
I made a simple sign up page and when the user's information is validated, right before redirecting, their session id is changed according to a token system I have set up. On the register page, the id is the correct one and I also have a variable UID that I set manually. The problem is that on the next page, the id is different, and the variable is undefined.

$_SESSION['UID'] = $id;
session_id($sessID);

session_write_close();
header("Location: /website/landing.php");
exit();

Cookies are enabled, sessions have a directory "C:/xampp/tmp" and it is written to; I see files with the correct id from the register page there. This is running on localhost and it's an https connection. I've set up everything the way I'm told (through many other Stack Overflow answers) it should be, and yet on the next page:

<?php 
  session_start();

  echo session_id()."\n";
  echo $_SESSION['UID'];

  session_unset();
  session_destroy();
?>

<!DOCTYPE html>
<html>
<head>
  <title>Logged in</title>
</head>
<body>
<h1>Congratulations, you have successfully logged in!</h1>



<a href="logout.php" title="">Log Out</a>

</body>
</html>

Here when I echo the session id, it's a new one and it stays the same every time unless I delete it from the Firefox settings, but even then, the new one is also not the user-specific one I wanted.

What is the cause of this? I feel like it has something to do with the redirection.

hsbsid
  • plus, don't set session_id() yourself, unless you have explicit need to set a specific ID. php will auto-generate a randomish/unique ID for you automatically, and if you're not very careful, you could easily start handing out DUPLICATE ids to different users. – Marc B Aug 07 '15 at 19:00
  • no I have that part covered, I know how to create unique cryptographically strong ids – hsbsid Aug 07 '15 at 19:16

1 Answer


Remove the lines:

session_unset();
session_destroy();

They destroy the session on every page load, thus causing a new session.

I suggest reviewing the docs for session_destroy() for additional actions associated with logout.

Jason McCreary
  • But I only do that on the landing page, after I try to echo the id that was set on the page before. The order of it is: 1. id is set on REGISTER page, and session is not unset or destroyed 2. redirect to LANDING 3. echo id on LANDING 4. unset and destroy. Why would the correct id from step one not echo in step 3? – hsbsid Aug 07 '15 at 19:17
  • This should not affect the printing error. As op is executing the echo before destroying the session – Daryl Gill Aug 07 '15 at 19:52
  • You likely have more than one problem. Also ensure you are using `session_start()` correctly - http://stackoverflow.com/questions/2045550/php-session-id-changes-between-pages. Nonetheless, my answer is indeed part of the solution. – Jason McCreary Aug 07 '15 at 20:47
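
An added example, not part of the original question or answer: one way to rotate the session ID at sign-up without calling session_id() by hand, and to keep session_destroy() for logout only. session_regenerate_id() issues the cookie for the new ID itself, whereas an ID passed to session_id() is only sent to the browser by a later session_start(). The function names are hypothetical, the redirect path is the one from the question, and PHP 7.3+ is assumed for the array forms of session_set_cookie_params() and setcookie().

```php
<?php
// Hypothetical helpers shared by register.php, landing.php and logout.php.

function start_session(): void
{
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server did not issue
    session_set_cookie_params([                // must run before session_start()
        'path'     => '/',
        'secure'   => true,                    // the question says the site is on https
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// register.php: call after start_session() and after validation succeeds.
function sign_in($uid): void
{
    // Rotate the ID at the privilege change. true deletes the old session
    // data; the Set-Cookie header for the new ID is sent by this call.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('could not rotate session id');
    }
    $_SESSION['UID'] = $uid;
    session_write_close();                     // flush data before redirecting
    header('Location: /website/landing.php');
    exit();
}

// landing.php: read only; nothing is unset or destroyed here.
function current_uid()
{
    return $_SESSION['UID'] ?? null;           // null means not signed in
}

// logout.php: the only place the session is torn down.
function sign_out(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [        // expire the browser cookie too
            'expires' => time() - 42000, 'path' => $p['path'],
            'domain'  => $p['domain'],   'secure' => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }
    session_destroy();
}
```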