This is the weirdest problem and I have been stuck for days on it! I am using PHP 4.4.2 with IIS 6. I have a regular login page that redirects you to a home page. It was working fine a couple of days ago. Then I installed PHPEdit, DBG, and Xdebug. PHPEdit has a known issue with redirecting running DBG, which is why I removed it and installed Xdebug.

All of a sudden now my session data is lost on the home page, which sends you back to the login page. Below are my settings and things I have tried:

My PHP directory is not read-only.
My PHP sessiondata and uploadtemp have the IUSR user added to permissions with full control.
In php.ini the session.save_path is set correctly.
I added the following to the bottom of my php.ini:

[debugger] 
;zend_extension_ts="d:\php-4.4.2\extensions\php_xdebug-2.0.0-4.4.6.dll"
zend_extension="d:\php-4.4.2\extensions\php_xdebug-2.0.0-4.4.6.dll"

; Remote settings
xdebug.remote_autostart=off
xdebug.remote_enable=on
xdebug.remote_handler=dbgp
xdebug.remote_mode=req
xdebug.remote_host=localhost
xdebug.remote_port=9000
; General
xdebug.auto_trace=off
xdebug.collect_includes=on
xdebug.collect_params=off
xdebug.collect_return=off
xdebug.default_enable=on
xdebug.extended_info=1
xdebug.enable_session_cookie=on
xdebug.manual_url=http://www.php.net
xdebug.show_local_vars=0
xdebug.show_mem_delta=0
xdebug.max_nesting_level=100
;xdebug.idekey=
; Trace options
xdebug.trace_format=0
xdebug.trace_output_dir=/tmp
xdebug.trace_options=0
xdebug.trace_output_name=crc32
; Profiling
xdebug.profiler_append=0
xdebug.profiler_enable=0
xdebug.profiler_enable_trigger=0
xdebug.profiler_output_dir=/tmp
xdebug.profiler_output_name=crc32

I have

session_start()

at the top of both pages.
I tried using

session_write_close();

before the redirect, but that didn’t work.
I have

session_start();
ob_start();

on the home page (the page being redirected to).

Please help! In the meantime I am going to uninstall PHPEdit to see if that helps (I am that desparate).

    PHPEdit really shouldn't have any affect on it at all. I have no experience with IIS servers but I know I had problems with PHP on Apache under Windows XP. Could you post up to the header() redirect in the first file and the first few lines of the second file?

      how do you know:
      All of a sudden now my session data is lost on the home page,
      which sends you back to the login page.

      Are those session files empty?
      Are they deleted?

      I also tried to disable DBG and Xdebug in my PHPEdit.
      But I really do not know how to stop DBG show up in my tray .....
      I have not found any option in preferences to disable debugging totally

        What I mean by all of a sudden is that before I installed PHPEdit I was able to log in to my site. After I installed PHPEdit and DBG my session data was empty on the page being redirected to.

        I used a print_r($_SESSION) to see what was in my session on both pages. I know the variables are set on the login page before the home page. The session is empty when I get to the home page.

        login.php

        <?php
	session_start();
	session_destroy();
	define("EP_Root", "../");
	include(EP_Root.'usercontrols/validate.php');
	$isErr = false;
print_r($_SESSION);
	if(isset($_POST['username'])){
		require_once(EP_Root.'bll/login.class.php');
		$login = new Login();
		$blReturn = $login->ReturnCheckEmployeeLogin($_POST['username'], $_POST['password'], $CompanyID);
		if ($blReturn["EmployeeID"] != NULL){
			$login->UpdateEmployeeLogin($blReturn["EmployeeID"], $CompanyID);
			$_SESSION['EmployeeSession'] = $blReturn["EmployeeNo"];
			$_SESSION["Company"] = $CompanyID;

		include(EP_Root.'config.php');
		$_SESSION["OraServerUser"] = $OSUser;
		$_SESSION["OraServerName"] = $OSName;
		$_SESSION["OraSID"] = $OSID;
		$_SESSION["OraServerPassword"] = $OSPassward;

