I have a WordPress website hosted at wordpress.org, and also an independent PHP application deployed in the same location (sharing the same hosting).

The independent application has its own login page and home page. When a user logs in, I set a session flag indicating the user has logged in. However, when I redirect to the user home page (after login), all the values from $_SESSION are lost.

The cookie path is set to '/' and session.save_path is set to '/var/lib/php5'.

I have checked the answer given in PHP session lost after redirect and verified all points.

Also, I have followed the steps mentioned here https://wordpress.org/support/topic/php-_session-info-gets-lost-from-an-external-login-page-to-a-wp-installation

But none of these are working.

Can anyone suggest what could be the possible issue and resolution for it? Thanks.

PHP Version: 5.5.9-1ubuntu4.19

  • Is the path writable by your server? The usual path for session is '/tmp/', I think. – frz3993 Aug 10 '16 at 18:30
  • Cross site sessions Hmmmm I hope not. Are these 2 different domains? – RiggsFolly Aug 10 '16 at 18:30
  • Have you checked if your browser's cookies have changed? I know you have checked if it is enabled, but have you checked if the browser received new cookies or kept the same old cookies? – SOFe Aug 10 '16 at 18:30
  • @RiggsFolly This is deployed on same domain and the redirect occurs on the same domain as well (from http :// abc.com/s/login.php to http :// abc.com/s/main.php) – Tim Aug 10 '16 at 18:36
  • @frz3993 I tried setting the session_save_path to a different physical directory as well but it didn't help. – Tim Aug 10 '16 at 18:38
  • @PEMapModder It kept the same cookie. I checked the `PHPSESSID` and it retained the value – Tim Aug 10 '16 at 18:43
  • Did you make sure you didn't empty the value yourself? What about trying to do session_start and printing the session value at the very beginning of the triggered script (rather than other included files, if any)? – SOFe Aug 10 '16 at 18:44
  • Check your session save path. Does the session file get created there? – frz3993 Aug 10 '16 at 18:47
  • @PEMapModder No I didn't. I just set the session and redirected and first thing I'm doing on the next page is to check the session again. – Tim Aug 10 '16 at 18:55
  • @frz3993 I just checked the session save path (the one that I overrode in my code just before session_start()); there isn't any file there. The path told by phpinfo is out of my bounds as it is a shared hosting service. I can only check my home directory via FTP and hosting panel. – Tim Aug 10 '16 at 18:57
  • Then, why not create the session directory in your home directory? – frz3993 Aug 10 '16 at 19:05

1 Answer

You really shouldn't comment out or amend wp_unregister_globals. Check out http://silvermapleweb.com/using-the-php-session-in-wordpress/ for examples of how to achieve sessions in WordPress without messing with wp_unregister_globals.

I use this and it works a treat:

    add_action('init', 'myStartSession', 1);
    function myStartSession() {
        if(!session_id()) {
            session_start();
        }
    }

I would also consider storing your session data in the database rather than in files, particularly as you are in a shared server environment. Anyone else on that server could potentially access your site's session data and take over a user's session.

In my most recent plugin I created a new table in the WordPress database to store session data, then use session_set_save_handler to change the behaviour. So my start session script became something like this:

    add_action('init', 'myStartSession', 1);
    function myStartSession() {
        if(!session_id()) {
            // Register the database-backed handlers before the session starts.
            session_set_save_handler('open_session', 'close_session', 'read_session', 'write_session', 'destroy_session', 'clean_session');
            session_start();
        }
    }

    // Hourly WP-Cron job that purges stale session rows.
    add_action('session_gc', 'session_gc');

    if ( ! wp_next_scheduled( 'session_gc' ) )
    {
        wp_schedule_event( time(), 'hourly', 'session_gc' );
    }

    // Nothing to open or close: $wpdb already holds the connection.
    function open_session()
    {
        return true;
    }

    function close_session()
    {
        return true;
    }

    // Return the serialized session data for this id, or '' if there is none.
    function read_session($sessionid)
    {
        global $wpdb;

        $session_table_name = $wpdb->prefix . "sessions";

        $query = $wpdb->prepare(
            "SELECT data FROM $session_table_name
            WHERE id = %s",
            $sessionid);

        $result = $wpdb->get_var($query);

        if ($result)
        {
            return $result;
        } else
        {
            return '';
        }
    }

    // Insert or overwrite the row for this session id.
    function write_session($sessionid, $data)
    {
        global $wpdb;

        $session_table_name = $wpdb->prefix . "sessions";

        $rowsaffected = $wpdb->replace(
            $session_table_name,
            array(
                'id' => $sessionid,
                'data' => $data
            ),
            array(
                '%s',
                '%s'
            ));

        return true;
    }

    // Delete the row and clear the in-memory session data.
    function destroy_session($sessionid)
    {
        global $wpdb;

        $session_table_name = $wpdb->prefix . "sessions";

        $rowsaffected = $wpdb->delete($session_table_name, array('id' => $sessionid), array('%s'));

        $_SESSION = array();

        return true;
    }

    // PHP's own garbage-collection callback: $expire is the maximum lifetime in seconds.
    function clean_session($expire)
    {
        global $wpdb;

        $session_table_name = $wpdb->prefix . "sessions";

        $wpdb->query(
            $wpdb->prepare(
                "DELETE FROM $session_table_name
                WHERE DATE_ADD(last_accessed, INTERVAL %d SECOND) < NOW()",
                $expire
            )
        );

        return true;
    }

    // WP-Cron callback: drop sessions not accessed for a day.
    // Note: PHP 7.1+ has a built-in session_gc(), so on those versions this
    // function (and the callback name passed to add_action) must be renamed.
    function session_gc() {
        global $wpdb;

        $session_table_name = $wpdb->prefix . "sessions";

        $query = "DELETE FROM $session_table_name WHERE last_accessed < date_sub(CURRENT_TIMESTAMP(), INTERVAL 1 DAY)";
        $wpdb->query($query);

    }

See http://www.stormyfrog.com/using-wpdb-outside-wordpress/ for tips on accessing the $wpdb class from outside WordPress. You could simply include wp-load.php; then I think you would get the session behaviour for free, as I'm pretty sure the init hook comes in after wp-load.php. The downside to that, of course, is that you put the overhead of loading WordPress into your own pages, which you may not want.
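
The handlers in the answer above read and write a `{prefix}sessions` table that the answer does not show. The following is an added example, not the answer author's code, of a table definition that fits those queries: the column names `id`, `data` and `last_accessed` come from the handlers, while the column types, the index and the function name `create_sessions_table()` are assumptions.

```php
<?php
// Added example (not from the original answer): creates the table that
// read_session(), write_session(), clean_session() and session_gc() expect.
// Column names are taken from those queries; types and the function name
// create_sessions_table() are assumptions.
function create_sessions_table()
{
    global $wpdb;

    $session_table_name = $wpdb->prefix . "sessions";
    $charset_collate    = $wpdb->get_charset_collate();

    // write_session() calls $wpdb->replace(), i.e. REPLACE INTO, which deletes
    // and re-inserts the row. DEFAULT CURRENT_TIMESTAMP therefore refreshes
    // last_accessed on every write even though the handler never sets it.
    // The index on last_accessed keeps the two clean-up DELETEs cheap.
    $sql = "CREATE TABLE IF NOT EXISTS $session_table_name (
        id VARCHAR(128) NOT NULL,
        data LONGTEXT NOT NULL,
        last_accessed TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
        PRIMARY KEY (id),
        KEY last_accessed (last_accessed)
    ) $charset_collate";

    // $wpdb->query() returns false on a database error.
    return $wpdb->query($sql) !== false;
}

// Run once on plugin activation; __FILE__ must be the main plugin file.
register_activation_hook(__FILE__, 'create_sessions_table');
```

With this layout the session payload is stored as plain serialized text, so anything holding the WordPress database credentials can read it.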