[RESOLVED] 2 many sessions

peachP

Hi,
I have a problem with sessions that has me stumped. In short i have a page we'll call firstPage and a secondPage - the problem is:

first page uses 'session_start()' func to instigate a new session a few lines of code later there is a check to see if a session variable called, 'loginOK', issset - if not the header() function is used to redirect to a login page - the login page (secondPage) too starts with session_start() and a form on the page gets a users login detail, checks against DB blah blah. If login successful set a session variable to 'loginGood' redirect back to firstPage.

OK - all that is wotking fine, here it comes ...but: PHP keeps on starting two sessions. I thought the purpose of session_start() was a check to see if a session was already started - if so, use that session - if not, start a new session.

I've ensured that header() appears before any other read statements and session_start() is at the very top of each page (before header(). I have some identical session examples from a book that i use and tested on my installation and they work just fine, i.e. only one session variable is present in the temp folder.

So why is my login page (secondPage) starting a new session when my fistPage has already begun one. More importantly when i create other pages which need to join the session are they too going to create a seperate session?? Im using sessions without cookies using PHPSESSID - passed by URL.

any help appreciated - thanx in advanz

bePuzzled of someplace ...

halojoy

how do you know there is two session started?

Why dont you give us some Error or warning message, if there is such.

I dont know if this could be the cause of this trouble,
but there is a php.ini setting, that is TURNED OFF by default (and in most webservers)
that auto-starts session

run phpinfo() at your site
and look for
session
---> session.auto_start Off

<?php

phpinfo();

?>

peachP

Hi, sorry for dlay
I know there are two sessions started because when i check my win/temp folder i can see them -- i empty it before running my web app and keep the folder open and watch them appear at every stage. What happens is:

after page one does its session_start() thing it creates a session (it appears in the temp folder)
after redirection and loginOK on secong page another session appears in the temp folder completely different to session one hex number string.
when i look inside the sessions (sess_######) in the temp folder (right click/open-with/notepad) session one is empty, second session has the correct key/value pair i.e. loginOK=1 (true).

I have auto session start off in my php.ini file i always leave this off.

Could the problem be that the login page is reloaded using php $self to gather users form info and instigate dB query - i cant see that this is a problem though because the issue seems to be the login page does not recognise that a current session has begun if three sessions were appearing then reloadin the page would be the cause.

Also, no error messages are appearing. I'm just wondering whether this is the normal behaviour with sessions it could be a potential area for bugs and hackers especially if using SID urls.

thorpe

On each of these pages, what does...

echo session_id();

produce?

peachP

ok hi,
On each page each produces a different session id thus:

sess_f9994ab6dfc6b9d2ae628541e139f1a2
sess_eb582658cccfa28e307bd42acb2f9102

Since last posting i've discovered that this is only a problem in Netscape where i have cookies disabled to ensure that PHPSESSID is working and nothings being passed using cookies. In IE only one cookie is created between both pages. I imagine this whole issue is not really a problem since the session key/val pair created by page one is empty anyway.

thorpe

There is your problem, If your not passing the session id via the url, then sessions will not work without cookies.

peachP

Data persistence can be achieved using one of three methods:
1. cookies
2. sessions that use cookies - or
3. sessions without the need for cookies

The purpose of passing by URL PHPSESSID key/val pairs is so that cookies are NOT required in any way - site visitors can have cookies switched -off without messing up the functionality of your site.

I'm using method 3 - My application is working ok the issue is why are two sessions instigated. I'm testing in Netscape since its eaiser to turn cookies off completely to test that cookies are NOT being used.

thorpe

So... you are passing the session id through the url then?

peachP

Yes the key/val pair is visible on the address bar -i.e. PHPSESSID=xxxxxxxxxxxxxxxx - with cookies disabled completely.

I'm looking thru the php manual for references to multi-thread/multi sessions etc - may be php.ini related prob.

I've tried isolating the problem and creating two basic pages and passing session variables between them using the SID with cookies off and it works fine - i believe it could be the fact that i'm using the header() for the initial redirect to the login page in my app??

bradgrafelman

i believe it could be the fact that i'm using the header() for the initial redirect to the login page in my app??

If so, before the header() call, try calling [man]session_write_close/man so that the session data is properly saved and stored.

peachP

bradgrafelman wrote:
If so, before the header() call, try calling [man]session_write_close/man so that the session data is properly saved and stored.

it doesn't have any effect both pages are still producing two different sessions

thanks for idea though

Drakla

Are you propagating the session id in the header redirect?

bradgrafelman

What are the vollowing PHP directive values as reported by a phpinfo() ? session.use_trans_sid, session.use_only_cookies, session.use_cookies, session.name

peachP

resolved it - i kinda knew it was the way i was calling session_start and a logic rather than syntax problem. Session_start() can be called anywhere if using sessions without cookies - i've been calling it unconditionally by placing it at the top of each page rather than conditionally (within if blocks etc)

I used session_destroy() in the 'if' block on page one which checks if loginOk isset - this kills the redundant session started by page one since its page one that needs to join the session that is instigated by the login page(pageTwo), not the other way round.

In other words the reason page two (login page) was creating a seperate session is because page one's session wasn't setting any session variables. When the login page sets the loginOk session var to true/1, user links back to pageone and the session_start() on page one resumes the login page session - which logically is how it should work.

The login page should be the place where a session is instigated not the calling page -

If this doesn't make sense (i know duh) i'll send a code snippet example it just may help someone else. I knew where the prob was i just couldn't visualise it.

stupidity, like blurry-vision, is in the eyes of the beer-holder (duh)