3
  1. User fills in username and password.
  2. If it's correct, the page loads some information such as user_id to a session variable.
  3. The script makes a header('Location') redirect.
  4. Somehow the next page doesn't recognize the session... how come?

The redirection is to the same domain, and all pages have session_start();

And I found it more likely to happen in IE than in FF... strange.

Shir Gans
  • 1,976
  • 3
  • 23
  • 40

6 Answers6

7

Is it possible that cookies aren't enabled?

In order to be able to associate session variables with a specific client instance (ie. how session variables can be used on your browser and my browser at the same time without getting into a conflict), a "session ID" (or "SID") is generated per session. This ID is stored on the server, as well as on the client, usually in the form of a cookie. However, if cookies are not enabled, the session ID is passed along as part of the query string of the URL in each request so that the server can know what session ID belongs to the client.

When you redirect by a header() call, PHP does not automatically insert the SID into the new request, so you will need to append it yourself, in the form of:

header("Location: my_url.com/my_page.php?" . SID)

where SID is a constant defined by PHP that contains the necessary part of the query string (equivalent to session_name() . '=' . session_id(), if a session ID exists).

See Passing the Session ID for more details.

Daniel Vandersluis
  • 91,582
  • 23
  • 169
  • 153
  • Thank you for the fast answer. Can you explain me a bit? what did meen by "propagating the SID"? If this put any more light - just found out that in the localhost it works fine, but on the server something goes wrong. – Shir Gans Dec 07 '09 at 17:23
  • you are very clear. Thank you for your help. Unfortunately it didn't help and my cookies are enabled, and as I said, on the localhost it works great. Still I can't figure what causing it to dump the session. Is there another way of making redirect in PHP without having the trouble of loosing session variables ? Thank you! – Shir Gans Dec 07 '09 at 18:46
  • I knocked my head against the wall until I checked if my cookies were enabled. Thanks for the hint1 – Peter Clause Nov 18 '15 at 08:36
5

I just had a similar issue, the solution was to simply add an exit(); instruction under the header(..) redirection.

Matthieu
  • 51
  • 1
  • 1
2

Two thoughts:

  1. Is session_start() located at the top of the scripts, before anything is sent to the browser?
  2. Is the domain exactly the same? www.mydomain.com re-directing to mydomain.com would lead to the problem you describe.
jeroen
  • 91,079
  • 21
  • 114
  • 132
1
header("Location: my_url.com/my_page.php?" . SID)
exit();

It only worked after I added exit() below the header();

irfan
  • 11
  • 1
  • hello, i may think wrong but if PHP is a line-by-line interpreter how will be executed the exit() if the url is redirected, and dont return back? – Andrewboy Sep 29 '20 at 22:26
0

The WordPress documentation states that cookies will be cleared if the user's password is changed. That will kill the session, regardless of whether a redirect happens. So long as you can prevent the cookies from being cleared (and an exit() may do that, as suggested in other answers) than the session should remain.

Note: If current user's password is being updated, then the cookies will be cleared!

http://codex.wordpress.org/Function_Reference/wp_update_user

Jason
  • 4,411
  • 7
  • 40
  • 53
0

I had this problem today and have been searching for a way to fix it. I already had what everyone else has mentioned and could not find an answer anywhere.

Eventually I found the answer after watching my session variables with Firebug. I noticed that on the pages that the variables were being lost, the session Parameter:secure was being set to true for some reason unknown to me.

The fix was to set the secure parameter to false before the session was created.

I accomplished this using session_set_cookie_params. Something like this:

session_set_cookie_params([lifetime], [path], [domain], false, true);
ChristopherStrydom
  • 7,338
  • 5
  • 21
  • 34