Jump to content

Recommended Posts

Hi fellow PHP coders

I have been looking everwhere on the internet for an answer, for a problem that seems to be so common I have not yet found a response, or should I say "a simple response", I am hoping that if I post it here then someone who has had this problem before (and has fixed it/or a get around) might help me.

 

before i start to explain the issue please note that everything works great apart from the SESSION VARS.

 

Ok, here goes.

 

I have a seach page (for example search.php), when you click Submit it will then load the next page (presearch.php) that next page then stores some sessions from the $_POST (pure PHP page) and then headers off to the output of the seach page from the database (generatesearch.php)

 

Intermittantly, <-- when the page headers off to the next page (generatesearch.php) it looses the session variables.

var_dump ($_SESSION["username"]); 

shows NULL.

 

How ever if I click back to the home page (or any page before the search form pahe), or do a BACK on the browser back to the search.php the session variable is back again.

 

ummm strange...

 

So again, spent some time looking into this and found that after the header, the session id is different. (why have different session id's??? grr). So it would seem that this header is refreshing everything a new.

 

But why is it intermittant??, surely if this was either going to work or not work everytime, not just sometimes. A few people have mentioned about using meta header redirection instead as this keeps sessions, but is this a right way of doing it?

 

surely I am not the only one trying to resolve this, can anyone please give some advice.

 

Do you think I need to speak to my hosting company?  :shrug:

 

Many Thanks

Cliff

assuming you have SESSION_START() at the top of every page already, just use includes rather than headers ie -

include_once "presearch.php"

at the top of generatesearch.php.

 

I thought about doing this but the reason for a intermediary page is so when the generatesearch.php page has completed and you want to press your back button (on the browser) you do not get the form submission stuff popup.

 

I use session_start() all the time... but its strange that is it intermittant.

 

Thanks, any other ideas.

 

Cliff

Any chance that your staring page is sometimes with the www. (hostname/subdomain) on the URL and sometimes without the www. on the URL but your header() redirect specifically matches only one version of the hostname/subdomain and the times it works is when the starting URL and redirect have the same hostname/subdomain and the times it does not work is when the starting URL and redirect don't have the same hostname/subdomain?

Any chance that your staring page is sometimes with the www. (hostname/subdomain) on the URL and sometimes without the www. on the URL but your header() redirect specifically matches only one version of the hostname/subdomain and the times it works is when the starting URL and redirect have the same hostname/subdomain and the times it does not work is when the starting URL and redirect don't have the same hostname/subdomain?

 

as far as I can remember (and I will check when I get home) the command is ..

 

header("location:www.[domain].co.uk/generatesearch.php?....")

 

... being some $_GET strings.

 

Cliff

Ok, :( this is getting stranger by the minute. I think I may need to speak to my hosting company re this unless it is something that you've encountered before. I think it is to do with SESSION ID's

 

After the header function to another page you get the search results (like its designed to do), like I said sometimes the session vars are gone but if you back up a little bit they are back (by pressing back button or going back to the home page).

 

So a session variable that is there on one page, then not the next and then when you go back its there.  :confused:

 

The session variable im using is $_SESSION["username"]; (because if that is populated then you are logged in). But what I noticed last night is this, from a new browser instance (so no browser sessions in use) I can log in with a username, do a search, the results come up, I echo the session ID and $_SESSION["username"]; thats Ok. If I then log out (which does a "session_destroy();" it clears all the session vars (and it seems to do this Ok) but if I then log in as a different user, and do the search again when it gets the to search results the $_SESSION["username"] is back the 1st user.

 

Any ideas?

 

Is there a way somehome (maybe my hosting company) to lock down all these extra session id's and just do it do it only creates one. Why is creating and using different session id's  :confused: :confused:

 

any help would be greatly appriciated.

 

 

Many Thanks

Cliff

That's a new one on me.  the only reason I can think of why it would possably create multiple sessions per visit would be if some of the pages didn't have the SESSION_START() at the top of them before all the other code.  This would effectivly have the result of generating a new session each time you move to a page that does have a session on it.  for example, you go : page1->page2->page3->page4->page5 : page1 has a session on it and generates the key, page2 has a "broken" session and as such the session is dropped, page3 has another working session and so generates a new key as the old one was lost on page2, page 4 has no session at all and so the session key is again dropped, page5 doing what it should makes a third session key, so you get three sessions when you only wanted one.  Here is a way to check if your sessions are being dropped :-

on your home page just after the session_start(); add

$_SESSION['test'] = 'true'

now make a new php file (name it as you wish, i'm going to use ses_test.php for the example)add the following code to ses_test.php

<?php
If($_SESSION['test'] != 'true'){
echo '<h2><center>You'r Session Has Been Lost!</center></h2><br><br>';
}
?>

Now

include_once 'ses_test.php';

the file in each of your other pages just above any output (on pages with no output stick it anywhere you like that's not in the way of other coding) and see what happens.  go through the site a few times and see if it losses session, and if it does see where it losses it - ie. is it always on the same pages? If so it may be that you code is leaking an output before the SESSION veriable initalises on that page.  if it turns out to be on  random pages you may need to look at other ways of attying your session information between pages (such as cookies or explicit headers).  anyway, let us know how you get on.