		if(isset($_GET["ReturnURL"])){
			$path=explode("ReturnURL=",$_SERVER['QUERY_STRING']);
			header("Location:".$path[1]);
		}else{
			include(EP_Root.'bll/preference.class.php');
			$preference = new Preference();
			$result = $preference->GetTabPriviledgeInfo('Employee', 0, $CompanyID);
			header("location:".$result[0]["url"]);
		}
	}else{
		$isErr = true;
	}
}
?>
<html>
	<head>
		<title>Employee Portal - Employee Login</title>
	    <!--<meta HTTP-EQUIV="Content-Type" content="text/html; charset=ISO-8859-1"> -->
	    <link rel="icon" href="../favicon.ico">
	    <link rel="Shortcut Icon" href="../favicon.ico">
		<link rel="stylesheet" href="../includes/login.css">
		<script type="text/javascript" src="../scripts/wforms.js" ></script>
		<style>
			.errFld {border: 1px solid #F00;}
			.errMsg { color: #C33;}
			.style1 {color: #CC0000}
		</style>
	</head>
	<body class="Login" onLoad="document.f1.username.focus();" bgcolor="#FFFFFF">
		<table width="550px" align="center" border="0" cellpadding="20" cellspacing="0" bgcolor="#FFFFFF">
			<tr>
				<td width="10%"></td>
				<td width="80%">
					<br><br><br>
					<div id="Dialog">
					  <h1><center><img src="../images/security-lock.gif" style="vertical-align:middle;">&nbsp;&nbsp;<span style="vertical-align:bottom;">Login to Employee Portal</span></center></h1>
						<?php
							if ($isErr == true)
								echo '<DIV class=AlertBad>The username and/or password you entered is invalid.</DIV>';
						?>
						<form name="f1" action="login.php<?php if(isset($_SERVER['QUERY_STRING'])) echo "?".$_SERVER['QUERY_STRING'];?>" method="post">
<input type="hidden" name="DBGSESSID" value="1234@localhost:7869;d=1,p=1" />
							<dl>
								<dt>Username:</dt>
								<dd><input name="username" type="text" id="username" class="required"></dd>
								<dt>Password:</dt>
								<dd><input name="password" type="password" id="password" class="required"></dd>
							</dl>
							<p style="text-align: center;"><input type="image" src="../images/signin.gif" width="59" height="21" style="width:60px">
							<br><br>(<a href="forgot-password.php">I forgot my password</a>)</p>
						</form>
					</div>
				</td>
				<td width="10%"></td>
			</tr>
		</table>
	</body>
</html>

        home.php

        <?php
	session_start();
	ob_start();
print_r($_SESSION);
	define("EP_Root","../");
	include(EP_Root."includes/check-employee.php");
	include("../bll/home.class.php");
	$home = new Home();
?>

        check-employee.php

        <?
if(!(session_is_registered('EmployeeSession')))
{
	$Page = explode("/",$_SERVER['PHP_SELF']);
	$QString = "";
	if(isset($_SERVER['QUERY_STRING']))
		$QString = "?".$_SERVER['QUERY_STRING'];
	header("Location:login.php?ReturnURL=".$Page[count($Page)-1].$QString);
}
/*else
{
	include("../bll/login.class.php");
	$login = new Login();
	$url = explode('/', $_SERVER['PHP_SELF']);
	$result = $login->ReturnCheckMenuPriviledge('Employee', $url[count($url)-1]);
	if ($result==NULL)
	{
		header("Location:../usercontrols/404.php");
	}
}*/
?>

        I am not doing anything out of the ordinary. It use to work! I uninstalled PHPEdit but that did not help. It still doesn't work.

          Isn't there supposed to be a file created in \sessiondata every time a session is created? There are no files in mine. I have full permissions for IIS_WPG and IUSR_ on that folder.

