3

I'm working on my own learning project for fun, and have been banging my head against the wall for the last few weeks. I have session variables that simply don't exist when they should and vice versa.

On "example.com/dashboard", $_SESSION['user'] exists, and then when going to "example.com/app/list" there's an if-statement testing if it does exist and is set.

<?php
session_start();
if(!isset($_SESSION['user'])) {
    $_SESSION['errorMessage'] = "You are not logged in yet!";
    header('Location: /');
    exit;
}

Even though I verified $_SESSION['user'] is set on example.com/dashboard, the if-statement returns false and throws me to the login page.

*In my case the login page is my index.php on the root of my website.

Now, on this login page you should be immediately redirected to the dashboard if $_SESSION['user'] is set.

<?php
session_start();
if(isset($_SESSION['user'])) {
    header('Location: /dashboard');
    exit();
}

Like I said before, it is set, but somehow isn't. When refreshing, it sends me to the dashboard (which is supposed to happen if $_SESSION['user'] is set.)

That is problem one.

Now on "example.com/register", whilst not being logged in (Session was destroyed on logout using session_unset, session_destroy etc.), $_SESSION['user'] does not exist. After pressing submit, somehow $_SESSION['user'] is set to what it used to be when you were logged in. Absolutely nowhere else is there a piece of code that sets $_SESSION['user'] to anything, except for the login script. There is nothing on my register page that would allow this. It is as if after logout the session is retained.

Code from my root page aka login form (index.php):

<?php
session_start();
if(isset($_SESSION['user'])) {
    header('Location: /dashboard');
    exit();
}

Code from dashboard.php:

<?php
session_start();
if(!isset($_SESSION['user'])) {
    $_SESSION['errorMessage'] = "You are not logged in yet!";
    header('Location: /');
    exit;
}

Code from my logout.php (Since it might have to do something with this):

<?php
session_start();
if(!isset($_SESSION['user'])) {
    $_SESSION['errorMessage'] = "You are not logged in yet!";
    header("Location: ../");
    die();
}
//clear session from globals
$_SESSION = array();
session_unset();
session_destroy();
unset($_SESSION);
header("Location: ../");
die;

On my register.php:

<?php
session_start();
//register stuff ^^^^^
//eventually, mail to registerer
if (mail($to, $subject, $htmlContent, $headers)) {
     $connect->query($sqlInsert);
     $_SESSION['register_success'] = true;
     header("Location: https://example.com/register-success");
     exit;
}

Then on my register-success.php:

<?php
session_start();
if(!isset($_SESSION['register_success'])) {
    $_SESSION['errorMessage'] = "An error has occured, please try again.";
    header("Location: https://example.com/register");
    exit;
}

Keep in mind that whenever I submit the registration, I do receive the email, so $_SESSION['register_success'] should be set, but it still throws false at the if statement on "example.com/register-success".

Things that I have tried:

  • session_start(); at the beginning of each script.
  • session_destroy(), session_unset(), $_SESSION = array(), unset($_SESSION) at logout, and then a combination of all of them.
  • Checking if all session variable names match, which I have made sure to do.

I have absolutely no idea why this is happening.

Apologies in advance if I have explained it terribly.

Thank you for reading.

Jason Aller
  • Your question + code is quite difficult to follow. Can you please edit your question, and label your code snippets with the matching text descriptions. For example, you say, "when going to "example.com/app/list"... " but I don't see which code snippet that is referring to. Another example, "it returns false and throws me to the login page..." but you haven't shown any code relating to a log in page. – waterloomatt Oct 21 '19 at 14:10
  • Thank you for your comment! I have edited, I hope it's at least a little bit more clear! –  Oct 21 '19 at 14:31
  • Can you please show us the session code for your `dashboard` page? Also, can you verify that `register.php` is starting the session? It might just be a copy/paste error but I don't see it in your code that you pasted. – waterloomatt Oct 21 '19 at 14:53
  • Sorry about that, added! I have also verified that every page has session_start(), this was the first thing that came to mind when I was trying to fix it myself. –  Oct 21 '19 at 15:10
  • I can't see anything obvious that would explain this. One suggestion would be to remove the entire `if` statement in your logout script. Since you're having issues specifically with the `user` session variable in other scripts, I would eliminate that possibility in the logout script. – waterloomatt Oct 21 '19 at 15:24
  • Thanks. I'll try this. Do you have anything on the `$_SESSION['register_success']` not setting? On `register.php` it gets set to true, and when checking if it is set on the next page, it isn't. –  Oct 22 '19 at 07:11
  • Sorry, no. Based on the code you provided it should work. Something else must be contributing to that scenario. One suggestion would be to turn on error reporting in every script - https://stackoverflow.com/a/21429652/296555. The weirdness you're experiencing is often driven by a simple typo or silly mistake that error reporting will sometimes highlight. – waterloomatt Oct 22 '19 at 12:01
  • Thanks, I will try this, though the code that I have shown is the only code. There's nothing else. –  Oct 23 '19 at 07:31

1 Answer

-1

I would say on the logout page, shouldn't it check to see if the session for user IS set instead of IS NOT set? Also, I would write the session_destroy inside like this. This code checks if the user session variable exists, then it will destroy the session. Then the error message should be placed on the next page it redirects to after session_start();. I also don't think you would need anything other than session_destroy() to destroy the session.

<?php
session_start();
if (isset($_SESSION['user'])) {

    // clear session from globals
    session_destroy();

    /* Added a parameter */
    header("Location: ../?disperror=1");
    exit; // stop here so nothing runs after the redirect header

} else {
    header("Location: ../");
    exit;
}

I am not sure if this errorMessage would set properly. You may have to have session_start(); on the ../ page when it redirects to that page, then set the errorMessage session variable after session_start. Place this on the ../ page after session_start();

<?php
/* Should go on the login page */
session_start();

/* Request the parameter (null when absent, which avoids an undefined-index notice) */
$disperror = $_REQUEST['disperror'] ?? null;

/* Establish error message */
$errMsg = "You are not logged in yet!";

/* Display this anywhere you want in PHP */
if ($disperror == 1) {

    echo '<p>' . $errMsg . '</p>';

    /* If you want to turn that into a session variable only if the session was destroyed */
    $_SESSION['errorMessage'] = $errMsg;
}
?>
user2593040
  • I made a couple of updates. I don't think the session variable would set if you are destroying the session. That would have to be done on the next page. – user2593040 Oct 21 '19 at 13:58
  • Thanks for your answer! How would I decide if `$_SESSION['errorMessage']` should be displayed or not? I do this now via the condition on the logout page that checks if user exists, and if it doesn't then sets the error message which is then displayed on the login page. –  Oct 21 '19 at 14:08
  • I made some more updates. Instead of using a session variable for the error message, I used a parameter to attach to the redirect. Then on the login page, I requested that parameter, and then you can use that to determine whether or not to display the message. – user2593040 Oct 22 '19 at 16:05
  • Thank you for your input, I never thought about handling the error message that way. I'll keep this in mind, I will definitely try this out. –  Oct 23 '19 at 08:09
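
A fuller session teardown for logout.php, as an added example that is not part of the question or the answer above. It follows the pattern the PHP manual gives for session_destroy(), which removes the server-side data but leaves the session cookie in the browser unless that cookie is expired separately. The function name end_session() is hypothetical.

```php
<?php
// logout.php (added example, not the asker's or the answerer's code)

/**
 * End the current session completely: the data held in this request,
 * the data stored on the server, and the session cookie in the browser.
 * end_session() is a hypothetical helper name.
 */
function end_session(): void
{
    // The session must be active before it can be destroyed.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Empty the session array. Do not unset($_SESSION) itself: the PHP
    //    manual warns that this disables registering session variables
    //    through the superglobal for the rest of the request.
    $_SESSION = [];

    // 2. Expire the session cookie, using the same path/domain/flags it was
    //    issued with so the browser matches and discards it.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }

    // 3. Delete the session data stored on the server.
    session_destroy();
}

end_session();

// Redirect, then stop so no later code runs with a half-torn-down session.
header('Location: /');
exit;
```

Any message for the login page has to be set after this point on a fresh session, or passed another way, because everything written to $_SESSION before session_destroy() is discarded.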