Bug #49462 Session variables not saved after redirect, session_write_close(), die() used
Submitted: 2009-09-03 23:01 UTC Modified: 2009-09-12 01:00 UTC
Votes:9
Avg. Score:4.7 ± 0.7
Reproduced:7 of 7 (100.0%)
Same Version:1 (14.3%)
Same OS:4 (57.1%)
From: greg dot solak at profiletwist dot com Assigned:
Status: No Feedback Package: Session related
PHP Version: 5.3.0 OS: Linux
Private report: No CVE-ID: None
 [2009-09-03 23:01 UTC] greg dot solak at profiletwist dot com
Description:
------------
PHP SESSION variable $_SESSION['user_level'] is not saved after the page is redirected using header(location: ...). Session_write_close() is used right before redirect. After redirect die() is called. After a second attempt at login, everything works!

Reproduce code:
---------------
<?php
// If login successfully ->

// Change session properties
$_SESSION['user_level'] = 7;
// Force session to save changes before redirection
session_write_close(); // REQUIRED
// Regenerate session id for security + fix bug in which some session variables are lost during redirect
session_regenerate_id(true);
// Redirect to Access main page
header('Location: http://www.domain.com/access/main.php');
die();

?>

Expected result:
----------------
At the new page (the one the user was redirected to) the $_SESSION['user_level'] should == 7. However, the session variable was not saved, as the user is redirected back to the login page. After a second attempt at logging in, everything works as expected.

Actual result:
--------------
Redirected back to login page, because when php checked if the user had the proper credentials

if ($_SESSION['user_level'] != 7) {
 // redirect back to login page
}

Other important information: session_start(); is called on every page.

 [2009-09-04 11:25 UTC] jani@php.net
Does this happen with PHP 5.2.10 ? (hint: works just fine for me on several sites without any problems..)
 [2009-09-04 11:26 UTC] jani@php.net
Also, your example script really can't work since it does not have session_start() called at all. It's not enough that you say it's there when it clearly isn't. 
 [2009-09-12 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2009-09-20 17:26 UTC] wouter at prepaidwebhost dot nl
Same problem, however not on the 5.3 version of PHP, but using PHP 5.2.10-2.2 on Debian Squeeze.
 [2014-10-26 22:40 UTC] webmaster at tubo-world dot de
This is a usage problem. The given reproduction code is wrong. You have to call session_write_close() AFTER session_regenerate_id(). Otherwise the session_regenerate_id does not do anything because it is not operating on an open session. The only thing php could do is throw a WARNING here, so developers can detect the error.

So I think this issue can be closed.
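
The call order described in the last comment, as an added example that is not part of the bug report or of PHP's own code: the session is open when the id is regenerated, the return value is checked, and session_write_close() comes last before the redirect. The function names complete_login() and require_level() and the path /access/login.php are hypothetical; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the bug report. Assumes PHP 7.1 or later.
// complete_login(), require_level() and the paths are hypothetical names.
declare(strict_types=1);

function complete_login(int $userLevel, string $target): void
{
    // session_regenerate_id() only works on an open session.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Rotate the id first; true also deletes the pre-login session data.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('Session id was not regenerated');
    }

    $_SESSION['user_level'] = $userLevel;

    // Write and close last, so the data is stored under the new id
    // before the browser follows the redirect.
    session_write_close();

    header('Location: ' . $target);
    exit;
}

function require_level(int $required, string $loginUrl): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Strict comparison; a missing key counts as "not logged in".
    if (($_SESSION['user_level'] ?? null) !== $required) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

// Login page, after the credentials have been verified:
//     complete_login(7, '/access/main.php');
// Top of /access/main.php:
//     require_level(7, '/access/login.php');
```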