          Here is my session info from php.ini:

          [Session]
; Handler used to store/retrieve data.
session.save_handler = files

; Argument passed to save_handler.  In the case of files, this is the path
; where data files are stored. Note: Windows users have to change this 
; variable in order to use PHP's session functions.
; As of PHP 4.0.1, you can define the path as:
;     session.save_path = "N;/path"
; where N is an integer.  Instead of storing all the session files in 
; /path, what this will do is use subdirectories N-levels deep, and 
; store the session data in those directories.  This is useful if you 
; or your OS have problems with lots of files in one directory, and is 
; a more efficient layout for servers that handle lots of sessions.
; NOTE 1: PHP will not create this directory structure automatically.
;         You can use the script in the ext/session dir for that purpose.
; NOTE 2: See the section on garbage collection below if you choose to
;         use subdirectories for session storage
session.save_path= "D:\php-4.4.2\sessiondata"

; Whether to use cookies.
session.use_cookies = 1

; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 0.
; session.use_only_cookies = 1

; Name of the session (used as cookie name).
session.name = PHPSESSID

; Initialize session on request startup.
session.auto_start = 0

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0

; The path for which the cookie is valid.
session.cookie_path = /

; The domain for which the cookie is valid.
session.cookie_domain =

; Handler used to serialize data.  php is the standard serializer of PHP.
session.serialize_handler = php

; Define the probability that the 'garbage collection' process is started
; on every session initialization.
; The probability is calculated by using gc_probability/gc_divisor,
; e.g. 1/100 means there is a 1% chance that the GC process starts
; on each request.

session.gc_probability = 1
session.gc_divisor     = 100

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 14400

; NOTE: If you are using the subdirectory option for storing session files
;       (see session.save_path above), then garbage collection does *not*
;       happen automatically.  You will need to do your own garbage 
;       collection through a shell script, cron entry, or some other method. 
;       For example, the following script would is the equivalent of
;       setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
;          cd /path/to/sessions; find -cmin +24 | xargs rm

; PHP 4.2 and less have an undocumented feature/bug that allows you to
; to initialize a session variable in the global scope, albeit register_globals
; is disabled.  PHP 4.3 and later will warn you, if this feature is used.
; You can disable the feature and the warning separately. At this time,
; the warning is only displayed, if bug_compat_42 is enabled.

session.bug_compat_42 = 1
session.bug_compat_warn = 1

; Check HTTP Referer to invalidate externally stored URLs containing ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
session.referer_check =

; How many bytes to read from the file.
session.entropy_length = 0

; Specified here to create the session id.
session.entropy_file =

;session.entropy_length = 16

;session.entropy_file = /dev/urandom

; Set to {nocache,private,public,} to determine HTTP caching aspects
; or leave this empty to avoid sending anti-caching headers.
session.cache_limiter = nocache

; Document expires after n minutes.
session.cache_expire = 180

; trans sid support is disabled by default.
; Use of trans sid may risk your users security. 
; Use this option with caution.
; - User may send URL contains active session ID
;   to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
;   in publically accessible computer.
; - User may access your site with the same session ID
;   always using URL stored in browser's history or bookmarks.
session.use_trans_sid = 0

; The URL rewriter will look for URLs in a defined set of HTML tags.
; form/fieldset are special; if you include them here, the rewriter will
; add a hidden <input> field with the info which is otherwise appended
; to URLs.  If you want XHTML conformity, remove the form entry.
; Note that all valid entries require a "=", even if no value follows.
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="
session.save_path= D:\php-4.4.2\sessiondata    ; argument passed to save_handler

          Am I missing something?

            I used the following code to get more info:

            <?php 
session_start();
session_destroy();
$neg = array('off', 0, false, '', null); 
$flags = array( 
        'Register Globals' => 'register_globals', 
        'Short Tags' => 'short_open_tag', 
        'Display Errors' => 'display_errors', 
        'Magic Quotes GPC' => 'magic_quotes_gpc', 
        'Magic Quotes Runtime' => 'magic_quotes_runtime', 
        'Magic Quotes Sybase' => 'magic_quotes_sybase', 
); 
$ve = phpversion(); 
$os = PHP_OS; 
$er = intval(error_reporting()); 
foreach ($flags as $n => $v) 
{ 
        $flags[$n] = (in_array(strtolower(ini_get($v)), $neg) ? 'Off' : 'On'); 
} 
$flags['Config file'] = get_cfg_var('cfg_file_path'); 
if (empty($flags['Config file'])) 
{ 
        $flags['Config file'] = '-'; 
} 
$cli = (php_sapi_name() == 'cli'); 
$eol = "\n"; 

