Redirects and $_SESSION
I know in the fairly distant past there have been issues with $_SESSION and redirects but they're so long ago I'd have thought them fixed by now. However I'm getting some odd behaviour on a particular site.
I put a text file log line into a controller's on_start(), the output of which is
1.2.3.4 START
1.2.3.4 response found 1, psmhjrd0gp0m551h5clb4356c1
1.2.3.4 START
1.2.3.4 response found 1, psmhjrd0gp0m551h5clb4356c1
1.2.3.4 START
1.2.3.4 response found ,
Where 1.2.3.4 is the requestor IP so I know it's all from me and START is where the controller is entered and the response line the logged items, being C5's idea of the logged in userid and the PHP session_id().
This is all one request with two redirects into the same controller to different methods, so the page is requested by the browser, then redirects twice based on variables, GET data and so on.
The session vanishes by the third request and so does the userid. Bizarrely I am still logged into C5 so there should be a userid.
I've logged other requests where the session disappears then actually comes back and still others where the session_id() changes but the user remains the same.
To throw fuel on the fire I didn't config this server which is PHP 7.3 FIPS and I'm beginning to suspect this may not be helping - I have other servers I did config which use $_SESSION with no trouble whatsoever so I'm really fishing for any bells any of this might ring for people.
There's a session_start() explicitly in the package controller as I want to be certain a session exists for all users regardless as there are some processes they can do, leave and return to without logging in or which don't create a user until they're completed so progress data is stored in the session. I'm assuming that whatever C5's idea of the session is shouldn't clash or work against $_SESSION itself.
Basically when a user is logged in $_SESSION['name'] works between page redirects, however when a user is logged out and a redirect happens, it appears that the sessions are destroyed as they're not registering on the landing pages.