tr4nc3

! Session Logins And Header Redirects !


I was using a system of logging on users with sessions. The login form would submit to login.php that would look up the password in the DB and register a session if the PW matched. If it registered a session it would then perform a header redirect to the homepage of the member area.

 

Well this system worked fine ever since I implemented it 2 months ago. But just today I noticed that it was no longer working. My session variables were not being stored.

 

I ended up bugging the guys at the help desk about it because I thought it must have something to do with the server side of things. (Since my code had previously worked for the past 2 months.)

 

Turns out, it actually did have something to do with the server side of things. They updated PHP. (And before posting this thread I searched for PHP UPDATE and PHP UPDATED and only the first query came up with one result. Which was someone asking how often PHP is updated. No announcements that PHP was updated were found.)

 

I guess with this update session variables are not kept through a header redirect. So I am posting this message to warn everyone who might be using a similar structure of programming.

 

I was redirecting with the common..

 

>header("Location: /members/index.php");

 

But now I have updated/upgraded my code to redirect in this fashion...

 

>session_redirect('/members/index.php');

 function session_redirect ($url = "") 
  {
      function _safe_set (&$var_true, $var_false = "") 
      {
          if (!isset ($var_true))
          { $var_true = $var_false; }
      }

      $parse_url = parse_url ($url);
      _safe_set ($parse_url["scheme"], "http");
      _safe_set ($parse_url["host"], $_SERVER['HTTP_HOST']);
      _safe_set ($parse_url["path"], "");
      _safe_set ($parse_url["query"], "");
      _safe_set ($parse_url["fragment"], "");
      
      if (substr ($parse_url["path"], 0, 1) != "/")
      { 
          $parse_url["path"] = dirname ($_SERVER['PHP_SELF']) . 
                          "/" . $parse_url["path"]; 
      }
      
      if ($parse_url["query"] != "")
      { $parse_url["query"] = $parse_url["query"] . "&"; }
      $parse_url["query"] = "?" . $parse_url["query"] . 
                        session_name () . "=" . 
                      strip_tags (session_id ());
      
      if ($parse_url["fragment"] != "")
      { $parse_url["fragment"] = "#" . $parse_url["fragment"]; }
      
      $url = $parse_url["scheme"] . "://" . $parse_url["host"] .
            $parse_url["path"] . $parse_url["query"] . 
            $parse_url["fragment"];
      
      session_write_close ();
      header ("Location: " . $url);
      exit;      
  }

 

This might save somebody the hours that the help-desk team and I had to go through trying to figure out what this problem was.

 

My apologies to the help-desk team for bringing a scripting issue in their direction.


I'm not really sure that an update to PHP made the code invalid. I have a website that uses sessions and header redirection, and it just this moment worked...

 

>     session_register("USER_ID");

     $USER_ID = $ID;
     
     if($DB_Data[1] == 1)
     {
      session_register("STAFF");
     }
     if($DB_Data[3] == 1)
     {
      session_register("PLATINUM");
     }

     $DB_Result = db_query("select `logged_in`, `read_announcement` from `users` where `id`='$USER_ID'");
     $DB_Data = db_row($DB_Result);
     $Logged_In = $DB_Data[0];
     $Read_Announcement = $DB_Data[1];

     if($Logged_In == 0)
     {
      header("Location: firstlogin.php");
     }
     else if($Read_Announcement == 0)
     {
      header("Location: announcement.php");
     }
     else
     {
      header("Location: home.php");
     }

 

The thing is that I start up the session at the onset of every page load.

 

I'm definitely going to look into this.


I looked over that link. So I guess it is just a behavior of HTTP. Which is weird because I hadn't experienced this problem until just recently.

 

But it's good that I found and learned about this now because I'll know not to do the same thing in the future.

 

The code I posted works great. It just appends the PHPSESSID to the end of the URL. So once you're in the members area you're set.. I guess as long as you don't do any more header redirection once you're inside.

 

Which I just thought of.. and my application happens to do a header redirect after every form is submitted. I checked and I get booted once I submit the form. LOL! So I got some more work ahead of me once I wake up..

 

I'm also going to test out session_write_close().. One of the messages in the bug listing mentioned that using s_w_c() fixed the problem for them.

 

>I've also had a similar problem of session variables not being passed
following a call to header(). I am running PHP 4.0.15 on an XP m/c.

The following worked for me, by placing a session_write_close() before
the call to header, followed by an exit():

session_write_close();
header("Location: $strPage");
exit();

I hope this will be of use to some.

 

But he's running on WinXP. I'll find out if it applies to us here at TCH.

 

Thanks for the link! I've bookmarked it. I didn't even think about looking there.


No wonder I don't have that problem... My website is configured to auto-append the SID on any link and insert a hidden input value for forms... Only on the first time the session is begun.

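An added example, not code from any poster in this thread: a login handler that keeps the session across the redirect with session_write_close() and exit, as discussed above, while leaving the session ID in a cookie instead of the URL, where it would end up in Referer headers, server logs and shared links. It assumes PHP 7.3 or later and an HTTPS site; find_user(), login_and_redirect(), the form field names and the sample account are hypothetical.

```php
<?php
// Added example. Function names, form fields and the sample account are hypothetical.
declare(strict_types=1);

// Keep the session ID in a cookie only; never accept or emit it in URLs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
session_set_cookie_params([
    'path'     => '/',
    'secure'   => true,                     // assumption: site is served over HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Constructed sample account standing in for the database lookup.
function find_user(string $name): ?array
{
    $users = ['alice' => ['id' => 7, 'hash' => password_hash('s3cret-sample', PASSWORD_DEFAULT)]];
    return $users[$name] ?? null;
}

function login_and_redirect(string $name, string $password): void
{
    session_start();
    $user = find_user($name);
    if ($user === null || !password_verify($password, $user['hash'])) {
        session_write_close();
        header('Location: /login.php?error=1', true, 303);
        exit;
    }
    session_regenerate_id(true);            // new ID after login blocks session fixation
    $_SESSION['user_id'] = $user['id'];
    session_write_close();                  // flush session data before the redirect
    // Fixed target: no session ID appended, nothing built from the Host header.
    header('Location: /members/index.php', true, 303);
    exit;                                   // stop so nothing runs after the redirect
}

$name = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && is_string($name) && is_string($pass)) {
    login_and_redirect($name, $pass);
}
```

Every page in the members area still has to call session_start() before reading $_SESSION, using the same ini and cookie settings.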