I am setting up an admin panel for a website, and everything was working fine on my local (MAMP) server. I uploaded the website to the server and the user authentication isn't working anymore. I am able to get a success from the server, but when I'm entering into a page, PHP can't find the required session variable, and thus redirects the user back to the sign in page.
I have tried on both PHP version 5 and 7.
I have tried echoing the session variable upon verification.
I have tried to simply store the variable on one page and read it on another page in the same folder, and that didn't work either.
page1.php
<?php
session_start();
$_SESSION["userid"] = 1;
?>
To Page2
page2.php
<?php
session_start();
if (!isset($_SESSION["userid"])) {
header("Location: page1.php");
die();
}
echo $_SESSION["userid"];
After I click the link in page1.php, page2.php redirects me to page1.php again without any error.
Is your website using some load balancer?
By default, PHP creates the session in server memory. So, if your website is using a different server for each request, the values set in $_SESSION are lost. In this case, a good solution could be to store sessions outside the server, maybe in Redis or Memcached.
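A temporary diagnostic page for the situation this answer describes, as an added example that is not part of the original posts: it shows which backend served the request, where PHP keeps session data, and whether a counter survives a reload. It assumes PHP 7 or later; the function name session_diagnostics() and the array keys are hypothetical.

```php
<?php
// Added diagnostic example, not code from the posts above.
// Remove this file after use: it reveals server configuration.
declare(strict_types=1);

function session_diagnostics(): array
{
    $handler = (string) ini_get('session.save_handler');
    $path    = (string) session_save_path();   // empty means PHP falls back to the temp dir
    $parts   = explode(';', $path);            // "files" paths may look like "N;MODE;/dir"
    $dir     = end($parts) !== '' ? end($parts) : sys_get_temp_dir();

    return [
        'backend_host'  => gethostname(),      // differs between reloads: several backends
        'save_handler'  => $handler,
        'save_path'     => $path,
        'path_writable' => $handler === 'files' ? is_writable($dir) : null,
        'cookie_domain' => ini_get('session.cookie_domain'),
        'cookie_secure' => ini_get('session.cookie_secure'),
        'cookie_sent'   => isset($_COOKIE[session_name()]), // did the browser return the ID?
        'headers_sent'  => headers_sent(),     // true here: session_start() cannot set a cookie
    ];
}

$diag = session_diagnostics();                 // collected before session_start() on purpose
session_start();
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;

header('Content-Type: text/plain; charset=utf-8');
header('Cache-Control: no-store');
echo 'session active: ', var_export(session_status() === PHP_SESSION_ACTIVE, true), "\n";
// Print only a prefix so the full session ID never lands in a screenshot or proxy log.
echo 'session id (first 6 chars only): ', substr((string) session_id(), 0, 6), "\n";
echo 'hits in this session: ', $_SESSION['hits'], "\n";
foreach ($diag as $key => $value) {
    echo $key, ': ', var_export($value, true), "\n";
}
```

Reload the page a few times: if hits stays at 1 while cookie_sent is false, the browser is not returning the session cookie. If cookie_sent is true but hits still resets, or backend_host changes between reloads, the session store is not writable or not shared between backends.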
I developed a web application that allows both entrepreneurs and customers to log in through two different login portals. I developed the application locally, using a XAMPP, i.e. Apache, configuration. There, it worked perfectly.
I am now trying to have it run on a Lighttpd web server which works OK. I'm running into a weird issue. If I use the customer login, everything works fine, the session gets created, and the customer keeps having access to his account data.
When I log in through the entrepreneur portal, something strange happens. When I var_dump() the $_SESSION variable directly after logging in, it shows me the session object correctly. When pressing F5, or navigating to another page in the portal, the $_SESSION variable gets destroyed and var_dump($_SESSION) shows an empty array.
I found Why PHP Session Destroyed? that proposes a solution to fix Lighttpd destroying sessions. I assume that is not the problem, as my sessions work at one login portal, while not at the other.
Does anyone have a clue why my session gets destroyed?
This is how I set my session variable:
$_SESSION["ll_oid"] = $q["id"];
(where $q["id"] is the entrepreneur ID)
And this is how I check it:
$id = $_SESSION["ll_oid"];
if($id == null) {
session_destroy();
header("Location: index.php");
die();
}
At all pages, session_start() is called before any headers are sent.
A problem appears when I upload the site to the online server. User authentication was working on my local computer, but when I upload it to a server, it is not working. When I sign in, it redirects me back to the login page.
I have checked and come to the point that when the page refreshes, the user info is flushed from the session and it redirects back to the login page.
$this->setState('username', $user->username);
The setState method is also not giving the information on the next page.
Please help me out with a possible solution.
Thanks
Make sure that your session was started automatically by the php.ini setting "session.auto_start = 1", or that it was started manually by session_start() or a similar Yii function:
$session=new CHttpSession;
$session->open();
And check your session status with the session_status() function.
I have login code that had been working fine for a couple of years. No code was changed, and the server hosts claim that nothing was changed that would affect sessions.
Here's the basic run-down:
1. User enters login info
2. Sent to process.php
- Sets a $_SESSION['userid'] variable if validation was successful
- Redirected back to previous page (using exit after header())
3. $_SESSION['userid'] is not set.
4. Refresh Page.
5. $_SESSION['userid'] is now set properly.
All pages have session_start(). I've also tried using session_regenerate_id(true); and session_write_close(); nothing has changed.
Any ideas on server configuration or errors in my code would be welcome.
I'm building a simple website with a few pages such as index.php, about.php etc. I've included a navigation file and I want it to automatically choose the current page and use different styling. It can be done with one variable. The easiest way is to use the GET method, but I want to have a shorter URL. So is there any other way? Because as far as I know POST refers only to forms. Maybe I should use cookies?
Use a session. It will keep a set of values stored in the $_SESSION superglobal as long as the client's session cookie is still set.
Example:
page1.php
<?php
session_start();
$_SESSION['test'] = "Hello, session!";
?>
page2.php
<?php
session_start();
echo $_SESSION['test'];
?>
If you visit page2.php first, you'll get no output. Once you visit page1.php, it will set the 'test' session variable. When you view page2.php again, it will show the result. This session is server-side, and is accessed by the session ID stored in a cookie by the browser. Session cookies are usually deleted when the browsing session ends (i.e. the user closes the browser) or when the session cookie timeout expires. Most sites use this as a mechanism to handle logins, by setting session variables relating to the logged in user (e.g. user id) when a login completes successfully.
See the PHP sessions reference: http://www.php.net/manual/en/book.session.php
I have observed my php application behaving rather strangely on the server that it is running on. When a user first visits the application, and clicks on a link with an absolute path, the session data is cleared.
I have recreated the problem as simply as possible. The code can be found below.
I have solved this problem by removing all absolute links in my application, I am simply looking for an explanation of this behavior.
To recreate the problem:
click 'login'
click 'relative link' and observe that the session still has the 'logged_in' variable set
click 'absolute link' and observe that the session data appears to be missing
click your browser's back button and observe that the session data has returned
click 'absolute link' and observe that the session data is missing again
click 'home (relative link)' and observe that session data is missing this time
click 'login' to reset the session data
click 'absolute link' again and observe that the session data was not cleared this time
Some important things to note:
This is not a problem locally on my mac running MAMP with php 5.3.2, but is a problem on a server with php 5.2.14 and a different server running 5.3.2
clicking the absolute link, and then the relative home link without login prevents the problem from ever occurring once you do log in.
once the problem is solved by the method just mentioned, it can only be recreated by navigating to a different domain, clearing your browser's cache and navigating back. Clearing the cache without leaving the page will not work.
this is also a problem if using an absolute path when redirecting using header('Location: ...')
index.php:
<?php
session_start();
print_r($_SESSION);
?>
<br/>Absolute link
<br/>Relative link
<br/>Log in | Log out (reset session)
page.php:
<?php
session_start();
print_r($_SESSION);
?>
<br/>Home (relative link)
login.php:
<?php
session_start();
$_SESSION['logged_in'] = true;
header('Location: index.php');
logout.php:
<?php
session_start();
$_SESSION = array();
session_destroy();
header('Location: index.php');
At least in your example the pages are switching between two domains (rhun.ithaca.edu and www.ithacahealth.org). You'll notice that if you click "Log in" on both domains, then you'll have logged_in=1 in all cases. Anyway, that's the primary cause of the problem - two different domains.
Session cookies do not differ from any other cookies (from a browser's point of view), so they are subject to the same limitations - the relevant one being that you have to be on the same domain. You can change the session cookie settings with session_set_cookie_params() (that has to be done before session_start()), but even so you cannot allow the same cookie to be read from a different domain, only from a subdomain, if you require it.
Also, I don't know if it is relevant, but keeping the webpage on a single domain/subdomain might help a little with search engine optimization - especially in cases where there is different content between the domains/subdomains, search engines might consider them to be different webpages and split their pagerank between them.
Solved:
Thanks to Nouveau for pointing out that a cookie can only be used for one domain and The Scrum Meister for asking if I always access the site with a www.
The problem was created by starting at http://myserver.com and following the link to http://www.myserver.com
The Session was initialized for http://myserver.com and then again for http://www.myserver.com
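One way to avoid the two-host situation described in the answer and the "Solved" note above, as an added example that is not part of the original posts: redirect every request to a single canonical host before the session starts, then set the cookie parameters explicitly with session_set_cookie_params(). It assumes PHP 7.3 or later (array form of session_set_cookie_params()); CANONICAL_HOST, www.example.com and both function names are hypothetical.

```php
<?php
// Added example, not code from the posts above. Requires PHP 7.3+.
// CANONICAL_HOST and both function names are hypothetical.
declare(strict_types=1);

const CANONICAL_HOST = 'www.example.com'; // assumption: the single host the site should use

/** Returns the URL to redirect to, or null when the request already uses the canonical host. */
function canonical_redirect_target(string $host, string $uri, bool $https): ?string
{
    $host = strtolower((string) preg_replace('/:\d+$/', '', $host)); // drop port, normalise case
    if ($host === CANONICAL_HOST) {
        return null;
    }
    // Build the target from the constant, never from the client-supplied Host header.
    $path = (isset($uri[0]) && $uri[0] === '/') ? $uri : '/';
    return ($https ? 'https' : 'http') . '://' . CANONICAL_HOST . $path;
}

function start_app_session(bool $https): void
{
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => '',      // host-only: returned only to the exact host that set it
        'secure'   => $https,  // on an HTTPS site, never send the cookie over plain HTTP
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

if (PHP_SAPI !== 'cli') {
    // Assumption: TLS terminates on this server; behind a proxy, derive $https from
    // the proxy's forwarded-protocol header instead.
    $https  = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $target = canonical_redirect_target(
        $_SERVER['HTTP_HOST'] ?? '',
        $_SERVER['REQUEST_URI'] ?? '/',
        $https
    );
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    start_app_session($https);
}
```

Setting 'domain' to a parent domain instead would let subdomains share the session, but it also means every subdomain receives the session ID, so the host-only default is the narrower choice when one host is enough.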