1

I set a session variable on the login subdomain, and respond with JSON from another subdomain if the login was successful. The JSON response is checked by a script, and the script does a location.href = "new url". On the redirected site "new url" I want to check my session variables to see whether the user is logged in or not, but there are no session variables set. Does location.href = "" destroy my session? How do I fix this problem? session.cookie_domain is set to '.mydomain.com'.

login.mydomain.com:

$.post('http://api.mydomain.com/index.php', {action: 'login', username: username, password: password}, function(response) {
    var success = $.parseJSON(response);
    if (success.success == 'true') {
        // location.replace is a method; assigning a string to it does not navigate
        location.replace('http://my.mydomain.com');
    }
});

api.mydomain.com:

session_start();
$_SESSION['active'] = true;
header('Access-Control-Allow-Origin: http://login.mydomain.com');
echo '{"success": "true"}';

my.mydomain.com:

session_start();
// Redirect when the flag is missing or false ("||", so an unset key is never read)
if(!isset($_SESSION['active']) || !$_SESSION['active']) {
    header("Location: http://login.mydomain.com");
    echo $_SESSION['access_token'].' test';
}
else {
    echo 'Success!';
}
Nimantha
Pascal Bayer
  • Use Firebug and/or HTTPFox in Firefox to view what's going back and forth in the headers. Usually a disappearing session is due to the session cookie being incorrectly set, so you get a brand new empty session on the new page. – Marc B Aug 04 '11 at 16:42

3 Answers

2

I had the same problem and I found that when I use a relative url (location.href="index.php"), all session variables exist. But when I use an absolute url (location.href="http://mydomain.com/index.php") it kills all my session variables.

  • This was exactly my problem... and then I would end up with multiple sessions and couldn't tell which one would be loaded. Thank you! – Apolymoxic Dec 12 '18 at 20:03
1

You don't seem to be calling session_start() in the second code block.

shanethehat
0

From what you're saying you could have a couple of issues contributing to this problem.

  1. PHP cookies are set by the server when the page is loaded; no page load means no cookie is set. If you're using pure JSON with no page load then you may not be able to set your session and return it to the browser.

  2. Also remember that PHP sessions are effectively a cookie and the rules for cookies apply, so if you're setting a PHP session at api.mydomain.com and expect it to work at my.mydomain.com it probably won't work.

You can find a viable solution to handling login data and the sessions over multiple sub-domains here

Nimantha
Ryan
  • I've checked what you said, but sessions are also set when you call a page via XMLHttpRequest. The problem is that each time I call the php file via XMLHttpRequest I get another session_id. Why is this so? – Pascal Bayer Aug 04 '11 at 16:53
  • Please elaborate on 'another session_id'? Do you mean that the session info is stored but the session_id being used is different to what you expect it to be? You said in your question "there are no session variables set" – Ryan Aug 04 '11 at 17:06
  • I've added following line to api.mydomain.com: echo session_id(); Each time api.mydomain.com is called I get another session_id returned. – Pascal Bayer Aug 04 '11 at 17:13
  • That would be because api.mydomain.com is creating a new session each time it is called from what you're saying, you may want to add a line like `if(!isset($_SESSION['active'])) { $_SESSION['active'] = true;}`, this should stop the script creating a new PHP session each time the script is called – Ryan Aug 04 '11 at 17:20
  • the api-call has a Response-Header: PHPSESSID=4acb4d659b963ab4a4ceb33ae362dc50; but the cookie is not set in the browser – Pascal Bayer Aug 04 '11 at 17:36
  • Not knowing much about your app, assuming the XMLHttpRequest can parse the session successfully, you need to make sure the JS is picking up the new session information when the new information is parsed via the XMLHttpRequest, I would generally do this by writing a JS function that is called any time the XMLHttpRequest has been successful that would parse the information required to any other part of the app that requires it, I assume the IF statement for the session ID worked or got you on the right track? – Ryan Aug 04 '11 at 17:43
  • The IF statement doesn't work, on every access a new id is generated. Maybe I should try to solve the problem by rewriting the login module. – Pascal Bayer Aug 04 '11 at 17:52
  • Then try a variation of the IF statement such as `if($_SESSION['active'] == ""){ $_SESSION['active'] = true; }` or `if(empty($_SESSION['active'])){ $_SESSION['active'] = true; }` you can also try calling the session as a variable instead like `$activeSession = $_SESSION['active']` then calling the IF statement like `if(empty($activeSession)) { $_SESSION['active'] = true; }`, I hope this helps but I need to get running now so I won't be able to help any further today. Good luck – Ryan Aug 04 '11 at 18:00
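
Added example (not part of the original thread or any poster's code): a simplified JavaScript model of how a browser treats the cross-origin $.post from login.mydomain.com to api.mydomain.com, assuming a simple (non-preflighted) request. It shows why the PHPSESSID seen in the response header is not stored when the request is made without credentials mode, so every call starts a new session; evaluateXhr, domainMatches and cookieSentTo are hypothetical names and the header objects are constructed samples.

```javascript
// Added example: simplified model of browser handling of a cross-origin XHR.
// Hostnames come from the question; function names are hypothetical.

// RFC 6265 domain-match; a leading dot in the Domain attribute is ignored.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// req: { origin, url, withCredentials }; res: { headers } with lower-case keys;
// cookieDomain: the value of PHP's session.cookie_domain.
function evaluateXhr(req, res, cookieDomain) {
  const target = new URL(req.url);
  const crossOrigin = new URL(req.origin).origin !== target.origin;
  const creds = !crossOrigin || req.withCredentials === true;

  // Without credentials mode no Cookie header is sent and Set-Cookie in the
  // response is ignored, so the server sees a fresh session on every call.
  const cookieStored = creds && 'set-cookie' in res.headers &&
    domainMatches(target.hostname, cookieDomain);

  // CORS check: may the calling page's script read the response body?
  const acao = res.headers['access-control-allow-origin'];
  const acac = res.headers['access-control-allow-credentials'];
  let readable = !crossOrigin;
  if (crossOrigin) {
    readable = creds ? (acao === req.origin && acac === 'true')
                     : (acao === '*' || acao === req.origin);
  }
  return { cookieStored, readable };
}

// Is a stored session cookie sent on a later navigation to `url`?
function cookieSentTo(url, cookieStored, cookieDomain) {
  return cookieStored && domainMatches(new URL(url).hostname, cookieDomain);
}

// Constructed sample data mirroring the headers shown in the question.
const ORIGIN = 'http://login.mydomain.com';
const API = 'http://api.mydomain.com/index.php';
const AS_POSTED = { 'set-cookie': 'PHPSESSID=constructed-sample',
                    'access-control-allow-origin': ORIGIN };
const WITH_ACAC = { ...AS_POSTED, 'access-control-allow-credentials': 'true' };
```

In the question's setup the model's two switches correspond to jQuery's `xhrFields: { withCredentials: true }` on the request and an `Access-Control-Allow-Credentials: true` header sent by api.mydomain.com next to the existing Access-Control-Allow-Origin header.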