PHP Sessions... not "read" by IE

[theknight571]

IE 6 & 7 (only versions tested so far) seems to be ignoring the PHP session I've created.

How the "app" works:

User logs in, session is created, and misc info is stored in the session.

Info is checked in session variables and used to determine if certain fields/buttons/etc should be displayed on subsequent pages.

If I use FireFox, the "app" works as it should.

If I use IE (6 or 7), the "app" works as if there were no session variables set.

After some snooping around... I found the session files on the server, and all of the variables and data are there, IE just doesn't use it or see it.

Any ideas on what might be happening?

 

[sourceninja]

Your session cookie is not getting created on IE (Probably an IE setting to not accept those cookies). Try passing the session id in the URL string and see what happens.

 

[Crusty]

^^ What he said, make sure that the domain your cookies are being issued for is the same domain that you are accessing the site from.

 

[DaveSimmons]

You may also need a path=/ in the cookie to make it visible to all pages.

 

[theknight571]

Ok... I'm still relatively new to PHP etc., so bear with me...

I'm using "sessions" (stored on server) i.e. ( session_start(); ) not "cookies" (stored on local PC)... unless they are the same and I'm just treating them as something different.

I noticed that if I delete all session files on the server then login to my "app", two session files are created... one is blank (empty) and the other contains all the data I need to reference... is this normal? or is this where my problems lies? and why would FireFox know where to look and IE doesn't... grrrrr

From your suggestions:

- I set IE7 to accept all cookies... and got the same results.

- All my pages are in the same domain... www.aaa.com (not my real site ) but the login page is in one directory and the subsequent pages are in a subdirectory.

- I'm working on putting the session name in the URL to see if that helps and am also looking into the path=/ suggestion.

Thanks for the help.

 

[clamum]

My first thought was the security level setting in Internet Explorer. I've experienced the same thing as you and it was due to too high of a security setting.

But, you said you set IE to accept all cookies so that's probably not it (you set it in the "Privacy" tab in "Internet Options", right?).

Can you paste some code snippets of what you're working with?

All I've had to do when working with sessions was the following:

Login.php:
<?php
....session_start();
....
....// get login into from form, etc
....
....$_SESSION['username'] = $username;
?>

SomePage.php:
<?php
....session_start();
....
....if (isset($_SESSION['username'])) {
........$username = $_SESSION['username'];
........echo "<p>Your username: $username</p>";
....}
?>

 

[theknight571]

Ok... more info...

my login.php page calls it self when the form is submitted (See code snippets)

I started dumping various bits of info to the screen and watching for the session files more closely...

When I load the login.php page a session file (session1, for the sake of argument) is created and is empty.

Then after successfully logging in... a second session file (session2) is created.

Session2 contains all of the information, while session1 remains empty.

It turns out that IE is referencing session1.

Now why FireFox uses session2 but IE uses session1, I have no idea.

I also am not sure why a 2nd session file is created.

I'ma keep lookin at it, but any/all suggestions are welcome.

Thanks for the help.

Ok the attach code didn't work like I thought it would....

My "login.php"
-----------------------------------
<?PHP
session_start();
...
if(!isset($_POST['submit']))
..{
..prompt for login etc...
..}
else
..{
..process login credentials (sp?)
..if good lookup data in DB, and then set various $_SESSION variables
..redirect to page that displays proper information }
?>

My "data.php"
-------------------------------------
<?PHP
session_start();
...
HTML Code with calls to php functions passing $_SESSION variables
?>

 

[Crusty]

Well, your users need a way to tell the server which session belongs to them, so php will set a cookie for you with a session ID. If on the next page request the browser doesn't send along it's session id cookie then the server will generate a new session for them.

There's a plugin for Firefox called HTTP Live Headers. Can you install that, open it up, and save all the headers that get sent to/from the server during the login process and post it here? Make sure to sanitize any usernames/passwords/ip addresses if you don't us to see them.

 

[theknight571]

Crusty... let me look for and install that plugin...

Also... I've now noticed that each time I hit the login button a new session is created (weather login was successful or not)... which gives me an idea.... brb.

 

[theknight571]

Ok... after typing that last response and having a thought while in the middle of typing it I moved my session_start(); command to after the login processing, instead of at the top of the file...

My "login.php"
-----------------------------------
<?PHP
...
if(!isset($_POST['submit']))
...{
...prompt for login etc...
...}
else
...{
...process login credentials (sp?)
...if good
......{
......session_start();
......Lookup data in DB, and then set various $_SESSION variables
......redirect to page that displays proper information
......}
...else
......{
......display error message
......}
...}
?>

This seems to have solved the problem... but I am still checking/testing.

 

[Crusty]

session_start() needs to be the first thing that's done on a new request. If the user doesn't currently have a session on the server, it will create one. If the user DOES have a session, that is if the browser sends along the session id in a cookie, then session_start() will load all the session info into the $_SESSION variables.

 

[theknight571]

Originally posted by: Crusty
session_start() needs to be the first thing that's done on a new request. If the user doesn't currently have a session on the server, it will create one. If the user DOES have a session, that is if the browser sends along the session id in a cookie, then session_start() will load all the session info into the $_SESSION variables.

session_start(); doesn't need to be the first command in the PHP file does it? Because that's what the book I have made it sound like, which it why I had it where it was.

I just moved it on a whim... to see if it would work.

A user doesn't need a session until they've successfully logged in anyway.

 

[Crusty]

Originally posted by: theknight571

Originally posted by: Crusty
session_start() needs to be the first thing that's done on a new request. If the user doesn't currently have a session on the server, it will create one. If the user DOES have a session, that is if the browser sends along the session id in a cookie, then session_start() will load all the session info into the $_SESSION variables.

session_start(); doesn't need to be the first command in the PHP file does it? Because that's what the book I have made it sound like, which it why I had it where it was.

I just moved it on a whim... to see if it would work.

A user doesn't need a session until they've successfully logged in anyway.

No, but if you are wanting to redirect a user to login form if they don't have credentials then you'll want to have a session made for them already. They goto page X, they don't have credentials, so you store teh current page in their session, redirect them to the login page, and then after they login you check the session for the page that they were trying to access and you redirect them there.

It's also useful to enable/disable stuff like a welcome message. First time they goto your homepage you show a welcome message, and then set a field in their session saying they've seen the message so the next time they view the homepage you don't show them the message. This would be independent of whether they are logged in or not.

Think of sessions as a way to store data about a user, so that you have access to it across all pages in your site. It's not just tied down to the login system you are using.