
Losing Session Variables

Posted: Sun Nov 15, 2009 11:27 pm
by MrMoonshiner
I'm losing session variables upon a header() redirect. I'm going nuts looking for a solution that will solve this issue, and I have applied all the fixes that I've found... no luck. I hope someone here can assist, or spot some mistake or oversight I'm making:

FILE: TEST1.PHP
----------------------

<? session_start(); // a suggested fix to the issue, didn't work ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>
</head>
<body>
<form action="test2.php" method="post">
<input name="" type="submit" />
</form>
</body>
</html>

----------------------
FILE: TEST2.PHP
----------------------

<?
session_start();
$_SESSION['logged_in'] = "Hello";
session_write_close(); // a suggested fix to the issue, didn't work
header( "Location: test3.php" );
exit(); // a suggested fix to the issue, didn't work
?>

----------------------
FILE: TEST3.PHP
----------------------

<?
session_start();
echo $_SESSION['logged_in']; // Should output "Hello" into the browser window, but the variable is blank
?>

--------------------------------------------------------

This code works on multiple servers, but I've hit one server where the sessions are being lost upon header() redirect. Thoughts?
Server: PHP Version 4.4.7
System: Linux cgi0502.int.bizland.net 2.6.30.6 #1 SMP Mon Sep 14 16:36:43 EDT 2009 i686
Directive | Local Value | Master Value
session.auto_start | Off | Off
session.bug_compat_42 | Off | Off
session.bug_compat_warn | On | On
session.cache_expire | 180 | 180
session.cache_limiter | nocache | nocache
session.cookie_domain | no value | no value
session.cookie_lifetime | 0 | 0
session.cookie_path | / | /
session.cookie_secure | Off | Off
session.entropy_file | no value | no value
session.entropy_length | 0 | 0
session.gc_divisor | 1000 | 1000
session.gc_maxlifetime | 1440 | 1440
session.gc_probability | 1 | 1
session.name | PHPSESSID | PHPSESSID
session.referer_check | no value | no value
session.save_handler | files | files
session.save_path | /var/php_sessions | /var/php_sessions
session.serialize_handler | php | php
session.use_cookies | On | On
session.use_only_cookies | Off | Off
session.use_trans_sid | On | On

Re: Losing Session Variables

Posted: Mon Nov 16, 2009 4:28 am
by cpetercarter
You have obviously done quite a lot of research already and found, first, that the problem of sessions not being carried on page redirects is widely reported, and, second, that there is no agreement on the best way of dealing with the problem.

The best solution is not to use page redirects at all. In my view, page redirects are for exceptional circumstances, not for routine navigation around a single website. A widely used structure is one which has a single script (eg index.php) for the whole site, with particular pages specified in GETs eg index.php?page=start. Schematically, index.php might look like this:

Code:

session_start(); //if you are using sessions
if (!isset($_SESSION['logged_in'])) {
    $page = 'login';
}
elseif (!isset($_GET['page'])) {
    $page = 'home';
}
else {
    $page = $_GET['page']; //you should incorporate a whitelist of available pages to prevent XSS attacks.
}
include $page.".php"; //put code specific to individual pages in separate include files

I am sorry that this does not directly answer your question, but I feel that a robust solution is one which does not use page redirects at all.
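
One way to implement the whitelist that the comment in the code above asks for, as an added example that is not part of the original post: without it, `include $page.".php"` loads whatever path the request supplies. It assumes PHP 7 or later; the page names, the `notfound` page and the `pages/` directory are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+; the page names
// and the pages/ directory are hypothetical.

// Allow-list: request key => include file. The request value only selects
// an entry here and is never concatenated into a path.
const PAGES = [
    'home'     => 'home.php',
    'login'    => 'login.php',
    'account'  => 'account.php',
    'notfound' => 'notfound.php',
];

function resolve_page(array $get, array $session): string
{
    if (!isset($session['logged_in'])) {
        return 'login';                  // same rule as the sketch in the post
    }
    if (!isset($get['page'])) {
        return 'home';
    }
    $requested = $get['page'];
    // ?page[]=x arrives as an array; anything that is not a listed key is refused.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return 'notfound';
    }
    return $requested;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: run "php index.php" to see how each one resolves.
    $loggedIn = ['logged_in' => 'Hello'];
    $samples = ['account', '../../etc/passwd', 'http://example.invalid/x', ['home'], null];
    foreach ($samples as $value) {
        $get = $value === null ? [] : ['page' => $value];
        echo json_encode($value, JSON_UNESCAPED_SLASHES), ' => ', resolve_page($get, $loggedIn), "\n";
    }
    echo '"account" (no session) => ', resolve_page(['page' => 'account'], []), "\n";
} else {
    session_start();
    $page = resolve_page($_GET, $_SESSION);
    if ($page === 'notfound') {
        http_response_code(404);
    }
    require __DIR__ . '/pages/' . PAGES[$page];
}
```

Run from the command line, only `account` and the missing `page` parameter resolve to real pages for a logged-in session; the path-like, URL-like and array values all resolve to `notfound`.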

Re: Losing Session Variables

Posted: Mon Nov 16, 2009 7:03 pm
by MrMoonshiner
Hmmmm. Fair enough! That's a great way of getting around the issue altogether. Many thanks Peter!