$gle = get_loaded_extensions(); 
$rows = array(); 
$le = ''; 
$wide = 4; 
$j = count($gle); 
$pad = $wide - $j % $wide; 
$len = max(array_map('strlen', $gle)); 
$func = create_function('$a', 'return str_pad($a, ' . intval($len) . ');'); 
$gle = array_map($func, $gle); 
for($i = 0; $i < $j; $i += $wide) 
{ 
        $le .= '   ' . implode('   ', array_slice($gle, $i, $wide)) . $eol; 
} 

$ec = array( 
        'E_STRICT' => 2048, 'E_ALL' => 2047, 'E_USER_NOTICE' => 1024, 
        'E_USER_WARNING' => 512, 'E_USER_ERROR' => 256, 'E_COMPILE_WARNING' => 128, 
        'E_COMPILE_ERROR' => 64, 'E_CORE_WARNING' => 32, 'E_CORE_ERROR' => 16, 
        'E_NOTICE' => 8, 'E_PARSE' => 4, 'E_WARNING' => 2, 'E_ERROR' => 1, 
); 

$e = array(); 
$t = $er; 
foreach ($ec as $n => $v) 
{ 
        if (($t & $v) == $v) 
        { 
                $e[] = $n; 
                $t ^= $v; 
        } 
} 
if (ceil(count($ec) / 2) + 1 < count($e)) 
{ 
        $e2 = array(); 
        foreach ($ec as $n => $v) 
        { 
                if (!in_array($n, $e) and $n != 'E_ALL') 
                { 
                        $e2[] = $n; 
                } 
        } 
        $er = $er . ' ((E_ALL | E_STRICT) ^ ' . implode(' ^ ', $e2) . '))'; 
} 
else 
{ 
        $er = $er . ' (' . implode(' | ', $e) . ')'; 
} 

if (!$cli) 
{ 
        echo '<html><head><title>quick info</title></head><body><pre>', $eol; 
} 

echo 'PHP Version: ', $ve, $eol; 
echo 'PHP OS: ', $os, $eol; 
echo 'Error Reporting: ', $er, $eol; 
foreach ($flags as $n => $v) 
{ 
        echo $n, ': ', $v, $eol; 
} 
echo 'Loaded Extensions:', $eol, $le, $eol; 

if (!$cli) 
{ 
        echo '</pre></body></html>', $eol; 
}

$_SESSION['test'] = "Testing Sessions";
echo "REQUEST = ";
print_r($_REQUEST);
echo "<br>SESSION = ";
print_r($_SESSION); 
session_id($_REQUEST['PHPSESSID']);
echo "<br> session file = ".session_save_path() . DIRECTORY_SEPARATOR . "sess_".session_id();
echo "<br> session file = ".session_save_path() . DIRECTORY_SEPARATOR . "sess_".$_REQUEST['PHPSESSID']."<br>";
echo file_exists(session_save_path() . DIRECTORY_SEPARATOR . $_REQUEST['PHPSESSID']) ? 'session file exists' : 'session file does not exist';
?>

            Output:

            PHP Version: 4.4.2
PHP OS: WINNT
Error Reporting: 2047 (E_ALL)
Register Globals: Off
Short Tags: On
Display Errors: On
Magic Quotes GPC: On
Magic Quotes Runtime: Off
Magic Quotes Sybase: Off
Config file: D:\php-4.4.2\php.ini
Loaded Extensions:
   standard    bcmath      calendar    ctype    
            
   com         ftp         mysql       odbc     
            
   overload    pcre        session     tokenizer
   xml         wddx        zlib        oci8     
            
   pdf      


REQUEST = Array ( [PHPSESSID] => c232b8de8c4daf11816c54864bf25164 )
SESSION = Array ( [test] => Testing Sessions )
session file = D:\php-4.4.2\sessiondata\sess_
session file = D:\php-4.4.2\sessiondata\sess_c232b8de8c4daf11816c54864bf25164
session file does not exist

            Why can't I get sessions to work? An empty sess_ file is created but as soon as I refresh it disappears.

