We are experiencing some bizarre session behavior in PHP. First,
the details of the server:
- Red Hat 9
- Apache 2.0.40-21.11 (installed from RPM) serving up content via HTTPS
- PHP 4.2.2-17.2 (installed from RPM)
- MySQL 3.23.58-1.9 (installed from RPM)
- standard session settings for PHP; nothing changed
Now, the problem we are experiencing is this. A user logs into our
system, logs out, and then manually types in an address for a page
that should require you to log in. Instead of bouncing them back
to the login page, they see the page but with someone else's session
information.
Very puzzling, as the code for determining if a person is logged
in has not been changed. We have added a new page to land on
after logging in, though. Here is the flow of things:
- login at /login.php; use session_start() at top of login.php to
initialize the session
- on successful login, store some information in the session and
redirect to /partner/welcome.php
- on /partner/welcome.php, include this standard session library
code:
<?php
require $directoryLevel . 'class/User.php';
session_start();

// Set the referer session variable. If the user bounced to the login page,
// a successful login bounces them back to this value.
if (isset($_GET["url"])) {
    $url = $_GET["url"];
} else {
    $url = $_SERVER["REQUEST_URI"];
}

// Redirect to the login page if not properly logged into the system.
if ((!isset($_SESSION["sid"])) || (!isset($_SESSION["userName"]))) {
    $_SESSION["loginError"] = "<p>Your session has expired. Please login.</p>";
    header("Location: " . $directoryLevel . "login.php?url=" . urlencode($url));
    exit();
}

// Perform a quick check to ensure the user ID matches the username.
// Redirect to the login page on a mismatch.
$user = new User($_SESSION["userName"]);
$user->setID($_SESSION["sid"]);
if (!$user->validate()) {
    $_SESSION["loginError"] = "<p>Your session has expired. Please login.</p>";
    header("Location: " . $directoryLevel . "login.php?url=" . urlencode($url));
    exit();
}
?>
and then continue on displaying the page.
- If they click the logout link, logout.php calls session_start(),
unsets/unregisters all possible session variables that may
have been set, and then destroys all possible cookies we may have
set.
So, after logout, when the user types in /partner/welcome.php I would
expect the page to redirect to the login screen as it has done for
every other post-login landing page that includes the same code.
What is even more puzzling is that if I look at the value of the
PHPSESSID cookie, it is set to "x". However, looking at the
session file sess_x on the server shows different details than
what was displayed on the page.
The live server is down because of this; the only other change made to
the system was to add a new item to the include_path in php.ini,
but there have been no major system changes other than having
a new landing page.
Any help would be greatly appreciated.
Thanks.
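An added example (not the poster's code) of the login, logout and page-guard steps described in the post, written for modern PHP rather than 4.2.2: the session id is regenerated at login so a pre-authentication id never carries authenticated data, and logout clears the server-side data, expires the cookie with the parameters it was set with, and destroys the session so a stale PHPSESSID cannot reattach to old data. The User class with setID()/validate() is taken from the post; the helper names are hypothetical.

```php
<?php
// Added example, not the poster's code. Requires PHP >= 5.2 for
// session_regenerate_id(true) and the 'httponly' cookie parameter.
// Assumes the User class from the post (setID(), validate()) is loaded.

// Call only after the password has been verified.
function safe_login($userName, $sid)
{
    session_start();
    // Replace the id issued before authentication and delete its old file,
    // so an id obtained before login (or supplied by a third party) never
    // becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION = array();
    $_SESSION['sid'] = $sid;
    $_SESSION['userName'] = $userName;
}

function safe_logout()
{
    session_start();
    // 1. Drop every server-side variable for this id.
    $_SESSION = array();
    // 2. Expire the session cookie with the same path/domain/flags it was set
    //    with; a setcookie() with different parameters leaves the old one in
    //    place and the browser keeps sending the old PHPSESSID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    // 3. Remove the sess_<id> data so a later request carrying the old id
    //    starts from an empty session instead of someone else's data.
    session_destroy();
}

// Guard for protected pages such as /partner/welcome.php. Returns true only
// when the session holds a user that validates; callers redirect on false.
function require_login()
{
    session_start();
    if (!isset($_SESSION['sid']) || !isset($_SESSION['userName'])) {
        return false;
    }
    $user = new User($_SESSION['userName']);
    $user->setID($_SESSION['sid']);
    return (bool) $user->validate();
}
```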