Hi all, and thanks up front for any help on this.
I'm working with a basic login system of only a couple of files and I thought I understood how they worked until I moved them from a domain hosted on hostmonster to a domain on GoDaddy. This is all probably old hat for most of you folks but let me describe what I know. My index file plays double duty either displaying the login form or, if logged in, displaying a front page. This page starts the user session, checks to see if the user wanted to be "remembered," checks some cookies, etc. and if not, presents the login form. The form script of course immediately tries to log the user and, whether successful or not, it redirects back to the main index page, where this process simply starts over. But this time, if the login was successful, the front page is displayed instead of the login form.
Simple enough loop I thought. The key is the end of the form script processing, which adds some elements to the $_SESSION array which, upon redirect back to the index form, are needed to determine if the user is logged in, and hence, what to display.
On both hostmonster and GoDaddy right before the redirect back to the start page, the process looks good, the $_session array has what I expect it to have given a successful or unsuccessful login.
After the redirect back to the common starting index page,
on hostmonster, the $_session array contains these values and proceeds as expected, but
on goDaddy, the $_session array is basically empty. It does contain one element that's added when this main page is called, but the elements expected from the result of the login attempt, are simply not present.
Now I've read quite a lot about problems with dropped sessions on redirect. But I'm still unable to make sense out of this. Most notably, since it works fine on hostmonster and not on GoDaddy, I'd guess there's something in version or configuration that's at odds here but I can't find it. I've compared versions, they are slightly different, hostmonster on 5.2.9, GoDaddy on 5.2.5. I've compared all their session handling configuration switches and they all match, or those I'm seeing with phpinfo() anyway.
One issue I chased down was register_globals which is off for both hosts. But register_argc_argv is off on goDaddy, on on hostmonster. But I'm not sure that is a factor.
I realize there's a lot I don't know here. I don't fully understand how a header(location: ) redirect might be connected to or dependent upon 302 settings at the server but I found some references to this. I don't fully understand the session management but the main index script calls session_start() initially and I've added a check on the return value on this and it's always successful. But the session management doesn't appear to be any deeper than this. And somehow, on hostmonster, after shunting over to a completely separate form script, when we loop back to the main page again, the $_session array has the data the form process script added to the array. Not sure I understand why completely but it does work, on hostmonster.
But, more importantly, I just don't know enough about session management and the nuances of different server/installation configurations issues to know which end of this to chase first. It may well be that the base script, despite working correctly on hostmonster, was itself not well devised and was simply lucky enough to have the side-effect of working on hostmonster at all, or maybe that luck was a specific php configuration, etc. But before I go changing things or taking a different approach, I need to understand why it doesn't work simply when moved to GoDaddy.
Any thoughts?
Thanks again for any help,
/jim
Dropping $_Session Elements
Re: Dropping $_Session Elements
Hmm....odd.
I can think of a few reasons why this could be:
- Your old host had output buffering turned on, whereas your new one doesn't, so your session isn't initialising
- You're setting some cookie params to only work for a particular domain (if you've changed domain as well as host)
I'd also recommend you try running this script on your local machine with default php/apache settings, to see if it's some server misconfiguration.
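A diagnostic page for the checks suggested in the reply above, as an added example that is not part of the original thread: it reports the output-buffering setting, whether output preceded session_start(), the session cookie parameters against the request host, and whether session data survives between requests. The file name `session_diag.php` and the `diag_hits` key are hypothetical, and the save-directory check goes beyond the two reasons listed in the reply.

```php
<?php
// session_diag.php (hypothetical file name). Added diagnostic, not the poster's code.
// Request it twice in the same browser on each host and compare the reports.

// Output sent before session_start() (for example whitespace ahead of "<?php")
// blocks the session cookie header when output buffering is off.
$sentFile = '';
$sentLine = 0;
$sentEarly = headers_sent($sentFile, $sentLine);

$started = session_start();

// The counter only increases if session data survives between requests.
$_SESSION['diag_hits'] = isset($_SESSION['diag_hits']) ? $_SESSION['diag_hits'] + 1 : 1;

$cookie = session_get_cookie_params();
$host = isset($_SERVER['HTTP_HOST']) ? preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST']) : '';
$domain = ltrim($cookie['domain'], '.');
// A cookie domain that is not a suffix of the current host is never sent back.
$domainOk = ($domain === '') || (substr($host, -strlen($domain)) === $domain);

// session.save_path may carry an "N;" depth prefix; keep only the directory part.
$savePath = session_save_path();
$pos = strrpos($savePath, ';');
$saveDir = ($pos === false) ? $savePath : substr($savePath, $pos + 1);

$report = array(
    'php_version'              => PHP_VERSION,
    'output_buffering'         => ini_get('output_buffering'),
    'output_sent_before_start' => $sentEarly ? "$sentFile:$sentLine" : 'no',
    'session_start_returned'   => $started,
    'session_id_prefix'        => substr(session_id(), 0, 6) . '...', // never print the full ID
    'cookie_params'            => $cookie,
    'request_host'             => $host,
    'cookie_domain_matches'    => $domainOk,
    'save_dir'                 => $saveDir,
    'save_dir_writable'        => ($saveDir !== '' && is_writable($saveDir)),
    'diag_hits'                => $_SESSION['diag_hits'],
);

if (!headers_sent()) {
    header('Content-Type: text/plain');
}
foreach ($report as $name => $value) {
    echo $name, ' = ', var_export($value, true), "\n";
}
```

If `diag_hits` stays at 1 on the second request, the session is not persisting on that host; delete the file from the server once the two reports have been compared, since it exposes configuration details.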
Double 302s (WAS:Re: Dropping $_Session Elements)
What about this, using an http packet sniffer I find that on the hostmonster site, the initial request is a POST and the 302 response looks pretty much as one would expect. The response packet is 302 and the location is the index.php, the redirect back to the main page.
But on the GoDaddy site, the 302 is a POST and looks almost perfectly the same, but the 302 response gives a location back to the form processing script, so back to itself, another request is made, this time however it's a GET request, session ID matches the first request so the session management appears to be working, and this time the response is another 302 but this time the location is back to the main index.php.
NOW, why the double 302 and what is the genesis of a POST first (my html form does use method="POST") with a redirect back to the form script and another attempt with a GET?
KEEP in mind, my source files are identical for both systems, hostmonster and GoDaddy.
Lastly, I'm betting the vars I'm looking for, the $_session elements I expect to find on the redirect back to the main page, have a lot to do with pulling them from $_GET and not $_POST, as all my code does now. So it might appear that the session management is working like it should. Certainly the sniffer displays consistent session ID's for each request. But the double 302 at GoDaddy and the shift from POST to GET wasn't something I expected.
Thoughts?
TIA,
/jim
Re: Dropping $_Session Elements
Well, a GET request should be no different to a POST request where sessions are concerned.
If the same session ID is still being sent, then the session has been set...so it must be empty.
Like I suggested, try running var_dump() on $_SESSION on the redirected page and see what's in there.
Also, could you post your code?