              I got the following file to work by removing session_destroy() and adding session_write_close() at the end.

              <?php 
session_start();
$neg = array('off', 0, false, '', null); 
$flags = array( 
        'Register Globals' => 'register_globals', 
        'Short Tags' => 'short_open_tag', 
        'Display Errors' => 'display_errors', 
        'Magic Quotes GPC' => 'magic_quotes_gpc', 
        'Magic Quotes Runtime' => 'magic_quotes_runtime', 
        'Magic Quotes Sybase' => 'magic_quotes_sybase', 
); 
$ve = phpversion(); 
$os = PHP_OS; 
$er = intval(error_reporting()); 
foreach ($flags as $n => $v) 
{ 
        $flags[$n] = (in_array(strtolower(ini_get($v)), $neg) ? 'Off' : 'On'); 
} 
$flags['Config file'] = get_cfg_var('cfg_file_path'); 
if (empty($flags['Config file'])) 
{ 
        $flags['Config file'] = '-'; 
} 
$cli = (php_sapi_name() == 'cli'); 
$eol = "\n"; 

$gle = get_loaded_extensions(); 
$rows = array(); 
$le = ''; 
$wide = 4; 
$j = count($gle); 
$pad = $wide - $j % $wide; 
$len = max(array_map('strlen', $gle)); 
$func = create_function('$a', 'return str_pad($a, ' . intval($len) . ');'); 
$gle = array_map($func, $gle); 
for($i = 0; $i < $j; $i += $wide) 
{ 
        $le .= '   ' . implode('   ', array_slice($gle, $i, $wide)) . $eol; 
} 

$ec = array( 
        'E_STRICT' => 2048, 'E_ALL' => 2047, 'E_USER_NOTICE' => 1024, 
        'E_USER_WARNING' => 512, 'E_USER_ERROR' => 256, 'E_COMPILE_WARNING' => 128, 
        'E_COMPILE_ERROR' => 64, 'E_CORE_WARNING' => 32, 'E_CORE_ERROR' => 16, 
        'E_NOTICE' => 8, 'E_PARSE' => 4, 'E_WARNING' => 2, 'E_ERROR' => 1, 
); 

$e = array(); 
$t = $er; 
foreach ($ec as $n => $v) 
{ 
        if (($t & $v) == $v) 
        { 
                $e[] = $n; 
                $t ^= $v; 
        } 
} 
if (ceil(count($ec) / 2) + 1 < count($e)) 
{ 
        $e2 = array(); 
        foreach ($ec as $n => $v) 
        { 
                if (!in_array($n, $e) and $n != 'E_ALL') 
                { 
                        $e2[] = $n; 
                } 
        } 
        $er = $er . ' ((E_ALL | E_STRICT) ^ ' . implode(' ^ ', $e2) . '))'; 
} 
else 
{ 
        $er = $er . ' (' . implode(' | ', $e) . ')'; 
} 

if (!$cli) 
{ 
        echo '<html><head><title>quick info</title></head><body><pre>', $eol; 
} 

echo 'PHP Version: ', $ve, $eol; 
echo 'PHP OS: ', $os, $eol; 
echo 'Error Reporting: ', $er, $eol; 
foreach ($flags as $n => $v) 
{ 
        echo $n, ': ', $v, $eol; 
} 
echo 'Loaded Extensions:', $eol, $le, $eol; 

if (!$cli) 
{ 
        echo '</pre></body></html>', $eol; 
}

$_SESSION['test'] = "Testing Sessions";
echo "REQUEST = ";
print_r($_REQUEST);
echo "<br>SESSION = ";
print_r($_SESSION); 
session_id($_REQUEST['PHPSESSID']);
echo "<br> session file = ".session_save_path() . DIRECTORY_SEPARATOR . "sess_".session_id();
echo "<br> session file = ".session_save_path() . DIRECTORY_SEPARATOR . "sess_".$_REQUEST['PHPSESSID']."<br>";
echo file_exists(session_save_path() . DIRECTORY_SEPARATOR . "sess_".$_REQUEST['PHPSESSID']) ? 'session file exists' : 'session file does not exist';
session_write_close();
?>

              I also had to do the same in my login.php and now it works. I guess it was creating and destroying the session right away. I have seen tons of examples that use it like this. Maybe it's an IIS thing?

