0

In one of my environments, I have a page which sets a session variable, then redirects to another, similar to below:

ScriptA.php

```php
<?php
session_start();
$_SESSION['foo'] = 'bar';
header("Location: ScriptB.php"); // redirect to ScriptB
die();
```

ScriptB.php

```php
<?php
session_start();
header("HTTP/1.0 403 Forbidden");
echo $_SESSION['foo']; // will print nothing
unset($_SESSION['foo']);
```

If I comment out the header line in ScriptB.php, it WILL print the value. Very strange.

Any ideas? I have never seen this behavior before.

Note: This is a Win 2008 Server, Running IIS 7, and PHP 5.3

  • Do you send your PHP_SESSION_ID as GET parameter or via a cookie? If you are using a GET parameter, it might get lost during your redirect. It will also get lost if you change the domain during your redirect, even when using a cookie. – ToBe Jan 30 '14 at 14:55
  • There are browsers that substitute their own logic if the error message is smaller than X characters. [See also this answer](http://stackoverflow.com/questions/1674659/browser-behavior-on-403-forbidden-error). – Wrikken Jan 30 '14 at 14:57
  • You can't send output to the page after you've sent a 403 Forbidden header. – crush Jan 30 '14 at 14:57
  • Why is "If I comment out the header line in ScriptB.php, it WILL print the value. Very strange." strange? You already have your header output!!!! – pregmatch Jan 30 '14 at 15:03
  • I did not have a friendly 403, but I just did a test to send a 403 and display my friendly 404 and it worked: `` so the comment by @crush is incorrect. (When I tried a tiny message, the browser showed its default response though.) – TecBrat Jan 30 '14 at 15:08
  • @ToBe, thanks I tried this also with the same result. – dev.user.23 Jan 30 '14 at 18:19
  • @crush, thanks but this isn't true (at least not in my case). I can add hard coded garbage text, and it will show. – dev.user.23 Jan 30 '14 at 18:19
  • More info. If I comment out the unset($_SESSION['foo']) it works as expected. Strange since it comes after output. Also, I tried this on another server with Win2003, and IIS6, and for some reason it WORKS there. So maybe this is some IIS problem. What's the proper place to ask that question? Thanks to everyone for helping. – dev.user.23 Jan 30 '14 at 18:22
  • Any particular reason you are using `HTTP 1.0` instead of `1.1`? – crush Jan 30 '14 at 18:23
  • There must be more going on here than you are telling us about. What you are doing works fine: http://ideone.com/TMIt73 – crush Jan 30 '14 at 18:26
  • Maybe your browser calls scriptb twice for some reason and you only see the second call with session already unset? Add a counter to your session that increments on each call to debug this. – ToBe Jan 30 '14 at 18:33
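
ToBe's counter suggestion above, written out as an added example that is not part of the original thread: an instrumented ScriptB.php that counts hits per session and logs one line per request, so a second, unexpected request for ScriptB becomes visible. It assumes `error_log()` writes to a log you can read; the `scriptb_hits` key is a hypothetical name chosen for this example.

```php
<?php
// ScriptB.php, instrumented for debugging (added example, not the asker's code).
// Assumption: error_log() goes to a readable PHP error log on this server.
session_start();

// Hypothetical counter key: how many times this session has reached ScriptB.
$_SESSION['scriptb_hits'] = isset($_SESSION['scriptb_hits'])
    ? $_SESSION['scriptb_hits'] + 1
    : 1;

// Log a short hash of the session id, not the id itself, so the log
// cannot be used to hijack the session.
$sidTag = substr(sha1(session_id()), 0, 8);

// One line per request: a second line for the same session tag means
// ScriptB ran more than once for a single page view.
error_log(sprintf(
    'ScriptB hit=%d sid=%s method=%s uri=%s referer=%s foo=%s',
    $_SESSION['scriptb_hits'],
    $sidTag,
    $_SERVER['REQUEST_METHOD'],
    $_SERVER['REQUEST_URI'],
    isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '-',
    isset($_SESSION['foo']) ? var_export($_SESSION['foo'], true) : '(unset)'
));

header('HTTP/1.0 403 Forbidden');

// Show what this particular request saw, escaped for HTML output.
$foo = isset($_SESSION['foo']) ? $_SESSION['foo'] : '(not in session)';
echo 'foo = ' . htmlspecialchars($foo, ENT_QUOTES, 'UTF-8');
echo ' / hit #' . (int) $_SESSION['scriptb_hits'];

unset($_SESSION['foo']);
```

If the log shows a `hit=1` line with `foo='bar'` followed by a `hit=2` line with `foo=(unset)` for the same session tag, ScriptB was requested twice and the browser displayed the second response.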

2 Answers

1

Script B should read

```php
<?php
ob_start();
session_start();
echo $_SESSION['foo']; // This should print
unset($_SESSION['foo']);
header("HTTP/1.0 403 Forbidden"); // <--- moved to bottom
ob_end_flush();
```

Pwner
  • This will fail as you cannot send a header after you echo. http://stackoverflow.com/questions/8028957 – TecBrat Jan 30 '14 at 15:15
0

Try this:

Script B

```php
<?php
session_start();
header("HTTP/1.0 403 Forbidden");
echo $_SESSION['foo']."<br><br>\n\n"; // This should print
unset($_SESSION['foo']);
readfile('path/to/some/friendly403message.html');
```

You probably just need enough text for the browser to think your information is more helpful than their default.

TecBrat
  • Thanks, but I was able to add garbage text and it still shows. The variable simply isn't in the session. I confirmed by doing a print_r($_SESSION); – dev.user.23 Jan 30 '14 at 18:21