
#1 Time2Burn

Losing Session/Odd Redirect

Posted 26 May 2012 - 02:34 AM

I am experiencing an odd bug with one of my members of a social network I just built. He happens to be my colleague. Anyway, the bug is this:

When he logs in, he is taken to his home page, and instantly he is taken back to the login page. I feel as if his session is 'forgotten' or lost. I have verified that his cookies/session is set. I have made sure that the URLs match, and I've tried to isolate the problem line by line to no avail. This bug has only started happening to him; it doesn't occur with me. If this is useful, his location is Pakistan.

Normally I'd paste code, but it's a lot, plus as a security precaution I cannot paste much. I can only describe as much as possible how it works should I need to.

I've had 3+ years of PHP, and I feel I'm fairly good at it.

Here are the Session Variables, in case you need them:

Array
(
    [in] => 1
    [adm] => 1
    [user] => John C Goodman
    [user_id] => 0b25313888c462091a67dbacb78d39f3
    [lang] => en_US
    [ProfilePic] => http://www.sample.com/a/b/c/d/481d9a6a931783430c6c183ded479bd0_s.jpg
    [username] => JCG
    [whole_name] => John C Goodman
)



Here is a more detailed explanation of the login procedure.

First user visits: https://www.sample.com/login.php

After he enters his email/password, the form is processed in login via if($_POST) detection. Once his credentials are verified, a session is started with all the above variables set.

Then the login page tries to take him to his home page via the header() function; the URL he's supposed to end up in is http://www.sample.com/home.php. (I use the "die()" function right after the header() function to prevent errors).

Once he touches ground on the home.php page, he is instantly redirected to the login page again. And through my line-by-line testing I have isolated the problem in the session handling script. Below is the code for that script:

<?php

	date_default_timezone_set('UTC');
	session_start();
	
	if($_SESSION['in']){
		
		//user is logged in
		
		//set cookie
		$cookie_val = md5($_SESSION['user_id']);		
		setcookie("censored", "{$cookie_val}", time()+259200);
		
	}else{
		//user is NOT logged in
		session_destroy();
		header("Location: https://www.7kins.com/login.php?");
	}

?>



I am puzzled, I find no reason for this to fail, I am even more puzzled that this only happens to him and not me. I cannot at all understand what the problem is, I cannot even recreate the problem.


Replies To: Losing Session/Odd Redirect

#2 Slice

Posted 26 May 2012 - 02:50 AM

I don't think there is enough code here for anyone to give a detailed solution.

Have you tried using exit(); after you call the header?

#3 Time2Burn

Posted 26 May 2012 - 06:10 AM

Thanks for the reply. I have indeed tried using exit() instead of die().

What the code looks like is as soon as the user is verified, his variables are set and immediately after follows:
<?php
header("Location: http://www.sample.com/home.php");die();
 ?>


The code for the home page is very long, but the issue is that the execution stops really early and is redirected back to the login page. In my line-by-line tests I saw that this happened during the stage where the session script was being included near the top.
<?php 
	date_default_timezone_set('UTC');
	
	ob_start('ob_gzhandler');
	
	//SESSION SYSTEM
	require_once("system/session.php");
	
	//page execution is no longer continued, redirect
?>


I already included the code for the session script.


#4 Atli

Posted 26 May 2012 - 06:22 AM

This is happening only for this one user, and not any of the other users?

Based on your description, I'm guessing that this is the line that is failing, in your session script:
if($_SESSION['in'])



Have you tried to var_dump($_SESSION); in the else clause before the session_destroy(), just to see what is in there?

#5 CTphpnwb

Posted 26 May 2012 - 08:53 AM

You're missing an exit:
<?php

	date_default_timezone_set('UTC');
	session_start();
	
	if($_SESSION['in']){
		
		//user is logged in
		
		//set cookie
		$cookie_val = md5($_SESSION['user_id']);		
		setcookie("censored", "{$cookie_val}", time()+259200);
		
	}else{
		//user is NOT logged in
		session_destroy();
		header("Location: https://www.7kins.com/login.php?");
		exit; // <-- because this is missing the server keeps running the code below
	}
	// If the code below shows the user's page they might see that for a second or two before the redirect takes full effect.
?>


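An added example, not code from the thread: a version of the session include in which the redirect branch always terminates, the `in` flag is read without an undefined-index notice, and the session cookie is expired when the session is destroyed. The helper name `require_login()` and the cookie flags are assumptions; the login URL is the one given in the first post.

```php
<?php
// Added example (not from the thread): a guard for system/session.php.
// require_login() is a hypothetical helper; the cookie flags are assumptions.
// The array forms of session_set_cookie_params()/setcookie() need PHP 7.3+.

date_default_timezone_set('UTC');

function require_login(string $loginUrl): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Cookie flags have to be set before session_start().
        session_set_cookie_params([
            'lifetime' => 0,
            'path'     => '/',
            'secure'   => true,   // browser sends the cookie over HTTPS only
            'httponly' => true,   // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
        session_start();
    }

    // empty() covers both "key missing" and "falsy value" without a notice.
    if (!empty($_SESSION['in'])) {
        return; // logged in: the including page carries on
    }

    // Not logged in: clear server-side data and expire the browser cookie.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }
    session_destroy();

    header('Location: ' . $loginUrl, true, 302);
    exit; // nothing below the guard runs for an unauthenticated request
}

require_login('https://www.sample.com/login.php');
```

With `secure` set, every page that includes the guard has to be served over HTTPS, so the post-login redirect would need to target the https:// form of home.php; over plain http:// the browser withholds the cookie and the guard sends the user back to the login page.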

#6 Time2Burn

Posted 26 May 2012 - 09:27 AM

Atli, on 26 May 2012 - 07:22 AM, said:

This is happening only for this one user, and not any of the other users?

Based on your description, I'm guessing that this is the line that is failing, in your session script:
if($_SESSION['in'])



Have you tried to var_dump($_SESSION); in the else clause before the session_destroy(), just to see what is in there?

I've tried the var_dump and found that right before he's redirected he's still shown to be logged in, the $_SESSION['in'] contains data.

CTphpnwb, on 26 May 2012 - 09:53 AM, said:

You're missing an exit:
<?php

	date_default_timezone_set('UTC');
	session_start();
	
	if($_SESSION['in']){
		
		//user is logged in
		
		//set cookie
		$cookie_val = md5($_SESSION['user_id']);		
		setcookie("censored", "{$cookie_val}", time()+259200);
		
	}else{
		//user is NOT logged in
		session_destroy();
		header("Location: https://www.7kins.com/login.php?");
		exit; // <-- because this is missing the server keeps running the code below
	}
	// If the code below shows the user's page they might see that for a second or two before the redirect takes full effect.
?>


I don't see why that is necessary since that code block would only execute if the user is NOT logged in, but the issue here is that he is logged in. Logging in works fully. I'll try it nonetheless.

#7 Duckington

Posted 26 May 2012 - 10:09 AM

Try moving the session_start above the time zone set.

#8 Time2Burn

Posted 26 May 2012 - 10:14 AM

Duckington, on 26 May 2012 - 11:09 AM, said:

Try moving the session_start above the time zone set.


Thank you and the others for the suggestions. I will try these as soon as I can; the ONLY user who this happens with lives in Pakistan, and due to an 11-hour difference I have to wait till he logs in (tries to) again later tonight.

I will reply back with more info/results soon.

#9 CTphpnwb

Posted 26 May 2012 - 10:56 AM

Time2Burn, on 26 May 2012 - 12:27 PM, said:

I don't see why that is necessary since that code block would only execute if the user is NOT logged in, but the issue here is that he is logged in. Logging in works fully. I'll try it nonetheless.

Right, so if for some reason his user name and password aren't matching what's in the database your code would send the redirect followed immediately by the user page. If there is a delay (say your server is busy sending the user page or there are several hops between your server and Pakistan) then he might see the user page momentarily and then have it replaced by the redirected page, in this case that would be the login screen. You might be able to duplicate the problem by using an incorrect user name and password, but your connection might be too fast and too close to the server to see the problem.

#10 Time2Burn

Posted 26 May 2012 - 11:16 AM

Duckington, on 26 May 2012 - 11:09 AM, said:

Try moving the session_start above the time zone set.

Tried it, nothing.

CTphpnwb, on 26 May 2012 - 11:56 AM, said:

Time2Burn, on 26 May 2012 - 12:27 PM, said:

I don't see why that is necessary since that code block would only execute if the user is NOT logged in, but the issue here is that he is logged in. Logging in works fully. I'll try it nonetheless.

Right, so if for some reason his user name and password aren't matching what's in the database your code would send the redirect followed immediately by the user page. If there is a delay (say your server is busy sending the user page or there are several hops between your server and Pakistan) then he might see the user page momentarily and then have it replaced by the redirected page, in this case that would be the login screen. You might be able to duplicate the problem by using an incorrect user name and password, but your connection might be too fast and too close to the server to see the problem.

Ok, I made sure that each header(Location:) had an "exit" immediately after, and it did not work. I tried testing on a simple page where once he logged in he was redirected to, test.php.

The code for test.php is:
<?php
	//SESSION SYSTEM
	session_start();
	echo "test";
	echo "<pre>";
	print_r($_SESSION);
	var_dump($_SESSION);
	echo "</pre>";
?>



Yet it outputs int(1338055002071838100), how is that possible? I tried logging in myself and I set it so that it also redirected me to the test.php page and it did output all the proper data. It's as if the transition from login.php to any other page is what causes the session to be lost for this user in Pakistan. Pakistan has a tough network, they lose power often. His IP is not static, though that should not matter since sessions are based on cookies not IP. Could it be some whacky cookie issue? Is it possible that his browser is deleting cookies instantly? What browser would allow a cookie to be set, then erased instantly?

During his login process, RIGHT BEFORE a header redirect I var_dumped his SESSION data, and verified that he was in fact logged in and verified as a member. His session is just being lost somehow.

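An added example, not part of the original post: a variant of test.php that records on the server side whether the browser returned the session cookie at all and which scheme the request used, which separates "the cookie never came back" from "the cookie came back but the session data is gone". The file name `session_diag.php` and the log format are assumptions.

```php
<?php
// Added example (not from the thread): session_diag.php, a hypothetical
// target for the post-login redirect. It writes to the PHP error log so
// session contents are never echoed to the browser.

session_start();

$name   = session_name();               // cookie name, e.g. PHPSESSID
$sent   = $_COOKIE[$name] ?? null;      // what the browser actually sent
$params = session_get_cookie_params();
$https  = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

$report = [
    'time_utc'        => gmdate('c'),
    'scheme'          => $https ? 'https' : 'http',
    'host'            => $_SERVER['HTTP_HOST'] ?? '(none)',
    // Did the request carry the session cookie?
    'cookie_received' => is_string($sent),
    // False means PHP opened a different (new) session than the one sent.
    'id_matches'      => is_string($sent) && hash_equals(session_id(), $sent),
    'cookie_secure'   => $params['secure'],
    'cookie_domain'   => $params['domain'],
    'cookie_path'     => $params['path'],
    // Key names only, never the values.
    'session_keys'    => array_keys($_SESSION),
    'logged_in_flag'  => !empty($_SESSION['in']),
    'user_agent'      => substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 120),
];

error_log('session_diag ' . json_encode($report));

// Minimal response for the person testing; details stay in the log.
header('Content-Type: text/plain; charset=utf-8');
echo $report['cookie_received']
    ? "session cookie received\n"
    : "no session cookie in request\n";
echo $report['logged_in_flag']
    ? "session has login flag\n"
    : "session has no login flag\n";
```

In the log, `cookie_received: false` on an `http` request while `cookie_secure` is true means the browser withheld the cookie because of the scheme change. `cookie_received: true` with an empty `session_keys` points at server-side session storage instead.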

#11 CTphpnwb

Posted 26 May 2012 - 12:31 PM

It's possible his computer has cached the page, so it's trying to display the header followed by the login page even though you've changed your code. Have him empty his browser cache.

And keep the exit after the header. It should always be there if you have more code following the block it's in.

#12 Time2Burn

Posted 26 May 2012 - 02:14 PM

CTphpnwb, on 26 May 2012 - 01:31 PM, said:

It's possible his computer has cached the page, so it's trying to display the header followed by the login page even though you've changed your code. Have him empty his browser cache.

And keep the exit after the header. It should always be there if you have more code following the block it's in.

Thanks, I'll try that. I usually use die(); any difference between 'die' and 'exit'?

Also, he has another computer in his home, and with this other computer he can successfully log in without any errors. It wasn't until he recently bought a new laptop that he started to experience this issue.


#13 CTphpnwb

Posted 26 May 2012 - 02:40 PM

die is usually used for reporting errors:
die("Oops! Something that shouldn't have happened did!");


If it's as I think it is, the error might or might not show up on different versions of different browsers. With a redirect you're essentially saying: "Go to this new site." and it's up to the browser whether or not it continues listening on the current connection as it starts another one.

#14 Atli

Posted 26 May 2012 - 04:37 PM

You could avoid the whole redirect issue altogether if you included the login page rather than redirecting there. The only downside is that the old URL would still show.

// Instead of the redirect, try:
include "login.php";
exit; // So nothing else is shown after the login page.



If the login page includes other pages, like a function library or something like that, make sure that is done using include_once rather than include, or you may get function/class redefinition problems.

#15 Time2Burn

Posted 27 May 2012 - 02:40 AM

Thank you everyone for the suggestions and tips.

I hunted down all "die()" functions and replaced them with "exit;", and that oddly did the trick. I'm still not exactly sure why or how this was causing him to lose his session and be taken BACK to the login page. But somehow, it worked and he is no longer experiencing any problems logging in. You've made a Pakistani very happy. :)


Thanks again!