Losing Session Variables in Firefox and Opera

PastorHank
Forum Contributor
Posts: 117
Joined: Sat Jun 03, 2006 7:58 am
Location: Texas Hill Country

Losing Session Variables in Firefox and Opera

Post by PastorHank »

The following code works in IE, but not in Firefox 3.6 or Opera. Both files are in the cgi-bin folder.

After Checking Id


 
    while ($row = mysql_fetch_array($result1)) {
        extract($row);
        // set username into session vars
        $_SESSION['logname'] = $loginname;
        $_SESSION['auth'] = 'yes';
        $_SESSION['userfname'] = $fname;
        $_SESSION['userlname'] = $lname;
    }
    header("Location:https://www.todaysrancher.org/cgi-bin/mstrctrl.php");
    exit();
 
On opening of mstrctrl.php (the data is verified; all 3 browsers are going to the mstrctrl.php file):


 
<?php
    session_start();
    if ($_SESSION['auth'] == "yes") {
        $User_first_name = $_SESSION['userfname'];
        $User_last_name = $_SESSION['userlname'];
        $user_name = $User_first_name . " " . $User_last_name;
    } else {
        header("Location:https://www.todaysrancher.org/sorry2.html");
        exit();
    }
?>
 
At this point IE runs the correct page and everything shows up correctly. Both Firefox and Opera go to the sorry page. It appears that for some reason the $_SESSION information is being lost. I've googled this and most answers come down to cookies, but both browsers are set to 'accept cookies', so I'm lost as to what's happening.

Should I pass the original session ID? And if so, what's the best method for doing so?

Thanks

Re: Losing Session Variables in Firefox and Opera

Post by PastorHank »

Resolved:
It turns out that this


 
    header("Location:https://www.todaysrancher.org/cgi-bin/mstrctrl.php");
 
had to be rewritten to


 
    header("Location:mstrctrl.php");
 
Because both Firefox and Safari see the http:// as going to a new site and thus starting a new session.
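Added example, not part of the original posts: a session survives a redirect only if the browser sends the session cookie to the target URL, so when an absolute `Location:` behaves differently from a relative one, the cookie's scope is the first thing to check. The PHP sketch below applies simplified cookie-scope rules (host, Domain attribute, Secure flag) to both kinds of redirect; the function name `cookieSentTo` and the example.org URLs are assumptions made for illustration, and it does not establish what happened on the poster's site.

```php
<?php
// Added example (not from the thread): would a browser send the session
// cookie to a redirect target? Simplified cookie-scope check covering host,
// Domain attribute and Secure flag; Path and SameSite are ignored.

// $cookie uses the 'domain' and 'secure' keys of session_get_cookie_params().
function cookieSentTo(array $cookie, string $setOnUrl, string $targetUrl): bool
{
    $originHost   = strtolower(parse_url($setOnUrl, PHP_URL_HOST));
    $targetHost   = strtolower(parse_url($targetUrl, PHP_URL_HOST));
    $targetScheme = strtolower(parse_url($targetUrl, PHP_URL_SCHEME));

    // A Secure cookie is only returned over https.
    if (!empty($cookie['secure']) && $targetScheme !== 'https') {
        return false;
    }
    $domain = strtolower(ltrim($cookie['domain'] ?? '', '.'));
    if ($domain === '') {
        // Host-only cookie (PHP's default, session.cookie_domain is empty):
        // returned only to the exact host that set it.
        return $targetHost === $originHost;
    }
    // Domain cookie: returned to that domain and to its subdomains.
    $suffix = '.' . $domain;
    return $targetHost === $domain
        || substr($targetHost, -strlen($suffix)) === $suffix;
}

// Constructed sample URLs (example.org is a placeholder, not the poster's site).
$loginUrl = 'https://example.org/cgi-bin/login.php';
$targets = [
    'absolute, other host' => 'https://www.example.org/cgi-bin/mstrctrl.php',
    'relative, same host'  => 'https://example.org/cgi-bin/mstrctrl.php',
    'absolute, plain http' => 'http://example.org/cgi-bin/mstrctrl.php',
];
$cookies = [
    'host-only (PHP default)'    => ['domain' => '', 'secure' => false],
    'Domain=example.org; Secure' => ['domain' => 'example.org', 'secure' => true],
];

foreach ($cookies as $cookieLabel => $cookie) {
    foreach ($targets as $targetLabel => $url) {
        $sent = cookieSentTo($cookie, $loginUrl, $url) ? 'sent' : 'NOT sent';
        printf("%-28s -> %-22s %s\n", $cookieLabel, $targetLabel, $sent);
    }
}
```

On a live site, `session_get_cookie_params()` returns the scope PHP will actually use for the session cookie, and the browser's cookie inspector shows which host it was stored for.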