virendra maloo Posted December 22, 2009

Hi, I have developed a (PHP) application which has been tested on different development servers. When I log in to the app and navigate to a specific page just after logging in, the app logs out and I have to re-enter the user credentials. But after logging in again, it works fine (and doesn't show the log-in screen until we log out). I wonder why it works in such an unpredictable way! I have used sessions for security reasons and am quite eager to know if this is something to do with cache. I am using the below code on almost all the pages of the app (so that the user just can't enter the URL of the page and start accessing the application).

---------------------
session_start();
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");

/* The app matches the current session ID with the session ID which the previous page
   has sent and, if it doesn't match, logs out. */
try {
    if (($_GET['session']) == (session_id())) {
        // do nothing
    } else {
        echo '<script type="text/javascript">parent.location="../index.php";</script>';
    }
} catch (Exception $e) {
    echo '<script type="text/javascript">parent.location="../index.php";</script>';
}
---------------

I strongly feel that if the app performs well on one server then it should work perfectly fine on the other system. I, however, have no idea of the php.ini file on the server which throws this issue of logging out, but I can certainly find out the details if it is something to do with the php.ini file. If there's any modification I need to do in the cache settings, let me know. Any help/suggestion would be appreciated.

Virendra Maloo.
DEVILofDARKNESS Posted December 22, 2009

Try to declare the session_cache_limiter before declaring session_start().

P.S.: use php/code tags
virendra maloo (Author) Posted December 23, 2009

session_cache_limiter didn't help!

"When I log in for the first time and redirect the user to a certain page, the page expires, and subsequent login redirection works fine." This is because the session ID I pass through the link is different from the session ID on the redirected page (only for the first-time access!). (I checked it by echoing it on screen.)

Any clue on this?
PFMaBiSmAd Posted December 23, 2009

The symptom seems like you are changing either the hostname (subdomain) or the path when you redirect, and the session cookie is not set up to match a hostname or path that is different than where the session cookie was set. What does a phpinfo() statement show for session.cookie_domain and session.cookie_path on both the system where this works and on the system where it does not work?

P.S. You need to put exit; statements after each of your JavaScript redirects. Without the exit, the remainder of the code on the 'protected' pages is still being executed. All a hacker needs to do is ignore the redirect (or simply have JavaScript turned off) and he can access the 'protected' content on your pages.
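The two points in the reply above (pin the session cookie's scope before session_start(), and stop the script after the redirect) as an added example; this is not code from the thread. It swaps the URL session-ID comparison for a server-side $_SESSION flag, uses an HTTP Location redirect instead of JavaScript, and assumes HTTPS and a hypothetical $_SESSION['authenticated'] flag set by the login page.

```php
<?php
// Added example, not the original poster's code.
// Assumes the login page sets $_SESSION['authenticated'] = true on success
// and that the site is served over HTTPS.

// 1. Cookie scope must cover every page that shares the session, including the
//    page you redirect to right after login. Call this BEFORE session_start().
//    Positional arguments: lifetime, path, domain, secure, httponly.
//    path '/' (not '/app/subdir/') so sibling directories reuse the same cookie;
//    domain '' means the current host only; set it explicitly when redirecting
//    between subdomains.
session_set_cookie_params(0, '/', '', true, true);
session_start();

header("Cache-Control: no-store, no-cache, must-revalidate");
header("Pragma: no-cache");

// 2. Authorise from server-side session state, not from a session ID passed in
//    the URL, and exit immediately after the redirect header. Without the exit,
//    everything below is still executed and sent to a client that simply
//    ignores the redirect.
if (empty($_SESSION['authenticated'])) {
    header('Location: ../index.php');
    exit;
}

// Protected content from here on; only reached by an authenticated session.
$user = isset($_SESSION['username']) ? $_SESSION['username'] : 'user';
echo 'Welcome, ', htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Compare the session.cookie_path and session.cookie_domain values from phpinfo() on both servers; if the working server has path "/" and the failing one has a subdirectory path, the explicit session_set_cookie_params() above removes the dependence on php.ini.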