
Excerpt from validate-login.php:

```php
<?php
   if(!session_id()){ session_start(); }
   if(!(isset($_SESSION['mobile']) or isset($_SESSION['email']))){
      $_SESSION['error'] = 'NOT_LOGGED_IN';
      header("location:error.php");
   }
?>
```

The script validate-login.php will be included in all the "restricted" pages which I want to be accessible only post login.

Excerpt from error.php:

```php
<?php
   if(!session_id()){ session_start(); }
   $errorCode = isset($_SESSION['error']) ? $_SESSION['error'] : '';
   print_r($_SESSION);
?>
```

Executing the code on localhost gives me output as:

Array ( [error] => NOT_LOGGED_IN )

Executing the code on remote/online server always gives me output as:

Array ( )

I HAVEN'T NOTICED THIS PROBLEM ANYWHERE ELSE IN MY WEBSITE.

If I change validate-login.php as:

```php
<?php
   if(!session_id()){ session_start(); }
   if(!(isset($_SESSION['mobile']) or isset($_SESSION['email']))){
      $_SESSION['error'] = 'NOT_LOGGED_IN';
      print_r($_SESSION);
   }
?>
```

The output is:

Array ( [error] => NOT_LOGGED_IN )

I have read similar questions on StackOverflow and other forums, and they suggested removing any white space before session_start(); and not outputting/printing anything before header(location="...");, which, I suppose, I have done.

What is wrong with my code?

Kumar Kush
  • `if(!(isset($_SESSION['mobile']) or isset($_SESSION['email'])))` < that seems to kind of contradict itself. First you want to check if one session isn't set or one that is set; I don't get that. – Funk Forty Niner Apr 08 '20 at 14:11
  • Should this prohibit session data from being available in next page? – Kumar Kush Apr 08 '20 at 14:15
  • If one of those doesn't meet the criteria, then I'd say "yes". – Funk Forty Niner Apr 08 '20 at 14:18
  • I got what your point is. I need to elaborate the question a bit. By the way, when a user is trying to access a 'restricted' page without logging in after opening the browser afresh, or immediately after logging out, both of these won't be available. Otherwise, if one of the two variables is set, the code won't go to **error.php**. – Kumar Kush Apr 08 '20 at 14:22
  • Make sure that your logout page destroys all sessions. Just unsetting may not be enough and that is unknown. – Funk Forty Niner Apr 08 '20 at 14:24
  • I have done that. On logout, I have unset the session variables, then wrote `session_abort()` and `session_destroy()`. What else can I do? :) – Kumar Kush Apr 08 '20 at 14:28
  • I suggest that you try a few test pages using different session arrays. Have a look at [this Q&A](https://stackoverflow.com/q/5489365/1415724) and see if that works out well. If it doesn't work, then something on your server is causing issues. Enable error reporting to see if errors occur and use var_dump on the session array(s). There isn't anything else I can think of, sorry. Edit: Try not using `if(!session_id())` to see if that is the problem. It could be if there is a session that is still set somewhere. – Funk Forty Niner Apr 08 '20 at 14:31
  • Looks quite promising. I'll go through it. – Kumar Kush Apr 08 '20 at 16:47
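
An added example, not part of the question or its comments: a fail-closed version of the login guard. `header()` only queues the redirect and does not end the script, so the rest of a "restricted" page still runs for a visitor who is not logged in unless the guard exits. The function name `require_login` and its parameter are assumptions made for this example, and whether these changes affect the remote-server behaviour described above is not established by the page.

```php
<?php
// validate-login.php, hardened sketch (added example, not the asker's code).
// require_login() and $errorPage are hypothetical names chosen for this example.

function require_login(string $errorPage = 'error.php'): void
{
    // Start the session only if none is active for this request.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }

    // Same login test as the original guard: either key marks a logged-in user.
    if (isset($_SESSION['mobile']) || isset($_SESSION['email'])) {
        return;
    }

    $_SESSION['error'] = 'NOT_LOGGED_IN';

    // Flush the session to storage now, so error.php reads the error code
    // even though this request is about to end.
    session_write_close();

    // If output already started (stray whitespace, a BOM, an earlier echo),
    // header() cannot redirect. Log where output began and stop anyway, so
    // the restricted page body is never rendered for this visitor.
    if (headers_sent($file, $line)) {
        error_log("require_login: output already started at {$file}:{$line}");
        exit;
    }

    header('Location: ' . $errorPage, true, 302);

    // Stop here: without this, the including page keeps executing and its
    // content is sent along with the redirect response.
    exit;
}

require_login();
```

Including this file at the very top of each restricted page, before any output, keeps the check ahead of everything the page would otherwise render.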
