PHP Session Data Not Being Stored

Question

I'm making a login system, but when a user logs in, it doesn't actually store any of the data i want it to in the session. I even checked the session's file, and it was empty. I have session_start(); on all the pages. what else could i be doing wrong. Heres the code for the two main pages.

the login code:

<?
if ($DEBUG == true) {
    error_reporting(E_ALL);
}
require "header.php";

require_once "dbinterface.php";
require_once "user.class.php";
require_once "config.inc.php";

$db = new db($DB['host'], $DB['user'], $DB['pass'], $DB['database']);

$u_result = $db->run("select user_id from users where user_name = '" . $db->escape($_POST['user_name']) . "'");

if ($u_result == false) {
    $url = 'Location: error.php?id=8';
    header($url);
}

if (count($u_result) < 1) {
    $url = 'Location: error.php?id=3';
    header($url);
}

$user = new user($u_result[0]['user_id']);

if ($user->match_password($_POST['pass']) == true) {
    $_SESSION['authenticated'] = true;
    $_SESSION['user_id'] = $u_result[0]['user_id'];
    $_SESSION['user'] = $user;
} else {
    $url = 'Location: error.php?id=4';
    header($url);
}
session_write_close();
header('Location: index.php');

?>

The header that gets included in every page:

<?php
if (!session_start()) {
    $url = "Location: error.php?id=13";
    header($url);
}
?>

A little background:

• windows 7 (also tried on windows
• server 2008, but currently on 7) PHP
• 5 localy hosted problem is present
• for everyone problem exists in all
• browsers

Answer 1

Here are a couple suggestions (I don't really know what's happening and/or why ; so they are only suggestions ; maybe one will solve the problem ^^ ).

First of all, a couple of questions :
(They matter at least if none of these suggestion does the trick)

• Which version of PHP / Apache are you using ?
• Are you on Windows ? Linux ?
• If you are on your "production" server, what hosting service are you using ? Maybe there's something special about it ?
• Is the problem present for every one ?
  • Is there always a problem when you are browsing the site ?
  • Is it still present when you are accessing the site from another browser ?
  • What about from another computer ?
• If you use something like var_dump($_SESSION); die; at the end of the script that sets data in session, what does it give ?

First idea : what if you set some header to disable caching by the browser ?
Stuff like this, for instance :

session_start();
header("Cache-control: private");

Second idea (at least if you are on windows) : did you try disabling you antivirus / firewall ?
Is the session cookie correctly created in the client's browser ?
If you are using sub-domains (or not) : is the cookie's domain OK ? What about it's expiration date ?

Third idea :

• you said error_reporting is set to E_ALL, which is nice
• what about display_errors ? Is it set to On so that errors get displayed ?
• Is there anything interesting in PHP/Apache's error_log ?

Another one : Are you sure there is absolutly nothing that gets to the output before the session_start ? Not even white spaces ?

Yet another one : Are you sure about permissions on the directories / files ?

• Permission to write in a directory means you can create new files, and/or delete old ones.
  • But, if I remember correctly, not that you can modify them
• To modify files, you need write access on the files too
  • Actually, your webserver need write access to those files ^^

What are the permissions on the session's directory, and on the (empty) files that get created ?

I'm beginning to run out of ideas... With a bit of luck, maybe one of those will be the right one... Or help you find out what the right one would be !

Good luck !

Answer 2

A probable cause is that execution continues after the header('Location...') statements. However it looks like you want it to stop, so you should add 'exit;' after redirecting to error.php. E.g.:

if ($u_result == false) {
    $url = 'Location: error.php?id=8';
    header($url);
    exit;
}

This could also be part of your problem, as you never go to error.php and see the error code. The last line is always executed:

header('Location: index.php');

And since header()'s default behavior is to replace existing headers, you always go to index.php no matter what.

Answer 3

Based on a comment in the PHP header() documention, I believe you need to do the following at the bottom of your file. header('Location: x'); is a special case of using the header() function, and it can interfere with session passing if a session has not had time to write before the header() call is issued. session_write_close() should fix that.

...    
session_write_close();
header('Location: index.php');

Answer 4

The SessionID is nowhere to be found. I had this problem once, sessions were being created like crazy but nothing got stored. (also, make sure You have proper write permissions to the session folder, once had a problem of that sort as well)

What You REALLY want to do, is

$sessid = session_start(); // for the beginning of a new session, and

session_start($sessid); // at the start request for each subsequent call until session is destroyed using session_destroy()

Of course, passing the $sessid variable between webpages is up to You. I prefer to use a &sessid= link additive ;> (that way I immediately know when something's gone awry ;P)

Remember, that the only way to ENSURE proper session restoring is to pass on the session ID. I know it's optional, and on most systems it should just work out-of-the-box, but sometimes it just doesn't, and there's simply NO guarantee about session behavior on shared hosting.

Just as a protip, try wrapping Your sessions in a class with 'magic' default handlers for __set() and __get(), might make Your life a little easier later on for verifying session data (the __call() handler is esp. useful for that). And make the constructor for the class expect a session id, with 0 (or -1 or whatever) being 'start new session', and make sure it screams errors if the ID isn't set explicitly - that'll alert You to obvious problems.

---------[ Edit

And oh, did I mention - in a shared environment with lots and lots of user requests, not naming your sessions explicitly can lead to bleed-through problems (one user being logged on as another). For the most part this doesn't happen, but if You have a really screwed-up hosting configuration, not naming Your sessions and relying on 'default behavior' can lead to multiple disasters at once. ;-)