19

I have this written at the very first line on every page of my website.

include("restd.php");

and restd.php contains the following lines :

@session_start();
if(isset($_SESSION['id']))
{
}
else
{
  header("location:index.php");
}

The problem I'm facing is that whenever I click or do something on my website, it logs me out and takes me to index.php.

I'm sure it's something to do with the session. I've tried every single thing to avoid this problem, but I have used restd.php because I don't want anyone to copy the URL of someone and paste it and get into the website.

Only someone who is logged in can view others' pages. If they aren't logged in, then they'll be redirected to index.php.

EDIT: And guys, a confusing thing is that all this is working fine on my testing server, which is easyPHP-5.3.8.0, but this problem is coming up when I upload all the files to my server.

Samir
  • Can you share the content of a page in which you are including "restd.php"? – Eray Jan 23 '12 at 18:49
  • 8
    Why do you silence session_start()? Remove the @ sign and see if there is an error being produced. You really shouldn't use the @ sign. – Martin Samson Jan 23 '12 at 18:50
  • 1
    Are you setting $_SESSION['id'] anywhere? – drew010 Jan 23 '12 at 18:50
  • 2
    get rid of the suppression operator on `session_start();` and see if there's any errors – JamesHalsall Jan 23 '12 at 18:50
  • This is unrelated, but I wanted to mention it anyway. You are not technically supposed to use relative paths on a `Location:` header. The RFCs state that it needs to be the full URL. – Brad Jan 23 '12 at 18:52
  • Where is the code where you assign a value to `$_SESSION['id']` ? Have you `echo`'d that value anywhere for debugging purposes? – jcmeloni Jan 23 '12 at 18:53
  • @eray - I have written it in the question :) – Samir Jan 23 '12 at 18:56
  • @MartinSamson - I have removed the @ also, but no change in the behaviour :( – Samir Jan 23 '12 at 18:57
  • @drew010 - I make a variable $pid = $_SESSION['id']; and wherever I want to use the logged-in user's id I use $pid and I have no problem – Samir Jan 23 '12 at 18:58
  • @DavidNguyen - the form is submitted to logged.php, and logged.php contains simple code which checks whether the user is registered or not and then gets his id from the database and then that is $uid and then session_start(); and then $uid = $_SESSION['id']; and then header("location:home.php?id=$uid"); – Samir Jan 23 '12 at 19:00
  • @SyedSamirUddin, no, you shared your `restd.php` file, I'm wanting your `index.php` file for example :) – Eray Jan 23 '12 at 19:01
  • @jcmeloni - yeah, in every page I make a variable $pid = $_SESSION['id']; and then wherever I use this variable I get the correct value. – Samir Jan 23 '12 at 19:02
  • that doesn't help, where do you ever use $pid in THIS script? – David Nguyen Jan 23 '12 at 19:05
  • @DavidNguyen - in restd.php, instead of using the variable I directly used $_SESSION['id']; I could do this too: $pid = $_SESSION['id']; and then if(isset($pid))......so on. – Samir Jan 23 '12 at 19:09
  • @everyone : here is my code of logged.php : http://codepad.viper-7.com/rIvRLP – Samir Jan 23 '12 at 19:15

10 Answers

61

Your session directory (probably /tmp/) is not writable.

Check with session_save_path() if it is writable.

if (!is_writable(session_save_path())) {
    echo 'Session path "'.session_save_path().'" is not writable for PHP!'; 
}
Draco Ater
powtac
5

Do you actually set $_SESSION['id'] on a page...

What you are trying to do here is:

  1. Start a session and load the $_SESSION from the session handler
  2. Check if $_SESSION contains key 'id'
  3. Redirect to index.php if $_SESSION['id'] is not set

Do you actually do this in index.php?

session_start();
$_SESSION['id'] = something;
Mathieu Dumoulin
  • Nope! Not in the index.php. I do it in the logged.php, which contains code which checks if the username who is logging in is already registered, and if he is registered then session_start(); and his id is $uid = $_SESSION['id']; and then header("location:home.php?$uid"); – Samir Jan 23 '12 at 18:55
  • Then do you session_start() in logged.php before saving $uid into $_SESSION['id']? – Mathieu Dumoulin Jan 23 '12 at 18:59
  • Yes I do. In fact here is my code of logged.php : http://codepad.viper-7.com/rIvRLP – Samir Jan 23 '12 at 19:16
  • Something tells me then that this is not a code issue 'cause your code looks fine. It's more a session handler issue like mentioned in other comments or posts... – Mathieu Dumoulin Jan 23 '12 at 19:30
  • 1
    Look at other posts, you might have issues with your session handler, when you do session_start, do you have an error message? Can you var_dump($_SESSION) on each page until you find an empty $_SESSION? At that point, the page you visited before might have killed your session, lots of possible reasons... – Mathieu Dumoulin Jan 23 '12 at 19:32
5

You need to declare $_SESSION['id']:

file1.php

session_start();

$_SESSION['id'] = '123';

file2.php

include 'file1.php';

if(isset($_SESSION['id']))
{

}
else
{
  header("location:index.php");
}
Zul
  • In my case file1.php is logged.php, which checks whether the logging user has been registered or not and then fetches his id from the database and assigns it to $uid and then starts session and then makes a variable $uid = $_SESSION['id']; – Samir Jan 23 '12 at 19:08
  • Tough to tell without seeing your code at all (restd.php & one file that includes restd.php), maybe you can post your code here or, if your code is too long, use codepad.viper-7.com – Zul Jan 23 '12 at 19:11
2

In my case I forgot that I had the PHP flag session.cookie_secure set to on, while the development environment was not TLS-secured.

More information about Session/Cookie parameters.

Michael Bolli
1

I know this is an old thread, but the following helped me with the same problem after hours of despair. Found on: http://php.net/manual/de/function.session-save-path.php

I made a folder next to the public html folder and placed these lines at the very first point in index.php

Location of session folder:

/domains/account/session

location of index.php

/domains/account/public_html/index.php

What I placed in index.php at line 0:

<?php 
ini_set('session.save_path',realpath(dirname($_SERVER['DOCUMENT_ROOT']) . '/../session'));
session_start();
?>

Hopefully this will save you time.

Community
Dee Ell
1

Maybe your session path does not exist; you can set the PHP session path using:

ini_set('session.save_path','SOME WRITABLE PATH');
Pang
Hamid
0

I had the same problem and found a work-around for it. If anybody can explain why the session is not read even when the cookie is there, please let me know.

<?php
//  logged.php
//  The PHP session system will figure out whether to use cookies or URLs to pass the SID

if(!isset($_COOKIE['PHPSESSID']) && !isset($_GET['PHPSESSID']) && authenticationRoutine(/* Returns true if successfully authenticated */) ) {
    session_id(uniqid("User--"));
    session_start();
    $_SESSION['id']=session_id();
}

?>



<?php
//  Insecure restd.php (The user can forge a stolen SID cookie or URL GET request, but that is inherent with PHP sessions)

if(!isset($_COOKIE['PHPSESSID']) && !isset($_GET['PHPSESSID'])) {header('Location: index.php');}

?>


[EDIT]

Even though the cookie was there and I prevented starting a new session, the session had not been read and started, so no session variables were available. In this case I check if the session has been started first (not using session_status() because it doesn't exist in PHP 3.5, which for some reason is the most widespread among hosts). If no session has been started within PHP, I check if it had been started before by testing the cookies and GET variables. If a session ID was found, the script resumes the session with that ID. If no ID is available, the user gets redirected to the index.

<?php
//  restd.php
if(session_id() === '') { // empty() cannot wrap a function call before PHP 5.5
    if(isset($_COOKIE['PHPSESSID']) && !empty($_COOKIE['PHPSESSID'])) {session_id($_COOKIE['PHPSESSID']);}
    elseif(isset($_GET['PHPSESSID']) && !empty($_GET['PHPSESSID'])) {session_id($_GET['PHPSESSID']);}
    else {header('Location: index.php'); exit(0);}
    session_start();
}
Zyox
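
A guard for restd.php that takes the session ID from the cookie only and never from the URL, as an added example that is not the poster's code. It assumes PHP 5.5.2 or later for session.use_strict_mode; SITE_BASE_URL and establish_login() are hypothetical names.

```php
<?php
// restd.php, hardened variant (added example, not code from this thread).

define('SITE_BASE_URL', 'https://www.example.com'); // hypothetical placeholder

// Accept the session ID from the cookie only, never from ?PHPSESSID=...,
// and refuse IDs the server did not issue itself.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');

// Mark the cookie Secure only when the request really is HTTPS. On a
// plain-HTTP host a Secure cookie is never sent back, so every page load
// would look logged out.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
ini_set('session.cookie_secure', $https ? '1' : '0');

session_start(); // no @ here: a failure to start must show up in the log

// Hypothetical helper for logged.php: call it once authentication succeeded.
function establish_login($uid)
{
    session_regenerate_id(true); // fresh ID at login discards a pre-set one
    $_SESSION['id'] = $uid;      // store the user id IN the session
}

// The guard itself: protected pages include this file on their first line.
if (!isset($_SESSION['id']) && basename($_SERVER['SCRIPT_NAME']) !== 'logged.php') {
    header('Location: ' . SITE_BASE_URL . '/index.php'); // absolute URL
    exit; // without exit the protected page keeps running after the redirect
}
```
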
0

Adding this in case it helps others. In my case, I had a writeable session path and was correctly calling session_start() in the right place.

I was trying to store a complex object in the session, and it turns out that it wasn't serializing. The "cannot serialize" error only appeared in logs when I wrote the session manually with session_write_close(), so for a long time I couldn't see that this was the issue.

If one part of the session won't serialize, it seems that the whole session write fails. You may want to put in a session_write_close() after populating the session, and check your logs.

almcnicoll
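
The causes raised in the answers above (a save path that is not writable, session.cookie_secure on a site without TLS, and a session value that will not serialize) can be checked with one throwaway script. This is an added example, not code from any of the answers; the function names session_config_problems() and unserializable_keys() are hypothetical.

```php
<?php
// Added diagnostic: save as a throwaway file on the server, load it twice, delete it.

function session_config_problems(array $server)
{
    $problems = array();
    // Save path must be writable by PHP. The ini value may be "N;/path" or "N;MODE;/path".
    $parts = explode(';', session_save_path());
    $path  = end($parts);
    if ($path === '') {
        $path = sys_get_temp_dir(); // empty setting: system temp dir is used
    }
    if (!is_dir($path) || !is_writable($path)) {
        $problems[] = "save path '$path' is missing or not writable";
    }

    // A cookie marked Secure is never sent back over plain HTTP.
    $secure = filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN);
    $https  = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    if ($secure && !$https) {
        $problems[] = 'session.cookie_secure is on but this request is not HTTPS';
    }
    return $problems;
}

// Keys whose values cannot be serialized (closures, PDO handles, ...).
function unserializable_keys(array $session)
{
    $bad = array();
    foreach ($session as $key => $value) {
        try {
            serialize($value);
        } catch (Exception $e) {
            $bad[] = $key;
        }
    }
    return $bad;
}

$problems = session_config_problems($_SERVER);
session_start();
$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;
foreach (unserializable_keys($_SESSION) as $key) {
    $problems[] = "\$_SESSION['$key'] cannot be serialized";
}
header('Content-Type: text/plain');
echo 'id=', session_id(), ' hits=', $_SESSION['hits'], "\n"; // hits must grow on reload
echo $problems ? implode("\n", $problems) : 'no configuration problem found', "\n";
session_write_close(); // forces the write now so any error lands in the log here
```

If the ID changes and hits stays at 1 on every reload, the session is not surviving between requests. To test the serialization cause in the real application, call unserializable_keys($_SESSION) in the page that fills the session, right after it does so.
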
0

Couple things:

  1. your include file doesn't have the <?php ?> tags, so the content will not be evaluated as PHP

  2. Session_start must be called before you start outputting anything. Is that the case?

Sylverdrag
  • Yeah, it does have the tags. It's just that I didn't use them here in the question :) and yeah, I include the file restd.php in the first line of every file :) – Samir Jan 23 '12 at 19:06
  • @SyedSamirUddin it was worth a try. What about your logout code? Any chance it might be called before you go on the next page? Looking at your logged.php (btw: fix the sql injections), what exactly happens if the login doesn't work? One possible difference between a testing server (Windows?) and a Linux hosting package is that MySQL is case sensitive on Linux but not on Windows. So if your column names were "PassWord", your queries will work on Windows but fail on Linux. It's a tricky one because Linux might show "password" in phpMyAdmin and still expect PassWord. – Sylverdrag Jan 24 '12 at 19:22
  • The logout code just has session_destroy(); and then header to index.php. And regarding the case-sensitive columns, I did not name any columns like that. I only use simple words like "password", not like "passWord", because that would create confusion later on. – Samir Jan 24 '12 at 22:23
0

You still don't even answer where you SET $_SESSION['id']. $pid = $_SESSION['id'] does not set the session variable. session_start() comes before ANYTHING session related, it's not shown before your include.

David Nguyen
  • I've not written session_start(); because I include the file restd.php which has session_start(); in it :) – Samir Jan 23 '12 at 19:23