4

I use OAuth to authenticate at an external website. Everything is okay, but the session variable is missing after being redirected back from the external website.

Summary: I store a session var on my website, then go to the login page of the other website. After logging in and confirming, it redirects to my callback. When I check the previous session var, it is missing! How do I fix it?

I tried to call session_start() everywhere I use the session but it doesn't work. Of course I enabled sessions in "php.ini" and enabled cookies in the browser. :) I debugged but can't find out the reason.


Update: After storing my session var, I do a request like this: http://mixi.jp/connect_authorize.pl?oauth_callback=http%3A%2F%2Fmypage.com%2Fcallback.php&oauth_token=fjdklsfjlksd

Note the oauth_callback, it is the redirect URL. I don't know what mixi.jp uses to redirect.

hakre
emeraldhieu
  • 1
    Does the remote page do a header redirect to your page? Is the domain that the user is redirected to 100% identical? Remember, `www.domain.com` and `domain.com` are different domains session wise – Pekka Dec 03 '11 at 09:45
  • Sorry I don't understand what you mean. :( See my update above please. – emeraldhieu Dec 05 '11 at 07:27

2 Answers

3

Make sure your site's domain is 100% identical before and after the redirection.

Note that

www.yoursite.com 

and

yoursite.com

are two different sites cookie-wise.

Pekka
  • ^ This is true. I set $_SERVER['REDIRECT_SCRIPT_URI'] as my redirect URI, to make sure that the 'www' is there or not. – Design by Adrian Dec 20 '12 at 11:47
  • redirect_script_URI might not work on your server, try outputting $_SERVER to see what options you have! learned from: http://stackoverflow.com/questions/189113/how-do-i-get-current-page-full-url-in-php-on-a-windows-iis-server – Design by Adrian Dec 20 '12 at 11:48
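One way to apply the "identical domain" advice in PHP, as an added example that is not part of the original answer or its comments: pin every request to a single host before the session starts, and build `oauth_callback` from that same host. `CANONICAL_HOST`, `canonical_redirect()`, `authorize_url()`, the `my_var` session key and the token placeholder are assumptions made for illustration; the mixi.jp endpoint and `callback.php` come from the question.

```php
<?php
// Assumption: the single host name this site is served from. Pick it once
// and use it for every page and for the OAuth callback.
const CANONICAL_HOST = 'mypage.com';

// Returns the URL to redirect to when the request arrived on a different
// host (for example www.mypage.com), or null when the host already matches.
function canonical_redirect(string $requestHost, string $requestUri): ?string
{
    $host = strtolower(preg_replace('/:\d+$/', '', $requestHost));
    if ($host === CANONICAL_HOST) {
        return null;
    }
    // Only keep origin-form paths so the redirect always stays on our host.
    if ($requestUri === '' || $requestUri[0] !== '/') {
        $requestUri = '/';
    }
    return 'http://' . CANONICAL_HOST . $requestUri;
}

// Builds the provider's authorization URL with a callback on the canonical
// host, never on whatever host the current request happened to use.
function authorize_url(string $endpoint, string $oauthToken): string
{
    return $endpoint . '?' . http_build_query([
        'oauth_callback' => 'http://' . CANONICAL_HOST . '/callback.php',
        'oauth_token'    => $oauthToken,
    ]);
}

// Page that starts the login. The guard lets the functions be included elsewhere.
if (PHP_SAPI !== 'cli' && isset($_SERVER['HTTP_HOST'])) {
    $target = canonical_redirect($_SERVER['HTTP_HOST'], $_SERVER['REQUEST_URI'] ?? '/');
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    session_start(); // the cookie is now set for CANONICAL_HOST only
    $_SESSION['my_var'] = 'value stored before leaving for the provider';
    $token = 'REQUEST_TOKEN_PLACEHOLDER'; // constructed; obtained from the provider beforehand
    header('Location: ' . authorize_url('http://mixi.jp/connect_authorize.pl', $token));
    exit;
}
```

`callback.php` should run the same `canonical_redirect()` check before its own `session_start()`, so the browser sends back the cookie that was set when the login began.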
2

The session id is stored in a cookie. The cookie is sent with every page of the domain you registered it in. When you jump to another domain, your cookie with the session id is not sent. You must pass the session id to your new domain and then create a new cookie in this domain with the session id.

header('Location: redirect.php?session=' . session_id());

And then in the redirected page restore the session

<?php
  session_id($_GET['session']);
  session_start(); 
macjohn
  • But he is jumping to another domain *and back*. When he comes back, the cookie should still be in place. – Pekka Dec 03 '11 at 09:53
  • cookies and redirects always cause headaches. – macjohn Dec 03 '11 at 10:07
  • 1
    I tried your solution but it doesn't work. The "other website" doesn't permit me to pass one more parameter. I mean it doesn't permit me to pass "&session=xxx" back to "mypage/callback.php", only "oauth_token" allowed. – emeraldhieu Dec 05 '11 at 07:26