Posted by Tom on 04/25/06 09:35

I hope someone can help me figure out what's going on here. I've
re-read the section on sessions at php.net and Googled this high and
low but I haven't found anything that quite explains my problem.

The basic problem: session data (e.g. $_SESSION['access_level']) gets
dropped after visitor logs in and reloads the page via a form once or
twice (it seems to vary), requiring the visitor to re-login, whereupon
the problem repeats itself.

An outline of my login script:

1. a function protect_page at the beginning of the protected page's
script checks to see if the visitor is logged in by checking two
session values ($_SESSION['access_level'] and $_SESSION['login_time']).

2. if logged in with sufficient access and session not too old, show
page. if not, require_once an include file that displays a login form
(everything's buffered, so it's not a header problem)

3. post login form, check credentials; if ok, display protected page

I have a log that tracks the behavior but it's a bit too long to
include here. One peculiarity I've noted is that after logging in,
when I post the form on the protected page, it appears to successfully
load the page once with the session data. But then it reloads the page
a second time (according to the log) and the session data is lost --
thus logging me out! There's nothing in the script that should trigger
the page to be reloaded. I use session_regenerate_id to avoid session
fixation. Could this be a factor?

Another complication: this problem occurs on two development servers
(one running XAMPP on Linux, the other WAMP). But on a third running
WAMP, it doesn't happen and everything runs as designed.

Finally, I took note of the following posts describing similar problems
with session data being lost:

Initialize crucial SESSION data
(http://us2.php.net/manual/en/function.session-write-close.php#63970)

Use session_write_close after assigning crucial SESSION data
(http://us2.php.net/manual/en/ref.session.php#62486)

Turn off ZoneAlarm (http://forum.sydphp.org/index.php?a=topic&t=255#p7)

However, the suggestions offered (e.g. using session_write_close()
liberally, turning off ZA ) did not solve my problem. And my php.ini
file appears to be in order.

I hope this is clear and detailed enough. Does anyone recognize it?
Any help is appreciated.

Tom

• Next in forum: Re: Chmod
• Prev in forum: Re: noob question - integer output format, use of SUM in MySql
• Thread view: session problem with login script

[Reply to this message]