Where is my session?

qwaddo

I think the things happening in my script are very strange. I've been searching the whole internet twice and couldn't find an answer yet. Maybe someone can help me.

So I got:

logon.php - things are still ok
This file basically just creates a form for a user to logon. This form posts a userid and password to access.php.

access.php - things are still ok
This file retrieves the userid and password. It checks the database for user existence and does a password check. If access is granted I create a session and forward the user to home.php. So this file looks something like:

session_start();

header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");

.. some access checks ..

if ($access) {
  $_SESSION["userid"] = $userid;
  header("Location: home.php");
}

home.php - things are still ok
This file checks the session for userid, retrieves the user rights from the database and gives a welcome msg. And I create a menu to click to some interesting things. The check for a session happens like this:

session_start();

header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");

$userid = $_SESSION["userid"];

if($userid=="") {
  header("Location: logon.php");
}

interesting.php - things are still ok
This file uses the exact same check for a session and does the same basic things as home.php. The only thing that changes is that instead of the welcome message a form is given to the user to select the exact interesting the user wants to see, so a form like this:

<form method=post action=interesting.php>
<input type=hidden name=iwantmyscriptto value=showsomething>
<select name=interestingid>
<option value=1>Thing 1</option>
</select>
<input type=submit>
</form>

interesting.php - things go completely wrong !!!
Again the exact same check (it's the same file) for a session is performed but now evaluates false and so the user is forwarded to the logon.php and doesn't get the interesting thingie.

So it looks like the session gets lost while posting the form. Does anyone have an idea what is happening here??

Oh, btw .. already a thanks to everybody thinking about the problem.

paulnaj

Hi qwaddo,

Nasty one.

I'm sort of surprised that the header('Location: ...') works at all since you have already sent headers prior to this 😕
To be honest, I'm not sure what the earlier calls to header() actually do, so this might not be an issue at all but you could try taking them out just to see.

Also, someone else just recently had a problem setting a session variable and then using header('Location: ...') to re-direct.

BTW, you don't necessarily need to do all those re-directs. Of course you might have a reason for them that I don't know about but there is another way to go and if you know all this stuff anyway, then well, it might help someone else anyway!! 😉

session_start();
// This is the main test to see if user is logged in
if(!isset($_SESSION['userid'])){
	// If user/password details have not both been sent
	if(!isset($_POST['user']) || !isset($_POST['password'])){
		// We're gonna have to login
		$_REQUEST['page'] == 'login';
	} else {
		// Both have been sent so test
		if(/* successful login*/){
			$_SESSION['userid'] = 'whatever';
		} else {
			// We're gonna have to login again
			$_REQUEST['page'] == 'login';
		}
	}
}

if($_REQUEST['page'] == 'login' ){
	/* 	display the login page 	*/
} else if($_REQUEST['page'] == 'interesting' ){
	/* display the interesting page */
} else if($_REQUEST['page'] == 'dull' ){
	/* display the dull page */
} else {
	/* display the home page */
}

I'm seen variations on this theme but you get the idea.

Paul

qwaddo

Hi Paul,

Thanks for your reply. I might indeed need to try a different setup of actions. I didn't try it yet since everything works fine until I get to the select form. First I had the feeling that there is some interference with cached pages, which shouldn't happen because I added all possible refresh pushes (the header lines at the beginning of the file). So I tried to put the real interesting things in a different file interestingB.php to which the action of the form was set. This should then at least solve any cached error. But I still had the same problem. So in a different setup the session might still get lost when I go past the select form. But I'm trying ..

For your information:
The

header(Location: ..)

does work because I didn't send out any headers yet. The first five header lines just empty the header to make sure that my forward works. I only need to make sure that I don't echo anything in between. But I made sure I will never do that. At the end of the php file I've always a line like

echo $mysite

THANKS for your help

qwaddo

Just to let interested people know and learn from it:

I found the problem. It was indeed a real nasty one. The thing had to do with the difference between domain and subdomain. If you enter a site within the main domain (e.g. http://mydomain.com) a session is created with a reference to that domain. But this would restrict the user's session to the domain and not allow subdomains like http://www.mydomain.com. The other way around is no problem. So if the user creates a session in http://www.mydomain.com it is also accepted in http://mydomain.com. Anyway there was a difference in the wrong way in my scripts. After I found out this problem was quickly solved for me since I defined a $httproot in one file only and could change it easily.

Thanks for any thoughts.

paulnaj

Hi qwaddo,

That's interesting ...

Just to make sure I understand you correctly, are you saying that if the the user types [http://mydomain.com] into the address bar, a different session is set up to the one when the user types in [http://www.mydomain.com]?

Gulp.

Paul.

yelvington

Session keys are passed through cookies, and have to obey all of the rules that govern cookies.

One of those rules has to do with domains.

If you read the PHP documentation carefully you'll see there is a value for session.cookie_domain. By default, it is empty.

This means that by default, the session cookie is sent without any domain data. And the browser will apply the rules appropriate for the domain where it encountered the cookie.

If you want a cookie to be available across the entire second-level domain, you have to overtly set the value in session.cookie_domain, as explained in the PHP docs. This will cause PHP to include a literal domain string in the HTTP header that sets the session cookie.

For more on cookie propagation rules, read the RFC:
http://www.faqs.org/rfcs/rfc2965.html

And by the way, there is nothing wrong with stacking multiple calls to header() in a PHP file. The data is pushed into the header buffer and nothing is actually sent until the file outputs something other than a header string, or ends.

drawmack

Originally posted by yelvington
And by the way, there is nothing wrong with stacking multiple calls to header() in a PHP file. The data is pushed into the header buffer and nothing is actually sent until the file outputs something other than a header string, or ends.

Well duh, however I have had a problem where I set a cookie and did a header redirect. On certain browsers the cookie was not set becuase it responded to the redirect before it responded to the cookie.