              Either way I have it working for now. Watch it not work on Apache now!?!

              login.php

              <?php
	session_start();  //removed session_destroy() after this line
	define("EP_Root", "../");
	include(EP_Root.'usercontrols/validate.php');
	$isErr = false;

if(isset($_POST['username'])){
	require_once(EP_Root.'bll/login.class.php');
	$login = new Login();
	$blReturn = $login->ReturnCheckEmployeeLogin($_POST['username'], $_POST['password'], $CompanyID);
	if ($blReturn["EmployeeID"] != NULL){
		$login->UpdateEmployeeLogin($blReturn["EmployeeID"], $CompanyID);
		$_SESSION['EmployeeSession'] = $blReturn["EmployeeNo"];
		$_SESSION["Company"] = $CompanyID;

		include(EP_Root.'config.php');
		$_SESSION["OraServerUser"] = $OSUser;
		$_SESSION["OraServerName"] = $OSName;
		$_SESSION["OraSID"] = $OSID;
		$_SESSION["OraServerPassword"] = $OSPassward;

		if(isset($_GET["ReturnURL"])){
			$path=explode("ReturnURL=",$_SERVER['QUERY_STRING']);
			session_destroy(); //added this line here
			header("Location:".$path[1]);
		}else{
			include(EP_Root.'bll/preference.class.php');
			$preference = new Preference();
			$result = $preference->GetTabPriviledgeInfo('Employee', 0, $CompanyID);
			header("location:".$result[0]["url"]);
		}
	}else{
		$isErr = true;
	}
}
?>
<html>
	<head>
		<title>Employee Portal - Employee Login</title>
	    <!--<meta HTTP-EQUIV="Content-Type" content="text/html; charset=ISO-8859-1"> -->
	    <link rel="icon" href="../favicon.ico">
	    <link rel="Shortcut Icon" href="../favicon.ico">
		<link rel="stylesheet" href="../includes/login.css">
		<script type="text/javascript" src="../scripts/wforms.js" ></script>
		<style>
			.errFld {border: 1px solid #F00;}
			.errMsg { color: #C33;}
			.style1 {color: #CC0000}
		</style>
	</head>
	<body class="Login" onLoad="document.f1.username.focus();" bgcolor="#FFFFFF">
		<table width="550px" align="center" border="0" cellpadding="20" cellspacing="0" bgcolor="#FFFFFF">
			<tr>
				<td width="10%"></td>
				<td width="80%">
					<br><br><br>
					<div id="Dialog">
					  <h1><center><img src="../images/security-lock.gif" style="vertical-align:middle;">&nbsp;&nbsp;<span style="vertical-align:bottom;">Login to Employee Portal</span></center></h1>
						<?php
							if ($isErr == true)
								echo '<DIV class=AlertBad>The username and/or password you entered is invalid.</DIV>';
						?>
						<form name="f1" action="login.php<?php if(isset($_SERVER['QUERY_STRING'])) echo "?".$_SERVER['QUERY_STRING'];?>" method="post">
<input type="hidden" name="DBGSESSID" value="1234@localhost:7869;d=1,p=1" />
							<dl>
								<dt>Username:</dt>
								<dd><input name="username" type="text" id="username" class="required"></dd>
								<dt>Password:</dt>
								<dd><input name="password" type="password" id="password" class="required"></dd>
							</dl>
							<p style="text-align: center;"><input type="image" src="../images/signin.gif" width="59" height="21" style="width:60px">
							<br><br>(<a href="forgot-password.php">I forgot my password</a>)</p>
						</form>
					</div>
				</td>
				<td width="10%"></td>
			</tr>
		</table>
	</body>
</html>
                Write a Reply...