could be written as:
    PHP Code:
    $_SESSION['UserID'] = $userid;
    Have you looked at a phpinfo() page to verify that your changes to your php.ini config file are having any effect?

    Next thing to check would be whether or not the SID changes from one page load to the next. Try echo'ing out the constant SID on the page after the redirection. For comparison, you might want to change your header() redirect to a <meta> based one again so that you can echo it out on the page that processes the login details as well.

  5. #5
    High Energy Magic Dept. NogDog's Avatar
    Join Date
    Aug 2006
    Location
    Ankh-Morpork
    Posts
    13,943
    In reference to the earlier reply about domains, and specifically sub-domains ("example.com" vs. "www.example.com"), you might want to add this configuration option:
    Code:
    session.cookie_domain = ".example.com"
    Note the leading dot, so that the cookie will be sent regardless of whether the page is accessed via "http://example.com" or "http://www.example.com".
    Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be." ~ from Nation, by Terry Pratchett

    "But the main reason that any programmer learning any new language thinks the new language is SO much better than the old one is because he’s a better programmer now!" ~ http://www.oreillynet.com/ruby/blog/...ck_to_p_1.html


    eBookworm.us

  6. #6
    Member
    Join Date
    Jun 2012
    Posts
    70
    Thanks for the replies guys.

    When I echo "UserID Cookie: ".$_COOKIE['UserID']; (on the resulting http://somesite.com/somepage.html page) there is nothing there aside from the literal string.

    I tried this too:
    PHP Code:
    session_start();
    var_dump($_COOKIE); 
    And this is the output:
    array(1) { ["PHPSESSID"]=> string(32) "[32 var chars]" }
    Additionally,

    phpinfo() on the resulting somepage.html page:
    session
    Session Support enabled
    [snip]

    Directive Local Value Master Value
    [snip]
    session.use_cookies On On
    session.use_only_cookies Off Off
    session.use_trans_sid 0 0
    I can't find anywhere in the phpinfo where my $_SESSION['UserID'] = $userid; is. There is nothing there with "UserID" nor is there anything there that would be equal to what $userid is coming out of the authentication on the prior dosignin.html page.

  7. #7
    High Energy Magic Dept. NogDog's Avatar
    Join Date
    Aug 2006
    Location
    Ankh-Morpork
    Posts
    13,943
    The session data is not stored in a cookie, only the session ID gets a cookie. That session ID then lets PHP know where to look on the web server's file system to find the relevant session data for that user, which will then be in the $_SESSION array (once session_start() is successfully executed). So try...
    PHP Code:
    session_start();
    var_dump($_SESSION); 

  8. #8
    Member
    Join Date
    Jun 2012
    Posts
    70
    okay, got it now with regards to understanding the relationship between the php session Id and its connection with data on the server.

    regarding
    PHP Code:
    session_start();
    var_dump($_SESSION); 
    I get:
    array(0) { }
    (see post #3).

    from phpinfo() I see:
    session.save_path /tmp /tmp

    There are no files in the /tmp directory. Only directories that deal with web site traffic analysis.

  9. #9
    Settled 4 red convertible dalecosp's Avatar
    Join Date
    Jul 2002
    Location
    Accelerating Windows at 9.81 m/s....
    Posts
    7,715
    So, is "/tmp" writable by the web server running PHP?

    Where is "/tmp", anyway ... is the "/tmp" you're looking at the same "/tmp" that PHP is using?

    (It should be).

    I also don't see where anyone's bothered to test whether session_start() actually returns true. It could fail, I suppose?

    PHP Code:
    <?php

    // session_start() returns false if the session could not be started
    $foo = session_start();

    if (!$foo) die("Can't start a session!");
    /!!\ mysql_ is deprecated --- don't use it! Tell your hosting company you will switch if they don't upgrade! /!!!\ ereg() is deprecated --- don't use it!

    dalecosp "God doesn't play dice." --- Einstein "Perl is hardly a paragon of beautiful syntax." --- Weedpacket

    Getting Help at All --- Collected Solutions to Common Problems --- Debugging 101 --- Unanswered Posts --- OMBE: Office Machines, Business Equipment
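
The checks raised in posts #4, #5 and #9 (does `session_start()` succeed, is the save path usable, does the ID stay the same across the redirect) can be collected into one diagnostic page. This is an added example, not code posted in the thread; `session_diagnostics()` is a hypothetical helper, and it assumes PHP 7+ with the default `files` save handler.

```php
<?php
// Added diagnostic, not code from the thread. Assumes PHP 7+ and the "files" handler.
function session_diagnostics(): array
{
    $path = session_save_path();
    if ($path === '') {
        $path = sys_get_temp_dir();      // empty save_path falls back to the temp dir
    }
    // save_path may be "N;/path" or "N;MODE;/path"; the directory is the last field.
    $parts = explode(';', $path);
    $dir   = end($parts);

    $started = session_start();          // false when the session cannot be started
    $cookie  = session_get_cookie_params();
    $https   = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    return [
        'session_start_ok'  => $started,
        // Fingerprint instead of the raw ID: enough to compare two pages.
        'session_id_sha256' => substr(hash('sha256', session_id()), 0, 12),
        'browser_sent_id'   => isset($_COOKIE[session_name()]),
        'save_handler'      => ini_get('session.save_handler'),
        'save_dir'          => $dir,
        'save_dir_exists'   => is_dir($dir),
        'save_dir_writable' => is_writable($dir),
        'request_is_https'  => $https,
        'cookie_secure'     => $cookie['secure'],
        'cookie_domain'     => $cookie['domain'],
        'cookie_path'       => $cookie['path'],
        'use_only_cookies'  => ini_get('session.use_only_cookies'),
        'use_trans_sid'     => ini_get('session.use_trans_sid'),
    ];
}

header('Content-Type: text/plain');
foreach (session_diagnostics() as $name => $value) {
    echo $name, ': ', var_export($value, true), "\n";
}
```

Load it once from the sign-in host and once from the redirect target: a different fingerprint or `browser_sent_id: false` on the second request means the browser did not return the session cookie, while `save_dir_writable: false` points at the save path.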

  10. #10
    Member
    Join Date
    Jun 2012
    Posts
    70
    Quote Originally Posted by we5inelgr
    from phpinfo()
    session.save_path /tmp /tmp

    There are no files in the /tmp directory. Only directories that deal with web site traffic analysis.
    okay, I think there is some progress here.

    Turns out, the /tmp directory was a directory I didn't have access to (on a shared server).

    So I added a session.save_path in my copy of php.ini to a place I did have access to.

    Now, when I try this log in process, I'm still not seeing the session vars that I'm setting, but I do now see files being written to my new session.save_path location.

    For my one test so far, I see two files created:

    1. sess_[followed by 32 varchars] has data
    2. sess_[followed by a different 32 varchars] is empty

    In the first file, I can see all of my session vars that I created.

    In my example, I can see in this format.

    UserID|s:[the length of the user id]:"[the user id]";

    So from this, it looks like the session vars I'm setting in the dosignin.html page are in fact being set on the server.

    If I do a:
    PHP Code:
    session_start();
    var_dump($_SESSION); 
    I'm still getting:
    array(0) { }
    I wonder why I can't get access to them?

  11. #11
    High Energy Magic Dept. NogDog's Avatar
    Join Date
    Aug 2006
    Location
    Ankh-Morpork
    Posts
    13,943
    It might be useful for now to stick the following at the very beginning of each page being accessed:
    PHP Code:
    <?php
    error_reporting(E_ALL);
    ini_set('display_errors', true);
    Then we can see if you're getting any of the dreaded "headers already sent" errors or such.

  12. #12
    Settled 4 red convertible dalecosp's Avatar
    Join Date
    Jul 2002
    Location
    Accelerating Windows at 9.81 m/s....
    Posts
    7,715
    Quote Originally Posted by we5inelgr View Post
    Turns out, the /tmp directory was a directory I didn't have access to (on a shared server).
    Zing!

    Stupid configuration though. "/tmp", at least traditionally, is the system's scratchbox directory for all users' junk, and on some systems is cleared automagically at each reboot. I suppose your hosting company thinks that makes things more secure (and well it might), but I still don't like it.

    </rant>

  13. #13
    Member
    Join Date
    Jun 2012
    Posts
    70
    Quote Originally Posted by NogDog View Post
    It might be useful for now to stick the following at the very beginning of each page being accessed:
    PHP Code:
    <?php
    error_reporting(E_ALL);
    ini_set('display_errors', true);
    Then we can see if you're getting any of the dreaded "headers already sent" errors or such.
    Thanks for the suggestion.

    Adding those two lines to the pages displays no information/errors.

  14. #14
    Pedantic Curmudgeon Weedpacket's Avatar
    Join Date
    Aug 2002
    Location
    General Systems Vehicle "Thrilled To Be Here"
    Posts
    21,885
    I notice that your sign-in uses https://, but the page you're directing to uses http://. That would make for different sessions. Is there a requirement that you drop the encrypted protocol after the sign-in process, or can you use https:// throughout?
    THERE IS AS YET INSUFFICIENT DATA FOR A MEANINGFUL ANSWER
    FAQs! FAQs! FAQs! Most forums have them!
    Search - Debugging 101 - Collected Solutions - General Guidelines - Getting help at all
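
If the session cookie carries the Secure flag, the browser will not send it to an http:// page, so the redirect target starts a fresh, empty session. The sketch below is an added example, not the original poster's code: a sign-in completion step that keeps cookie-only session IDs (post #3) and stays on https. It assumes PHP 7.3+; `finish_sign_in()` is a hypothetical name and the URL is the thread's placeholder host with the scheme changed to https.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7.3+.
// finish_sign_in() is a hypothetical helper called after the user is verified.
function finish_sign_in(string $userid): void
{
    // Cookie-only session IDs, set per request in case the host's
    // php.ini change is not picked up (see the phpinfo() output in post #6).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => true,    // cookie is sent over https only
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);

    if (!session_start()) {
        http_response_code(500);
        exit('Could not start a session');
    }

    // Issue a new ID for the authenticated session and delete the old one.
    session_regenerate_id(true);
    $_SESSION['UserID'] = $userid;
    session_write_close();

    // Same scheme and host as the sign-in page, so the cookie is returned.
    header('Location: https://somesite.com/somepage.html', true, 303);
    exit;
}
```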

  15. #15
    Member
    Join Date
    Jun 2012
    Posts
    70
    Perhaps it's a permissions issue with the /tmp directory that I now have access to?

    It was originally 700. I changed it to 744, thinking perhaps Group or World needed to have "read" capability on that folder. Still doesn't work. Can't get any of my session vars data from doing any of these:
    PHP Code:
    session_start();
    echo "userid:".$_SESSION['UserID']."<br>";
    print_r($_SESSION);
    var_dump($_SESSION);
    exit;
    Need some other permissions perhaps?
