
I have a question about PHP sessions. I use a session to keep a visitor logged in. I have made a site before with this and it works perfectly. Now I am making a Facebook app.

When logging in (checking if user is registered in database), I register id. After that I use:

```php
if (session_is_registered("id"))
{
    echo "Logged in";
}
```

So if it shows "Logged in" in the browser, I am absolutely sure that the session is registered. But when I go to the next page (which has session_start(); at the top of the page), there's no session anymore. But if I go to the logout page (with session_destroy();), and then proceed to the login, the session is registered correctly. Also if I close all the browser windows and then go to login, it won't register correctly.

I tried destroying the session right before registering the 'id', but that also doesn't work.

I'm guessing I made a basic error, so someone on here should be able to help me without wasting a lot of time.

Please help me. I have wasted days on this. Thanks in advance.


More code:

Where session is registered:

```php
$id_query = mysql_query("
    SELECT * FROM Tour11_deelnemers WHERE fb_id = '$user'");
while ($record = mysql_fetch_assoc($id_query))
{
    $id = $record['deelnemer_id'];
}
if ($id > 0)
{
    $speelid = $id;
    session_register("speelid");
}
```

After that to check if it is registered:

```php
if (session_is_registered("speelid"))
{
    echo "Ingelogd";
}
```

session_is_registered() is the same as isset() for $_SESSION.

So the thing I don't understand is why session_is_registered() is true right after the session is registered, but on the next page it is false again :( unless I log in immediately after going to the logout page (session_destroy();). So even if I destroy the session just before restarting it and registering again, it doesn't help.

Nikhil
  • Please post some real code, because `session_is_registered("id")` is not clear enough. Maybe you need to do `session_is_registered($_SESSION["id"])`? Tell us what does the `session_is_registered()` function take as parameter, and what does it do with it? – Shef Jun 12 '11 at 14:01
  • @Shef `session_is_registered` is built-in PHP function so it doesn't need explanation of how it works :) – Karolis Jun 12 '11 at 14:07
  • `session_register`, `session_unregister`, and `session_is_registered` should not be used any more. – Gumbo Jun 12 '11 at 14:11
  • You are right, I was not aware of that function, BECAUSE I try to stay as far away as I can from the "global variables" land. This function seems to have been [deprecated on 5.3](http://php.net/manual/en/function.session-is-registered.php). So, it's time we all get used to staying away from the "global variables" land. – Shef Jun 12 '11 at 14:11
  • I also tried the whole code with $_SESSION['id'] and isset........ but then I got the same problems, so I tried this older version with session_register(). So using newer session stuff doesn't help. – Nikhil Jun 12 '11 at 14:15
  • You are not starting the session correctly, or you are destroying it prematurely. – Shef Jun 12 '11 at 14:22
  • I have session_start(); immediately after – Nikhil Jun 12 '11 at 14:25

1 Answer


Here is a solution for you.

Set the session like this:

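```php
if (!isset($_SESSION['speelid'])) {
    $id = 0; // stays 0 when no participant matches
    // Escape the Facebook id before placing it in the query string
    $fb_id = mysql_real_escape_string($user);
    $id_query = mysql_query("SELECT * FROM Tour11_deelnemers WHERE fb_id = '$fb_id'");
    while ($record = mysql_fetch_assoc($id_query)) {
        $id = $record['deelnemer_id'];
    }
    if ($id > 0) {
        // Store the participant id in the session
        $_SESSION['speelid'] = $id;
    }
}
```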

Check if a session is set like this:

```php
if (isset($_SESSION['speelid'])) {
    echo "Ingelogd";
}
```

Update

It seems like the issue is related to >= IE6 refusing to accept the session cookie generated by the php, when a .php file is referred from an .html file on a different server.

.HTML to .PHP session IE issue

When using session variables in a .php file referred by a frame (.html, or other file type) at a different server than the one serving the .php:

Under these conditions IE6 or later silently refuses the session cookie that is attempted to create (either implicitly or explicitly by invoking session_start()).

As a consequence, your session variable will return an empty value.

According to MS kb, the workaround is to add a header that says your remote .php page will not abuse from the fact that permission has been granted.

Place this header on the .php file that will create/update the session variables you want:

Here is a full thread on this issue

Solution

The solution is to add this at the very top of the page which will SET the session.

```php
<?php header('P3P: CP="CAO PSA OUR"'); ?>
```
Shef
  • Tried that, but also then it says Logged in, but on the next page there is no `$_SESSION['id']` anymore. Unless I went to the login page after visiting logout page. – Nikhil Jun 12 '11 at 14:19
  • Okay, let me understand what is going on here: 1. First you go to login page, you login, it says "Logged in", right? 2. When you navigate to another page it does not say "Logged in"? 3. But when you go to logout and go back to login, it says "Logged in"? – Shef Jun 12 '11 at 14:26
  • Nearly. 3 should be: But when you go to logout and go back to login, and log in, it says 'logged in' and if you go to any other page, you are still logged in. So a solution could be redirecting the user to logout page just before logging in, but that is not a real solution of course... – Nikhil Jun 12 '11 at 14:36
  • hmm... smells like a `www` `non-www` issue to me. If you have access to `.htaccess` try forcing access to the site either with or without `www`. That is, if a user tries to log in to `http://site.com/login.php` and after you check the credentials and forward them to `http://www.site.com/logged.php` with `header()`. Try the `.htaccess` trick, or try setting the session domain from `.domain.com` to `domain.com`. – Shef Jun 12 '11 at 15:03
  • I am testing it myself with `www` everywhere... So that's not the problem :( – Nikhil Jun 12 '11 at 15:19
  • I updated the code which sets the session, please try that one. If it doesn't help, please post all your code related to session and authentication logic. So, we can debug further. – Shef Jun 12 '11 at 16:49
  • Doesn't help. I tried my fake solution (redirecting to logout and returning just before logging in). I tried redirecting with top.location.href first, so outside the fb iframe, and it worked. Then I tried with window.location.href, to keep it inside the iframe, and it didn't work. So could there be a problem with the session because of it being initiated from inside an iframe? – Nikhil Jun 12 '11 at 17:49
  • Is this happening on all browsers? I really can't take any other guess without looking at your authentication process code. – Shef Jun 12 '11 at 18:09
  • Ok, I was using IE all the time, now I checked with firefox and chrome and they work fine... So could there be a problem with sessions in iframe for IE? – Nikhil Jun 12 '11 at 19:06
  • I updated my answer with a solution, I hope it helps. Please STOP using IE, it hurts me knowing a developer is using IE other than for testing purposes... :( – Shef Jun 12 '11 at 19:40
  • http://stackoverflow.com/questions/306132/php-session-problem-only-in-ie-really-strange-problem I just found that too. Thanks a lot! – Nikhil Jun 12 '11 at 19:42
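
The accepted fix only works if the P3P header goes out before `session_start()` and before any output, and the symptom in the question ("Logged in" on the same request, no session on the next) is what a refused session cookie looks like. The sketch below is an added example, not code from the question or the answer; the function names `start_framed_session` and `cookie_probe` and the `probe` query parameter are hypothetical.

```php
<?php
// Added example: start_framed_session, cookie_probe and ?probe=1 are hypothetical names.

/**
 * Send the P3P compact policy from the answer, then start the session.
 * Both travel as HTTP headers, so this must run before any output.
 */
function start_framed_session($policy = 'CP="CAO PSA OUR"')
{
    if (headers_sent($file, $line)) {
        // Too late: PHP can no longer emit P3P or Set-Cookie for this response.
        error_log("Output started at $file:$line; session cookie not sent");
        return false;
    }
    header('P3P: ' . $policy);
    return session_start();
}

/**
 * Tell "cookie refused by the browser" apart from "login logic failed".
 * Returns 'first-visit', 'cookie-rejected' or 'ok'.
 */
function cookie_probe()
{
    $cookieCameBack = isset($_COOKIE[session_name()]);
    if (!isset($_GET['probe'])) {
        // First request: the cookie may legitimately be absent.
        $_SESSION['probe_set'] = true;
        return $cookieCameBack ? 'ok' : 'first-visit';
    }
    // Second request, reached through the link carrying ?probe=1.
    return ($cookieCameBack && !empty($_SESSION['probe_set'])) ? 'ok' : 'cookie-rejected';
}

if (start_framed_session()) {
    $state = cookie_probe();
    if ($state === 'cookie-rejected') {
        error_log('Session cookie was not returned; check the P3P header and iframe origin');
    }
    if ($state === 'first-visit') {
        // A plain link keeps navigation inside the frame, like window.location.href.
        echo '<a href="?probe=1">continue</a>';
    } else {
        echo htmlspecialchars($state);
    }
}
```

Loading this page inside the iframe and following the link shows `cookie-rejected` when the browser dropped the cookie, which separates the IE framing problem from a bug in the login query.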