PHP session values not set

Question

I'm having some strange issues with PHP session variables claiming to not be set. I'm only encountering this in one particular situation:

My site has a 3-step wizard and I use sessions to store the user's selections on each step. To start the wizard, I use an init script that ensures any old wizard session data is wiped out - this init script then redirects the user to step 1. For example:

// Initialize wizard session and send user to step 1
$_SESSION['wizard'] = array();
$_SESSION['wizard']['step1'] = TRUE;
session_write_close();
header('Location: http://mysite.com/wizard/step1.php');

Then at the top of step1.php, I do a check like:

if (!isset($_SESSION['wizard']['step1'])) 
    throw new Exception('Step1 not initialized');

When the user submits the step1 form, it is posted back to itself for validation. If it passes, another redirect is done to step 2.

Most of the time, this works fine. In fact, the init script always works and the step1 form always loads without a problem. But sometimes, submitting the step 1 form, the 'Step1 not initialized' exception gets thrown.提交第 1 步表单后，会抛出“第 1 步未初始化”异常。 I don't see how the initial load could pass the check but the form post fail it moments later. Especially considering this problem happens infrequently and most of the time there are no problems at all.

I am using a database to store my session data and I don't think this is due to session timeouts or garbage collection - some related php.ini values:

session.use_cookies = 1
session.cookie_lifetime = 0
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 86400

Does anyone know what could be causing such a problem? Any insight would be greatly appreciated.

Thanks, Brian

Answer 1

Make sure that every script that uses your sessions begins with session_start()

Answer 2

Did you remember to call session_start() before interacting with $_SESSION and also before any output has be sent to the browser (including any white space or blank lines before <?php ?

Answer 3

If not the entire session is empty, but just that variable/key, you can use this to track the reason:

class foo extends ArrayObject{
    function __destruct(){
        echo 'dying:';
        debug_print_backtrace();
    }
}
session_start();
$_SESSION['wizard'] = new foo();
//array access is still possible
$_SESSION['wizard']['foz'] = 1234;
//reading it like an array also
echo $_SESSION['wizard']['foz'];
//on normal completion, it also gets called, the backtrace would be:
//dying:#0  foo->__destruct()
//^ ignore those

//on overwriting / deleting values, like for instance this by accident:
$_SESSION['wizard'] = array();
//the backtrace is something like:
//dying:#0  foo->__destruct() called at [filename:linenumber]

... and you'll have a filename+linenumber Possibly write it to a temporary file rather then echo'ing it to make sure you don't miss stuff on redirects etc.