Bug #49462 Session variables not saved after redirect, session_write_close(), die() used
Submitted: 2009-09-03 23:01 UTC Modified: 2009-09-12 01:00 UTC
Votes:9
Avg. Score:4.7 ± 0.7
Reproduced:7 of 7 (100.0%)
Same Version:1 (14.3%)
Same OS:4 (57.1%)
From: greg dot solak at profiletwist dot com Assigned:
Status: No Feedback Package: Session related
PHP Version: 5.3.0 OS: Linux
Private report: No CVE-ID: None

 [2009-09-03 23:01 UTC] greg dot solak at profiletwist dot com
Description:
------------
PHP SESSION variable $_SESSION['user_level'] is not saved after the page is redirected using header(location: ...). Session_write_close() is used right before redirect. After redirect die() is called. After a second attempt at login, everything works!

Reproduce code:
---------------
<?php
// If login successfully ->

// Change session properties
$_SESSION['user_level'] = 7;
// Force session to save changes before redirection
session_write_close(); // REQUIRED
// Regenerate session id for security + fix bug in which some session variables are lost during redirect
session_regenerate_id(true);
// Redirect to Access main page
header('Location: http://www.domain.com/access/main.php');
die();

?>

Expected result:
----------------
At the new page (the one the user was redirected to) the $_SESSION['user_level'] should == 7. However, the session variable was not saved, as the user is redirected back to the login page. After a second attempt at logging in, everything works as expected.

Actual result:
--------------
Redirected back to login page, because when php checked if the user had the proper credentials

if ($_SESSION['user_level'] != 7) {
 // redirect back to login page
}

Other important information: session_start(); is called on every page.

History

 [2009-09-04 11:25 UTC] jani@php.net
Does this happen with PHP 5.2.10? (hint: works just fine for me on several sites without any problems..)
 [2009-09-04 11:26 UTC] jani@php.net
Also, your example script really can't work since it does not have session_start() called at all. It's not enough that you say it's there when it clearly isn't. 
 [2009-09-12 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2009-09-20 17:26 UTC] wouter at prepaidwebhost dot nl
Same problem, however not on the 5.3 version of PHP, but using PHP 5.2.10-2.2 on Debian Squeeze.
 [2014-10-26 22:40 UTC] webmaster at tubo-world dot de
This is a usage problem. The given reproduction code is wrong. You have to call session_write_close() AFTER session_regenerate_id(). Otherwise the session_regenerate_id does not do anything because it is not operating on an open session. The only thing php could do is throw a WARNING here, so developers can detect the error.

So I think this issue can be closed.
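
The call order described in the last comment, written out as an added example; it is not code from the bug report or from any commenter. It assumes PHP 7.1 or later (for session_status() and the type declarations), and the names complete_login(), require_level() and REQUIRED_LEVEL are hypothetical.

```php
<?php
// Added example: rotate the session id on login while the session is open,
// write the privilege level, then flush and redirect.
// Hypothetical names: complete_login(), require_level(), REQUIRED_LEVEL.

const REQUIRED_LEVEL = 7;

function complete_login(int $userLevel, string $redirectTo): void
{
    // The report's snippet never opened a session; make that explicit here.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Regenerate BEFORE closing. Passing true deletes the old session data,
    // so an id issued before authentication cannot be reused afterwards
    // (the session fixation defence the reporter was aiming for).
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('Could not regenerate session id');
    }

    // Written under the new id.
    $_SESSION['user_level'] = $userLevel;

    // Flush to storage before the browser follows the redirect, so the
    // next request reads the updated data.
    session_write_close();

    header('Location: ' . $redirectTo);
    exit;
}

// Guard for protected pages: the check from "Actual result", made
// tolerant of a missing key and strict about the stored type.
function require_level(int $level, string $loginUrl): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_level']) || $_SESSION['user_level'] !== $level) {
        header('Location: ' . $loginUrl);
        exit;
    }
}
```

After credentials are verified the login script calls complete_login(REQUIRED_LEVEL, $target); each protected page calls require_level(REQUIRED_LEVEL, $loginUrl) before producing output.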
 