10 Replies - 3785 Views - Last Post: 16 October 2011 - 12:16 AM

#1 wadori

  • D.I.C Head

Reputation: 0
  • Posts: 63
  • Joined: 30-October 09

SESSION values not passing

Posted 11 October 2011 - 08:45 PM

I am having a problem with my $_SESSION values passing through. I have a script, processsignin.php, which logs a person into his/her account. This was working fine for a while, but suddenly I am having problems with the values being passed to the next page. processsignin.php assigns several values to the $_SESSION array. The script then uses a header statement to call the next page, signedin.php. The problem is that none of the values that I have added to the $_SESSION array are there when I get to the new page. I did a var_dump of the array immediately before the header statement and the values are in there. I did a var_dump at the beginning of the new page and they are not, although some values that were passed from a previous page were still in there.

A web search found other people who have had this problem when using a header statement to go to the next page. However, I tried it using an href link instead of a header statement and the same thing happens, so the problem doesn’t seem to be the header statement. (Also considering that it worked just fine with the header statement up until now.) The values just disappear when the new page is called up.

Things I have already tried/checked from doing a web search on the problem:
I have if(!isset($_SESSION)) { session_start(); } at the beginning of my pages.
session.auto_start is set to 0 in php.ini.
I tried adding session_write_close() before the header statement and exit() after it.
The session id is being set – I printed it out on the signedin.php page (and, of course, the earlier values are carrying fine, so it must be set).

Does anyone have an idea why these values might not be sticking?


Replies To: SESSION values not passing

#2 creativecoding

  • Hash != Encryption

Reputation: 926
  • Posts: 3,205
  • Joined: 19-January 10

Re: SESSION values not passing

Posted 11 October 2011 - 10:07 PM

You have to use session_start on each page where you use session variables.

#3 wadori

Posted 11 October 2011 - 10:47 PM

Yes, I do (as I have already stated).

#4 wadori

Posted 12 October 2011 - 12:12 PM

Aha! I finally decided to try a different browser. It works fine in Firefox, Opera and Chrome. The problem is only with IE. (I am using IE9.) I still don't know what to do about it, though. Does anyone know why there is a problem carrying session variables in IE, and what can be done about it?

#5 creativecoding

Posted 12 October 2011 - 12:16 PM

Possibly your browser wasn't accepting any cookies, which is vital for sessions to work.

#6 wadori

Posted 12 October 2011 - 02:24 PM

creativecoding, on 12 October 2011 - 01:16 PM, said:

Possibly your browser wasn't accepting any cookies, which is vital for sessions to work.


My privacy setting was set to medium to only allow some cookies. I temporarily set it to accept all cookies. It still acted the same.

#7 wadori

Posted 12 October 2011 - 03:21 PM

I found the problem. I have a session_regenerate_id statement in my script which was causing it to lose the values. I don't know why this never happened before, or why it doesn't happen in other browsers, but if I inactivate that statement the values carry okay.

Thanks for your efforts.

#8 codeprada

  • Changed Man With Different Priorities

Reputation: 947
  • Posts: 2,355
  • Joined: 15-February 11

Posted 12 October 2011 - 03:29 PM

You can regenerate the session id and keep the session values as long as you don't pass TRUE as the parameter.

#9 wadori

Posted 12 October 2011 - 09:48 PM

codeprada, on 12 October 2011 - 04:29 PM, said:

You can regenerate the session id and keep the session values as long as you don't pass TRUE as the parameter.


Thanks for passing this along, codeprada. I would like to be able to use the session_regenerate function if I can do so; however, I am not having an easy time wrapping my head around the true/false concept. If I am understanding correctly from the research I've done, setting the value to TRUE kills the previous session/session_id, whereas setting it to FALSE keeps the old id while using the new one. It doesn't make sense to me to keep the old session. The purpose of regenerating is to prevent session hijacking. If we keep the old id the hijacker can still gain access, right? Don't we need to kill the old session for security reasons?

At any rate, I had not specified any parameter for the function, simply writing it as session_regenerate_id(). I have subsequently written a simple series of 4 scripts that simply regenerate the id each time, add a value to $_SESSION, and then var_dump the results at the end. The first script uses session_regenerate_id() without any parameter specified. The second script uses session_regenerate_id(FALSE) and the third one uses session_regenerate_id(TRUE). When I var_dump the $_SESSION array at the end all three values are in the array, so it doesn't seem to matter in this case how the parameter is set as far as holding the values is concerned.

Of course, why it doesn't work that way in my real script is another question, so I would sure love some more explanation/clarification. If you wish to provide any further clarification of how these TRUE/FALSE parameters work so that I can try to figure out how to make this work, it would surely be greatly appreciated.

#10 codeprada

Posted 15 October 2011 - 11:06 AM

You're misunderstanding how a session works. The session ID is like an identifier that lets the server know which data belongs to which client. The session ID is stored in a cookie on the client's computer. A session can be hijacked if an attacker gets that session ID and passes it as his own.

When you pass TRUE to session_regenerate_id it deletes the data from the session. For instance if you've stored a username or items in a cart they will be deleted if TRUE is passed. This data has nothing to do with the session ID. The session ID is now regenerated and stored in a cookie.

Session ID - Stored on both Client & Server
Session Data - Stored on Server only

#11 wadori

Posted 16 October 2011 - 12:16 AM

Thanks again. I think I understand – the session identifier is regenerated any time you use session_regenerate_id; the data contained in the session is deleted if TRUE is passed as a parameter; otherwise, the old data is still there even though there is a new identifier for the session. However, as I mentioned before, when I ran my test scripts, one of which passed TRUE as a parameter, my data was not lost. So perhaps I am still not understanding.

At any rate, I have been playing with this and have discovered that, for some reason, if I set a session on the very initial page of my program my values get lost when I get to the page in question. If I do not set a session on the initial page, then the values carry through okay. The other factor that I don’t believe I mentioned is that I am using a secure SSL login. It is my understanding that session values are lost when the SSL is activated – although exactly the opposite seems to be happening in my case: the values added to SESSION from the initial page are carrying through, while values added after the SSL login are being lost!

There are 4 pages involved. In order:
index.php – starts a session and puts some values into the session array
myaccount.php – person is now in SSL mode (https://....), enters username/password
processsignin.php – values are added to SESSION array (if I var_dump($_SESSION) at end of script the values are in there)
signedin.php – values added in index.php are still there, but values added in processsignin.php are not there if I var_dump($_SESSION) at beginning of script (after the session_start statement)

As I said, I experimented and removed the SESSION from index.php and then the values entered on processsignin.php held when I got to signedin.php. Do you have any idea why that would be? Also, inactivating session_regenerate_id allows the values to pass through. Both the SESSION on the first page and the session id regeneration serve important purposes, though, so I wish to keep them if I can. And, as I mentioned before, this is only a problem in IE. No problem in Firefox, Opera and Chrome.

One other detail: If I add the TRUE parameter to session regeneration, then I do lose those values that were added on the first page (as would accord with your explanation).

Page 1 of 1
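
The test wadori describes in post #9, as an added example that is not part of any post in this thread: a constructed PHP CLI script, assuming the default file-based session handler, that records what session_regenerate_id(false) and session_regenerate_id(true) each do to the $_SESSION data and to the data stored under the old ID. In PHP the $_SESSION contents carry over to the new ID either way; the parameter decides whether the storage for the previous ID is deleted. The temp directory and key names are made up for the demo.

```php
<?php
// Added example (constructed): run with the PHP CLI, e.g. `php regen_demo.php`.
// Assumes the default "files" session handler; directory and keys are made up.
function regen_demo(): array
{
    $dir = sys_get_temp_dir() . '/regen_demo_' . getmypid();
    if (!is_dir($dir)) {
        mkdir($dir, 0700);
    }
    ini_set('session.save_handler', 'files');
    session_save_path($dir);
    // True if a session file exists on disk for the given session ID.
    $stored = function (string $id) use ($dir): bool {
        clearstatcache();
        return is_file("$dir/sess_$id");
    };

    session_start();
    $_SESSION['from_index'] = 'set before sign-in';
    $idA = session_id();

    // FALSE (also the default when no argument is given): new ID, old file kept.
    session_regenerate_id(false);
    $idB = session_id();
    $_SESSION['from_signin'] = 'set at sign-in';
    $r = [
        'false: id changed'          => $idA !== $idB,
        'false: $_SESSION data kept' => isset($_SESSION['from_index']),
        'false: old id still stored' => $stored($idA), // a captured old ID stays valid
    ];

    // TRUE: new ID again, and the storage for the previous ID is deleted.
    session_regenerate_id(true);
    $idC = session_id();
    $r['true: id changed'] = $idB !== $idC;
    $r['true: $_SESSION data kept'] = isset($_SESSION['from_index'], $_SESSION['from_signin']);
    $r['true: old id still stored'] = $stored($idB);

    session_write_close();                    // flush the data under the newest ID
    $r['data written under new id'] = $stored($idC) && filesize("$dir/sess_$idC") > 0;

    array_map('unlink', glob("$dir/sess_*")); // remove the demo's session files
    rmdir($dir);
    return $r;
}

foreach (regen_demo() as $check => $value) {
    printf("%-28s %s\n", $check, var_export($value, true));
}
```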