
Just look at this simple example because after hours of trying, I can't get it to work.

```php
if(!isset($_SESSION['alien'])){
  if(!isset($_SERVER['HTTP_REFERER']) &&
      $_SERVER['HTTP_REFERER'] != 'http://www.alien-planet.com/'){
       echo 'Go AWAY';
  }else{
       $_SESSION['alien'] = 'Yes';
  }

}
```

The purpose is, if someone is coming from alien-planet.com, to never show the Go AWAY message. That is when he/she lands on the index page. But if that person came from that website, a session `$_SESSION['alien'] = 'Yes';` will be initialized, so even if that person refreshes the page, or goes through the site links, he/she won't see the message.

The problem: the first time you visit the page, you don't see the Go AWAY message (meaning it works, since I am coming from alien-planet.com), but as I go to other pages, still within the same site with `session_start()` included in all pages, I somehow lose the message, and when I go back to the index page again I see the Go AWAY message.

I don't understand what is causing this. There are no session destroy/unset calls in the pages.

samayo
  • Are you SURE that the second if is doing what you want? You're looking if you have not set the HTTP_REFERER but ALSO you must have the same HTTP_REFERER set to something, to get the "go away" message. Something's odd there. – STT LCU Nov 25 '13 at 16:29
  • Try checking like this and let me know. `if(!isset($_SERVER['HTTP_REFERER']) && !strpos($_SERVER['HTTP_REFERER'],'alien-planet.com')){` – Shankar Narayana Damodaran Nov 25 '13 at 16:29
  • @ShankarDamodaran I have already done `var_dump($_SERVER['HTTP_REFERER'])` and it shows the accurate result – samayo Nov 25 '13 at 16:32
  • I can see 2 possible reasons (I'm sure there are more); 1) you're not starting the session on the first page, so the session data is never saved the first time. 2) You're moving from - for example - www.example.com to example.com when linking to internal pages. If the domain changes, the cookies may "vanish" (ie the session be lost) – Joachim Isaksson Nov 25 '13 at 16:32
  • Have to agree with @STTLCU `!isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] != 'http://www.alien-planet.com/'` that's giving me some trouble as it basically reads `IF $_SERVER['HTTP_REFERER'] IS NOT SET AND $_SERVER['HTTP_REFERER'] IS SET BUT IS NOT EQUAL TO... ` if you see what I mean, and `||` instead of an `&&` might be better. – CD001 Nov 25 '13 at 16:33
  • @JoachimIsaksson the session is actually started on the first page. Yes, I am moving from www.example.com to example.com, but what does that matter? The session is stored on the server, right? – samayo Nov 25 '13 at 16:34
  • 'HTTP_REFERER' - The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted – Krish R Nov 25 '13 at 16:34
  • @THOR the Session might be stored on the server - but if you're using cookies to hold the session id the domain is important. – CD001 Nov 25 '13 at 16:35
  • @THOR one other thing ... do you have a `session_start()` call (loading in any other relevant bumph) at the top of **every** page? You say it's set on the first page which sort of implies you don't have it set on every page to me? – CD001 Nov 25 '13 at 16:39
  • @THOR Check for example [this link](http://us2.php.net/manual/en/ref.session.php#100311). More info how to set it up to work across hostnames in a subdomain is [here](http://stackoverflow.com/questions/795414/why-cant-i-pass-user-sessions-between-subdomains). – Joachim Isaksson Nov 25 '13 at 16:41
  • @CD001 I have it set on every page; in fact I have a session.php page included on every page. – samayo Nov 25 '13 at 16:41

1 Answer


Seems like the session is not the same for all requests. Maybe you don't tell PHP what the user session is. There are different ways, for example the request param PHPSESSID or session cookies.

Please ensure that you use one of the methods. You can simply test it by printing out the current session id for each request:

```php
echo session_id();
```
NiMeDia
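An added example, not part of the original question or answer, that combines the points raised in the comments and the answer: a session cookie scoped to cover both example.com and www.example.com, a referer check without the contradictory `&&`, and the session id diagnostic. It assumes PHP 7.3+ (array form of `session_set_cookie_params`) and an HTTPS site; `cameFromHost` is a hypothetical helper name, and the hostnames are the ones used on this page.

```php
<?php
// Assumption: pages are served from both www.example.com and example.com,
// as described in the comments. Without an explicit cookie domain the session
// cookie is host-only, so each hostname ends up with its own session.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => 'example.com',   // valid for example.com and its subdomains
    'secure'   => true,            // assumption: the site is served over HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/**
 * Hypothetical helper: true when the Referer header names the expected host.
 * The header is supplied by the client, so treat the result as a hint only,
 * never as an access-control decision.
 */
function cameFromHost(array $server, string $expectedHost): bool
{
    if (empty($server['HTTP_REFERER'])) {
        return false;               // header missing: not from the expected site
    }
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

if (!isset($_SESSION['alien'])) {
    if (cameFromHost($_SERVER, 'www.alien-planet.com')) {
        $_SESSION['alien'] = 'Yes'; // remembered for later pages and refreshes
    } else {
        echo 'Go AWAY';
    }
}

// Diagnostic from the answer: the id should be identical on every page,
// whichever hostname the page was requested from.
error_log('session id: ' . session_id());
```

If the logged session id changes between www.example.com and example.com, the cookie domain is the cause rather than the referer check.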