Hi, For some reason if this page hangs, and then you go to page2 everything works. If page1 redirects you to page2, page two can't find any session vars. Could anyone advise me on this?

page1:

session_start();
....
if(mysql_num_rows($result) == 1) // should be == 1
{ 
	$_SESSION = array(); 
	$_SESSION['id'] = $row['c6_EXPSSN'];
	$_SESSION['time'] = time(); 
	$_SESSION['random'] = sha1(somethin); 
	$_SESSION['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT']; 
	$_SESSION['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR']; 
	header("Location: https://page2.php?t=". $_SESSION['time'] ."&p=welcome");

page 2:

<?
session_start(); // Create new session instance or reestablish sessionid
print_r($_SESSION); // outputs Array()
require_once('functions.php');
checklogin();

Thanks

    I assume you have session_start() in the first page, or the first instance (when it hangs) wouldn't work. Although if page 2 "outputs Array()", that isn't "everything works"; it should be showing the entire array. Why does it hang? That could be part of the problem.

    Edit: Your code works on redirect for me.

      When page1 outputs something, _SESSION vars show up on other pages. If I just redirect after setting then the vars are lost?

      Redirecting this way on page1 seems to work:

      print '<html><body><script type="text/javascript"><!--';
      print '
      window.location="';
      echo "https://www/page2.php?t=". $_SESSION['time'] ."&p=welcome";
      print '";
      --></script></body></html>';

        Is page one using the https protocol? http://www.example.com/ and https://www.example.com count as different domains.

        If that's not the case, I'd consider throwing a [man]session_write_close[/man] in there immediately before sending the redirect (and I will put an exit() after the header("Location:") unless I have more headers to output).

          I've always recommended the session_write_close() as the first solution when SESSION data isn't showing up on subsequent pages. In fact, someone else contributed this note on the man page for [man]session_write_close/man:

          cenaculo at netcabo dot pt wrote:

          This function is essencial when you change $_SESSION[] variables and then, at some poit in the middle of the script, you send an header("Location: http://...") function to the browser, because in this case the session variables may not be saved before the browser change to the new page.

          To prevent from lossing session data, allways use session_write_close before this header function. session_write_close will force session data to be saved before the browser change to the new page.

          Hope this will help you not to loose 1 day wondering why people could not authenticate or make other changes in session vars in your site.

            Thanks for a pointer on that session function. It doesn't look like that was it though. It could be because I'm testing on an internal network and the vars are set to fast. I might check off site but will probably just go to javascript to keep from inconveniencing users. Cheers!

              Just in case... there's also this user note:

              Workaround if session_write_close() still doesn't write sessions fast enough:

              I found with one PHP login system that even session_write_close() was not setting the session variables before I transferred pages with a Location: header. So the user would log in, I would create the $_SESSION variables, call session_write_close() and then transfer to the secure page using header(Location:...). The secure page would check for the session vars, not find them, and force the user to log in again. After the second login the session would be found and they could continue.

              My workaround was to create the $SESSION variables with 0 values before writing the initial login page. Then I updated the session vars with the login results and used the header() function to switch to the secure location. Once the session vars have already been created, updated values are assigned quickly. Problem solved. Just be sure the secure page checks both that the $SESSION var exists AND that it's not 0.

              If it's a timing issue, you could always do as he suggested and use [man]usleep/man to give a brief delay (half a second or less would probably do the trick) allowing PHP to properly close the session.

              ALSO: After sending the header() redirect, make sure you use 'exit' to terminate the script. This might help PHP close the session faster as well.

                Write a Reply...