Page 1 of 1

Session login issue

Posted: Sun Oct 25, 2009 1:28 am
by matt1234
I'm wondering how to fix a problem I'm having with a session-based login system

Say I go to http://www.website.com
The page that processes the login then returns the now-logged-in user to http://www.website.com
If this person goes to website.com, though, the login page returns them to www.website.com and it seems to be a different session which makes it appear as though they haven't logged in. Then they login twice.

"Well just have the login page return the user to the URL that they came from"
My problem there is that I have other pages on my site which will direct a user back to http://www.website.com -such as my Error 403 page. After a certain period of time, it sends the user to http://www.website.com. If this is a logged-in user who logged in under website.com, it will appear as though they were logged out

Any suggestions?

Re: Session login issue

Posted: Sun Oct 25, 2009 1:59 am
by cpetercarter
The user's browser thinks that http://www.website.com and website.com are two different sites. If she/he logs in to http://www.website.com, your server will send a session cookie to the browser. The browser will associate that cookie with http://www.website.com. If the user subsequently goes to website.com, the browser will have no cookie to send, so the server thinks that the user is not logged in.

I am not sure what the best solution is in your case, but perhaps this explanation of why the problem arises will prompt some ideas.

Re: Session login issue

Posted: Sun Oct 25, 2009 8:28 am
by Eric!
Are you switching between ssl and not ssl encrypted?

Does your page you are redirecting to call session_start and check to see if a logged in session exists before asking to login again?

Re: Session login issue

Posted: Sun Oct 25, 2009 4:09 pm
by matt1234
No I am not switching between SSL and non-SSL

The page it goes back to has a session_start() , yes
but it doesn't check to see if a session exists or not because I don't have it setup where if you're not logged in, it will ask you to. If you're not logged in, it will just not have extra features on the page. And so if someone goes to website.com, they login, they get redirected to http://www.website.com, the session_start() occurs, and it will look like they haven't logged in. The URL can be changed to read website.com again, and it will show that they are logged in, though.

Is there a way for this session to cover both website.com and http://www.website.com, or something related?

Re: Session login issue

Posted: Mon Oct 26, 2009 2:46 am
by cpetercarter

Re: Session login issue

Posted: Wed Oct 28, 2009 1:41 am
by matt1234
Ok, well I got the login situation to work. Now, if someone logs in under website.com, they're logged in under both website.com and http://www.website.com. My issue NOW, though, is logout. In IE, it kills the session for website.com and http://www.website.com. In FF, it kills the session for whatever they were most recently at. i.e. They're at a logout URL that succeeds http://www.website.com, and once back at the main page, they're logged out of http://www.website.com. If it gets changed to website.com, they're still logged in. Any ideas?

Re: Session login issue

Posted: Wed Oct 28, 2009 11:54 pm
by matt1234
Bump

Re: Session login issue

Posted: Fri Oct 30, 2009 7:46 am
by Eric!
Are you creating two different sessions with seperate session ID's? How are you logging them in to both urls?

Re: Session login issue

Posted: Fri Oct 30, 2009 5:22 pm
by matt1234
There doesn't appear to be 2 separate session IDs created.

Here's where I sit now: IE doesn't declare the session for both website.com and http://www.website.com anymore. Maybe it was a fluke when I originally tested it? FF starts both sessions, though. And then I'm still having the issues with killing the session for both http://www.website.com and website.com, obviously.

Re: Session login issue

Posted: Fri Oct 30, 2009 7:12 pm
by Eric!
Put in

Code: Select all

echo session_id();
after calling session_start() for both cases. If the session ID is changing, you have to make sure that both session_id's either get destroyed OR make sure both sessions use the same session_id by setting it to the same ID.

Re: Session login issue

Posted: Fri Oct 30, 2009 9:36 pm
by matt1234
Ok, it seems to be all working now. I think flukes have just come up. Some cache issue or something, i'm not sure.
But it seems to work now. The session IDs are the same. I checked again.