Losing session variables after redirect

Question

1. User fills in username and password.
2. If it's correct, the page loads some information such as user_id to a session variable.
3. The script makes a header('Location') redirect.
4. Somehow the next page doesn't recognize the session... how come?

The redirection is to the same domain, and all pages have session_start();

And I found it more likely to happen in IE than in FF... strange.

Answer 1

Is it possible that cookies aren't enabled?

In order to be able to associate session variables with a specific client instance (ie. how session variables can be used on your browser and my browser at the same time without getting into a conflict), a "session ID" (or "SID") is generated per session. This ID is stored on the server, as well as on the client, usually in the form of a cookie. However, if cookies are not enabled, the session ID is passed along as part of the query string of the URL in each request so that the server can know what session ID belongs to the client.

When you redirect by a header() call, PHP does not automatically insert the SID into the new request, so you will need to append it yourself, in the form of:

header("Location: my_url.com/my_page.php?" . SID)

where SID is a constant defined by PHP that contains the necessary part of the query string (equivalent to session_name() . '=' . session_id() , if a session ID exists).

See Passing the Session ID for more details.

Answer 2

I just had a similar issue, the solution was to simply add an exit(); instruction under the header(..) redirection.

Answer 3

Two thoughts:

1. Is session_start() located at the top of the scripts, before anything is sent to the browser?
2. Is the domain exactly the same? www.mydomain.com re-directing to mydomain.com would lead to the problem you describe.

Answer 4

header("Location: my_url.com/my_page.php?" . SID)
exit();

It only worked after I added exit() below the header();

Answer 5

The WordPress documentation states that cookies will be cleared if the user's password is changed. That will kill the session, regardless of whether a redirect happens. So long as you can prevent the cookies from being cleared (and an exit() may do that, as suggested in other answers) than the session should remain.

Note: If current user's password is being updated, then the cookies will be cleared!

http://codex.wordpress.org/Function_Reference/wp_update_user

Answer 6

I had this problem today and have been searching for a way to fix it. I already had what everyone else has mentioned and could not find an answer anywhere.

Eventually I found the answer after watching my session variables with Firebug . I noticed that on the pages that the variables were being lost, the session Parameter:secure was being set to true for some reason unknown to me.

The fix was to set the secure parameter to false before the session was created.

I accomplished this using session_set_cookie_params . Something like this:

session_set_cookie_params([lifetime], [path], [domain], false, true);