That's a new one on me.  the only reason I can think of why it would possably create multiple sessions per visit would be if some of the pages didn't have the SESSION_START() at the top of them before all the other code.  This would effectivly have the result of generating a new session each time you move to a page that does have a session on it.  for example, you go : page1->page2->page3->page4->page5 : page1 has a session on it and generates the key, page2 has a "broken" session and as such the session is dropped, page3 has another working session and so generates a new key as the old one was lost on page2, page 4 has no session at all and so the session key is again dropped, page5 doing what it should makes a third session key, so you get three sessions when you only wanted one.  Here is a way to check if your sessions are being dropped :-

on your home page just after the session_start(); add

$_SESSION['test'] = 'true'

now make a new php file (name it as you wish, i'm going to use ses_test.php for the example)add the following code to ses_test.php

<?php
If($_SESSION['test'] != 'true'){
echo '<h2><center>You'r Session Has Been Lost!</center></h2><br><br>';
}
?>

Now

include_once 'ses_test.php';

the file in each of your other pages just above any output (on pages with no output stick it anywhere you like that's not in the way of other coding) and see what happens.  go through the site a few times and see if it losses session, and if it does see where it losses it - ie. is it always on the same pages? If so it may be that you code is leaking an output before the SESSION veriable initalises on that page.  if it turns out to be on  random pages you may need to look at other ways of attying your session information between pages (such as cookies or explicit headers).  anyway, let us know how you get on.

 

ok, thanks. Im going to check this out, im sure all the pages have got session_start(); at the start before everything but I will check again lunchtime.

 

I will get back to you Muddy :)

Woohoooo. I havent "FIXED" it BUT I have found a way around it. I dont think it is the right way of doing it but I did notice that the Natwest website does the same thing.

 

Like I said, From the search form (page1), I action to an intermediary .php file "presearch.php" (page2), this then headers to the the generatesearch.php with all the search parameters in the URL so i can $_GET on the generateseach.php (page3) page.

 

To keep the session id from changing at this point, I have put another $_GET variable on to the end of the URL with all the other parameters with the sessionid that is used before the header occurs, when you log in.

 

Then at the beginning of generatesearch.php I use this.

 

session_id($_GET["sid"]);
session_start();

 

so it forces this page (where it causes a problem before) to always use this session id, and hey presto all my session data is avaliable again.

 

I do think sometimes certain things needs relooking and changing where web technology is concerned.

 

Thanks all

Cliff  ;D

 

 

 

 

 

Edit: You did not mention that the session id IS being passed in the URL. Doing so is a problem because php will only automatically do that with relative URL's, not absolute URL's. Since your header() redirect is using an absolute URL, you must handle passing the session id in the URL yourself at that point, because php won't. Is there some reason you are not passing the session id using a cookie?

 

Original post-

 

So did you ever determine if you were switching back and forth between www. and no-www. hostnames/subdomains? If this is the case, you can set the session.cookie_domain to match all hostnames/subdomains of your domain.

 

The session ID cookie is sent by the browser when the cookie matches the URL that is being requested. The symptom you are getting is that of having multiple sessions for one visitor because different pages or different visits to the same page are using different URL's.

 

You could also have a server that is configured to add the session SID into relative URL's (but does not do so for absolute URL's.) Do any of the URL's show a value like ?PHPSESSID=82r964lhblttdauqrr9llv8575 in them?

 

Finally, use some full php error_reporting to see if it exposes some problem. Add the following two lines of code immediately after your first opening <?php tag on the relvant pages -

 

ini_set("display_startup_errors", "1");
ini_set("display_errors", "1");
error_reporting(E_ALL);

Edit: You did not mention that the session id IS being passed in the URL. Doing so is a problem because php will only automatically do that with relative URL's, not absolute URL's. Since your header() redirect is using an absolute URL, you must handle passing the session id in the URL yourself at that point, because php won't. Is there some reason you are not passing the session id using a cookie?

 

I started doing this with cookies, and then using $_COOKIE['username']; but was told on here that COOKIES are not very secure as you can create a cookie yourself if you was hacking and get in that way, so SESSIONS then seemed the best way. Before I was not passing the sessionid in the URL but found by doing so has fixed the problem (with a very small amount of coding).. I know it shows in the URL but is not really a security thing as there is not database writing really involved with it, if it gets changed. If would just the assume that the user is not logged in.

 

Original post-

 

So did you ever determine if you were switching back and forth between www. and no-www. hostnames/subdomains? If this is the case, you can set the session.cookie_domain to match all hostnames/subdomains of your domain.

 

I did check this and they are all set to "http://www...."

 

 

The session ID cookie is sent by the browser when the cookie matches the URL that is being requested. The symptom you are getting is that of having multiple sessions for one visitor because different pages or different visits to the same page are using different URL's.

 

You could also have a server that is configured to add the session SID into relative URL's (but does not do so for absolute URL's.) Do any of the URL's show a value like ?PHPSESSID=82r964lhblttdauqrr9llv8575 in them?

 

Finally, use some full php error_reporting to see if it exposes some problem. Add the following two lines of code immediately after your first opening <?php tag on the relvant pages -

 

ini_set("display_startup_errors", "1");
ini_set("display_errors", "1");
error_reporting(E_ALL);

 

Thanks for you help.

If your user information is stored in a database you can just add a field cookie_id and hash the user name into it with MD5, then post the cookie_id hash out in the cookie to valid logins.  That would make it a hastle for someone to hack your cookie with manual creation (at least it will be about as secure as posting the session in the URL).  Or take it further and SALT(MD5) the whole thing - others will fill you in better than me on that though.  Anyways, congrats on getting it working :)

I started doing this with cookies, and ...

 

If you read what I wrote, I stated "passing the session id using a cookie?", which is the default way that php passes the session id. That's not the same as passing actual information through a cookie.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.