Session login issue
I'm wondering how to fix a problem I'm having with a session-based login system
Say I go to http://www.website.com
The page that processes the login then returns the now-logged-in user to http://www.website.com
If this person goes to website.com, though, the login page returns them to www.website.com and it seems to be a different session, which makes it appear as though they haven't logged in. Then they log in twice.
"Well just have the login page return the user to the URL that they came from"
My problem there is that I have other pages on my site which will direct a user back to http://www.website.com, such as my Error 403 page. After a certain period of time, it sends the user to http://www.website.com. If this is a logged-in user who logged in under website.com, it will appear as though they were logged out.
Any suggestions?
-
cpetercarter
- Forum Contributor
- Posts: 474
- Joined: Sat Jul 25, 2009 2:00 am
Re: Session login issue
The user's browser thinks that http://www.website.com and website.com are two different sites. If she/he logs in to http://www.website.com, your server will send a session cookie to the browser. The browser will associate that cookie with http://www.website.com. If the user subsequently goes to website.com, the browser will have no cookie to send, so the server thinks that the user is not logged in.
I am not sure what the best solution is in your case, but perhaps this explanation of why the problem arises will prompt some ideas.
Re: Session login issue
Are you switching between ssl and not ssl encrypted?
Does your page you are redirecting to call session_start and check to see if a logged in session exists before asking to login again?
Re: Session login issue
No I am not switching between SSL and non-SSL
The page it goes back to has a session_start(), yes,
but it doesn't check to see if a session exists or not because I don't have it set up where if you're not logged in, it will ask you to. If you're not logged in, it will just not have extra features on the page. And so if someone goes to website.com, they log in, they get redirected to http://www.website.com, the session_start() occurs, and it will look like they haven't logged in. The URL can be changed to read website.com again, and it will show that they are logged in, though.
Is there a way for this session to cover both website.com and http://www.website.com, or something related?
-
cpetercarter
- Forum Contributor
- Posts: 474
- Joined: Sat Jul 25, 2009 2:00 am
Re: Session login issue
Ok, well I got the login situation to work. Now, if someone logs in under website.com, they're logged in under both website.com and http://www.website.com. My issue NOW, though, is logout. In IE, it kills the session for website.com and http://www.website.com. In FF, it kills the session for whatever they were most recently at. i.e. They're at a logout URL that succeeds http://www.website.com, and once back at the main page, they're logged out of http://www.website.com. If it gets changed to website.com, they're still logged in. Any ideas?
Re: Session login issue
Are you creating two different sessions with separate session IDs? How are you logging them in to both URLs?
Re: Session login issue
There doesn't appear to be 2 separate session IDs created.
Here's where I sit now: IE doesn't declare the session for both website.com and http://www.website.com anymore. Maybe it was a fluke when I originally tested it? FF starts both sessions, though. And then I'm still having the issues with killing the session for both http://www.website.com and website.com, obviously.
Re: Session login issue
Put in
Code:
echo session_id();
after calling session_start() for both cases. If the session ID is changing, you have to make sure that both session_id's either get destroyed OR make sure both sessions use the same session_id by setting it to the same ID.
Re: Session login issue
Ok, it seems to be all working now. I think flukes have just come up. Some cache issue or something, I'm not sure.
But it seems to work now. The session IDs are the same. I checked again.
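Added example, not code from any post in this thread: two ways to handle the www / non-www cookie split described above, plus a logout that clears the cookie in the same scope it was set in. The constants and function names are assumptions built from the thread's placeholder site name; the array form of session_set_cookie_params() and setcookie() needs PHP 7.3 or later.

```php
<?php
// Added example: CANONICAL_HOST and COOKIE_DOMAIN are assumed values built
// from the thread's placeholder site name.
const CANONICAL_HOST = 'www.website.com';
const COOKIE_DOMAIN  = 'website.com'; // sent to website.com AND all subdomains
function is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}
// Option 1: serve everything from one host so the default host-only session
// cookie is always sent. Call before any output.
function redirect_to_canonical_host(): void
{
    $path = $_SERVER['REQUEST_URI'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/'; // never build the Location header from an absolute URI
    }
    if (strtolower($_SERVER['HTTP_HOST'] ?? '') !== CANONICAL_HOST) {
        $scheme = is_https() ? 'https' : 'http';
        header("Location: $scheme://" . CANONICAL_HOST . $path, true, 301);
        exit;
    }
}

// Option 2: scope the session cookie to the parent domain. Use this on every
// page instead of a bare session_start().
function start_shared_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'domain' => COOKIE_DOMAIN,
        'secure' => is_https(), 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Logout: the expiring Set-Cookie must carry the same name, path and domain
// as the login cookie, or the browser keeps the original.
function logout(): void
{
    start_shared_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

Option 1 keeps the session cookie host-only, which is the narrower scope; Option 2 hands the session ID to every host under website.com, so it only fits when all of those hosts are trusted.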