Sessions and redirect php not working

I am doing a PHP script check.php that checks if a user is logged in. There is only one user, so the password is written directly in the PHP code. check.php is included on the top line (line 1) of each relevant page with the line <? include "check.php"; ?> .

The code

I deleted the password and domain name. Other than that, my code. The point here is that you enter the password on the login page, and then send it a POST to this script.

If the password is valid xxx, the login session will keep true .

If the password is incorrect , but set, that is, the user typed something incorrectly, any existing session ends with session_destroy() , that is, it is logged out.

If the user reaches a page but is not logged in , the login session must be false or not set, which means } elseif(!($_SESSION['login'])) { will be used.

Finally, if he clicks the logout button, he is sent to this script with the URL: check.php?logout=true . logout=true should be caught in $_GET in the final elseif statement, and the session should end there.

    <?
    ob_start();
    session_start();
    if($_POST['password'] == 'xxx') { // Correct password
        $_SESSION['login'] = true;
        header("Location: http://www.url.com/administration/index.php");
    } elseif (isset($_POST['password'])) { // Wrong password
        session_destroy();
        header("Location: http://www.url.com/administration/login.php?true");
    } elseif(!($_SESSION['login'])) { // Check at every page
        header("Location: http://www.url.com/administration/login.php");
    } elseif($_GET['logout']) { // Log out
        session_destroy();
        header("Location: http://www.url.com/");
    }
    ob_flush();
    ?>

Problem

In every if statement, I'm trying to redirect. I use header("Location:...) , but it does not work in any of the cases. Since the header command should be the first request to be sent to the browser according to the specifications, I used ob_start(); and ob_flush(); as described here . This does not work with or without them.

There is also a problem with a session that will not store content. I cannot keep true in the session for some reason. Is there a problem with my code that causes it to crash?

As a test, I tried to write the echo command in each if / ifelse expression. From this, I found that the script always enters the third statement - the one that has it !($_SESSION['login']) .

Question

So far so good. This tells me that the script may detect that the session is not established.
Two problems remain:

  • WHY redirection in the instruction does not work, since there is no redirection, but
  • WHY a session cannot be set in the first place.

Any advice would be appreciated.


Update 1

To make it clear what is happening (and what does not happen), I added several echo statements in different places. The code snippet above with the extra echo statements:

    ...
    echo "Input: " . $_POST['password'];
    echo "<br>Session before: " . $_SESSION['login'];
    if($_POST['password'] == 'xxxx') { // Correct password
        $_SESSION['login'] = true;
        header("Location: http://www.url.com/administration/index.php");
        echo "<br>Session after: " . $_SESSION['login'];
        echo "<br>The first if works";
    }
    ...

returns the following output:

    Input: xxxx
    Session before:
    Session after: 1
    The first if works

(xxxx is the password and it is correct.)

This is the situation when you log in. You just wrote a password and were sent to check.php .

So, I see here that it refers to the first if , as expected. And the session is correctly set to true (or 1 ). When I refresh the page, the session is no longer established. Must not be?

And header redirection obviously does nothing.


Update 2

So, thanks to the answer from @EmilF below, I found that my session ID, which I can print to the screen using echo session_id(); , changes each time the page is changed or the page is updated to some new random number. It seems to me that the data stored in the session is then forgotten because the new session identifier indicates somewhere else.

Using:

    <?
    session_id('cutckilc16fm3h66k1amrrls96');
    session_start();
    ...

where cutckilc16fm3h66k1amrrls96 is just a random number, the session id is fixed, and the saved data can now be restored again after the page is refreshed. This works well; although it’s still a little strange that this is necessary.

Now I only need the header redirection to work ...

Well, it smells of something that has been disabled. Session and header settings changed. Perhaps these are some PHP settings from the host. Something that blocks the header request.

To be continued...

Update 3 - Solution

See my answer below.

Some strange characters are created at the beginning of the file when I change the file to a different encoding format, for example from ANSI to UTF-8. The created characters are  , and I do not see them in my own editor. Since they are in front of the PHP script, they impede the operation of header and session_start() . Why they are created is still a mystery to me.

+6
4 answers

Mystery solved here: Byte order mark


The best answer:

fooobar.com/questions/1277 / ...

+2

Okay, let's list everything that you can debug here, also mentioning what you have already done (so that other people can read it):

  • Do you have something like HTTP Header installed? You can then see if the Location: header has been sent to your browser or not.
  • I suppose you are not getting error messages, are you? Have you set error_reporting(E_ALL); ?
  • Try executing var_dump() for the $_POST array.
  • Do you have something to check cookies in your browser? I usually use the Firefox web developer toolbar plugin that has a Cookie menu → show cookie information. There you will see the cookie PHPSESSID (after logging in). If not, your URL should contain some information about the session identifier (looks like this ?PHPSESSID=514515ca274866b9f0b5b2520b6fcbb4 ). Otherwise, PHP cannot find the session because it does not know which of the sessions belongs to you.

If this does not help to check if the cookie is set:

  • Open the header plugin again, and then sign in. Check if the server sends the cookie to you. This should be done in the Set-Cookie command. It might look like this: Set-Cookie: PHPSESSID=514515ca274866b9f0b5b2520b6fcbb4; path=/
  • If the server does not set cookies, check the settings in php.ini . There must be a session.use_cookies = 1 setting, which must be set to 1 or On to allow PHP to use cookies.
  • If the server has set a cookie, but your browser does not allow it, check your browser settings for cookies. Also check php.ini setting for session.use_only_cookies = 0 . If this parameter is set to 1 , you do not allow PHP to use the URL if the browser does not accept cookies. This is usually forbidden for security reasons, because people copy URLs to friends, and then these friends take over the session;) So just set it to 0 for debugging purposes.
  • var_dump() the return value of session_start() . It will return false if PHP was unable to start the session correctly.
+3

Try printing PHPSESSID with session_id(). Do you get the same result if you keep refreshing?

If you do not, try to set the identifier with: session_id('cutckilc16fm3h66k1amrrls96')

http://php.net/manual/en/function.session-id.php

Now it should work, but with the same session for all users.

The problem might be something like this: PHP session data is not saved

+1

After long days and nights of testing, reading and requesting and with a lot of help from the participants on this issue - many thanks for your efforts! - I slowly reached such a rather mysterious solution to the problem.
The solution I found, but I still didn't have an explanation ...

So, as described in Update 2, I found from the answer from @EmilF that the session ID was constantly changing. Then an idea arose to suspect a server / host problem. I contacted the host - one.com - who at first, like me, did not understand why this did not work.

But then he told me that there were some rather odd characters at the beginning of the check.php file. I could not see them in my own editor. They were not visible until I accessed the file through the browser-based FileManager software that one.com provides.

Problem and Solution

The top of the file looked like this:

    <? ob_start();
    session_start();
    if($_POST['password'] == 'xxx') { // Correct password
        $_SESSION['login'] = true;
    ...

You can see the odd  characters at the beginning. As I said, they were not visible in my own Notepad ++ editor, as well as in the usual Notepad. I sent the file to a friend to check it, and he could not see them either in his editor or in the Code.

These characters, of course, will act as output in the browser. That is, this is a request to the browser that appears before session_start() and header("Location:... Since these two commands must come before any request to the browser, they do not work in this case with the characters present.

Sessions and the header command now work with the characters removed.

No explanation yet ...

I have no idea why they are there, but after testing I found out how they got there:

In Notepad ++, I can change the encoding format in the menu. When I switch from, for example, ANSI to UTF-8, the characters appear. In the normal Notepad, I can save as UTF-8 as an option in the "Save As" window. And the characters also appear in this case.

In any case, I can only see  characters when I view the code through a browser-based editor that takes files directly from the server. And to nominate the editor is always the  that are created.

I have no explanation. This might be a good topic for another SO question.

Thanks to everyone who tried to help me. I answer this question here because it is the answer. But all the help and debugging tricks were highly appreciated and very helpful.

Thank you very much and all of you are well.

0
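An added example, not part of the original question or answers: a Python check for the condition described in the answer above, where bytes in front of the opening tag of an include file such as check.php are sent as output before session_start() and header() run. It goes slightly beyond the UTF-8 byte order mark case by also flagging whitespace or other content before the tag; the function names and the sample bytes are assumptions made for illustration.

```python
import codecs
import re
import sys
from pathlib import Path

# Short (<? ), full (<?php) and echo (<?=) opening tags.
OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)

# Constructed sample: the top of check.php as saved with a UTF-8 BOM.
SAMPLE = codecs.BOM_UTF8 + b"<? ob_start(); session_start();"


def leading_output(data: bytes):
    """Name what PHP would emit before the first opening tag, else None."""
    match = OPEN_TAG.search(data)
    if match is None:          # no PHP code in this file: nothing to check
        return None
    prefix = data[: match.start()]
    if not prefix:
        return None
    if prefix.startswith(codecs.BOM_UTF8):
        return "UTF-8 BOM"
    if not prefix.strip():
        return "whitespace before opening tag"
    return "other output before opening tag"


def strip_bom(data: bytes) -> bytes:
    """Return the file content without a leading UTF-8 BOM."""
    if data.startswith(codecs.BOM_UTF8):
        return data[len(codecs.BOM_UTF8):]
    return data


def scan(root):
    """Map each *.php file under root that has leading output to its finding."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        finding = leading_output(path.read_bytes())
        if finding:
            findings[str(path)] = finding
    return findings


if __name__ == "__main__":
    for name, finding in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name}: {finding}")
```

Run against the site's document root, it lists every PHP file that would emit output before its first opening tag; template files that intentionally start with HTML will also be listed and can be ignored.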

Source: https://habr.com/ru/post/920492/
