header() function is killing my sessions?

[Joshua4550]

Hey guys,

 

I have recently made progress on my site, but came to do something savvy with it, and something has started destroying my session vars.

 

Say I had $_SESSION['hello'] set to "true", when a user visits one page, it asks for $_POST details, and depending on what the post details are.. uses the header() function to redirect the user to a page to edit their website.

 

My only problem is that if they go to this script after having the session "hello" set, when they're redirected by the header() function, the session isn't set anymore?

 

Is there a quick solution to this, or should I just use cookies for this?

[PFMaBiSmAd]

Using cookies would likely have the same problem because by default the session id is propagated between pages using a cookie. You need to troubleshoot why your code is not working.

 

Is your header() redirect changing the hostname/subdomain (i.e. changing to/from www. and no-www.) on the URL or going to a different path on the end of the URL from where the session was started?

[Joshua4550]

Yes. They can use a subdomain, because I have set a wildcard dns record to redirect all subdomains to my one script which then checks the subdomain, puts it into a var and checks it.. then it uses header()

 

How can this be fixed so that my sessions stay the same?

[pornophobic]

Are you setting your cookie to example.com or .example.com?

 

example.com will only set a cookie for http://example.com

 

.example.com will set it for http://*.example.com

[Joshua4550]

Atm im using sessions

 

Simple $_SESSION['hello'] = "true";

[jdavidbakr]

Look in your cookies on your browser for the PHP session cookie - I'll bet it's locked to the subdomain it's been assigned from.  Look up http://us2.php.net/manual/en/function.session-set-cookie-params.php and see about changing the $domain to be the root domain so the cookie is set in example.com instead of www.example.com.

[marcus]

Do you have

session_start();

on each of your pages?

[Joshua4550]

Do you have

session_start();

on each of your pages?

Lol, yes.

 

Look in your cookies on your browser for the PHP session cookie - I'll bet it's locked to the subdomain it's been assigned from.  Look up http://us2.php.net/manual/en/function.session-set-cookie-params.php and see about changing the $domain to be the root domain so the cookie is set in example.com instead of www.example.com.

Thanks. One last thing: Would 0 enable the lifetime to ulimited?

 

session_set_cookie_params(0, '/', '.example.com');

yes?

[jdavidbakr]

Looks right to me.  0 is "until the browser closes" which is the normal setting for session cookies.

[Joshua4550]

Okay, well I now have this in each page:

 

session_start();
session_set_cookie_params(0, '/', '.example.net');

 

But after a session is set, if i go to a subdomain.. it doesn't seem to work. Or maybe I have to set the params before starting the session?

[jdavidbakr]

Reverse it, the session_set_cookie_params() needs to be before session_start()

[Joshua4550]

Still no workie. Lol

[Joshua4550]

The session is being set from www. or no subdomain, and then it can be accessed from ww. or no subdomain, but if i use a subdomain.. BOOM it wont work.

 

I do still have this on each page though:

  session_set_cookie_params(0, '/', '.example.net');
  SESSION_START();

[PFMaBiSmAd]

Any chance you are switching between http and https as well? Are these subdomains actually hosted on the same server as the main domain?

 

Post the full URL's (i.e. http://subdomain.domain.com/path/file.php) that you are using that don't work when you switch between them (xxxxx out the actual subdomain and domain if you don't want to post them, but show everything else as it actually is.)

[Joshua4550]

Session is set from:

 

http://www.example.net/login.php

 

Then the session works on:

 

http://www.example.net/site/hello

 

But does NOT work on:

 

http://hello.example.net/site/hello

 

Note: I have a wildcard dns record set which redirects all subdomains to one script on the main domain, and then the main domain asks if theres a subdomain.. if so uses header() to send them to another script.. but the sessions dont work here. If I just go to www. the sessions DO work.

[PFMaBiSmAd]

When you examine the session id cookie in your browser while at each URL, what do you get?

 

If you start a session at the http://hello.example.net/site/hello address and stay at that address, does the session work?

[Joshua4550]

I don't really know how i'd go about testing that, tbh.

 

But this is the script which all subdomains redirect to:

 

<?PHP
      session_set_cookie_params(0, '/', '.example.net');
      SESSION_START();
      $subdomain = str_replace("example.net", "", str_replace(".example.net", "", $_SERVER['HTTP_HOST']));
      // Detect whether we're on the main website or a subdomain
      if ($subdomain == "www" || empty($subdomain)) {
            // On the main website
            header("Location: /title.php");
      } else {
            // On a subdomain
            header("Location: /site/" . $subdomain );
      }
?>

 

Would this script interrupt the sessions at all?

[Joshua4550]

If this script is interrupting the sessions, then I probably have an alternative solution.

[Joshua4550]

Guess noone knows since you all left.

[PFMaBiSmAd]

Any chance of doing this -

When you examine the session id cookie in your browser while at each URL, what do you get?

Do the values match what you are putting into session_set_cookie_params()?

 

You are the only one here who can investigate what is happening on your server.

[Joshua4550]

Define examine.

 

Do you want me to print them?

[Joshua4550]

I used print_r() on the page, it printed out the value of the session when not on a subdomain, but when on a subdomain it prints NOTHING. This means that the session is EMPTY on any subdomain? Wtf is wrong?

[jdavidbakr]

In your browser you should be able to view the cookie.  I.e, in  Firefox, go to preferences->privacy->show cookies.  Find your cookie by tying in your root address in the search box and tell us what shows up under "Site."  If you're seeing all your subdomains (assuming that you're restarted the browser and thus cleared out your previous attempts) then something is not working as expected, but it may help identify what might be going on.

 

I wonder if you should leave off the leading "." in the domain so the command is:

 

session_set_cookie_params(0, '/', 'example.net');

 

I honestly don't know whether that will make a difference or not, though.

[Joshua4550]

Hmm.

 

Seems to work, after clearing all existing cookies xD Idk why, but thanks bud.