PHP session variables not carrying over to the logged in page, but session ID is


I'm using PHP 4.3.9, Apache/2.0.52

I'm trying to get a login system working that registers DB values in a session where they're available once logged in. I'm losing the session variables once I'm redirected.

I'm using the following code to print the session ID/values on my login form page and the redirected page:

echo '<font color="red">session id:</font> ' . session_id() . '<br>';
echo '<font color="red">session first name:</font> ' . $_SESSION['first_name'] . '<br>';
echo '<font color="red">session user id:</font> ' . $_SESSION['user_id'] . '<br>';
echo '<font color="red">session user level:</font> ' . $_SESSION['user_level'] . '<br><br>';

This is what's printed in my browser from my login page (I just comment out the header redirect to the logged in page). This is the correct info coming from my DB as well, so all is fine at this point.

session id: 1ce7ca8e7102b6fa4cf5b61722aecfbc
session first name: elvis
session user id: 2
session user level: 1

This is what's printed on my redirected/logged in page (when I uncomment the header/redirect). Session ID is the same, but I get no values for the individual session variables.

session id: 1ce7ca8e7102b6fa4cf5b61722aecfbc
session first name:
session user id:
session user level:

I get the following errors:

Undefined index: first_name
Undefined index: user_id
Undefined index: user_level

I have a global header.php file which my loggedIN.php does NOT call, though loggedOUT.php does – to toast the session):



//if NOT on loggedout.php, check for cookie. if exists, they haven't explicity logged out so take user to loggedin.php
if (!strpos($_SERVER['PHP_SELF'], 'loggedout.php')) {
    /*if (isset($_COOKIE['access'])) {
} else {
    //if on loggedout.php delete cookie
    //setcookie('access', '', time()-3600);

    //destroy session
    $_SESSION = array();
    setcookie(session_name(), '', time()-3600);

//defines constants and sets up custom error handler

?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "">

some page layout stuff

Login portion is eventually called via include

footer stuff

My loggedIN.php does nothing but start the session

?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "">

The logic of my login script, the key part being I'm fetching the DB results right into $_SESSION (about half way down):

if (isset($_POST['login'])) {
        //access db

        //initialize an errors array for non-filled out form fields
        $errors = array();

        //setup $_POST aliases, clean for db and trim any whitespace
        $email  = mysql_real_escape_string(trim($_POST['email']), $dbc);
        $pass   = mysql_real_escape_string(trim($_POST['pass']), $dbc);

        if (empty($email)) {
            $errors[] = 'Please enter your e-mail address.';

        if (empty($pass)) {
            $errors[] = 'Please enter your password.';

        //if all fields filled out and everything is OK
        if (empty($errors)) {
            //check db for a match
            $query = "SELECT user_id, first_name, user_level 
                    FROM the rest of my sql here, blah blah blah";

            $result = @mysql_query($query, $dbc) 
                OR trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error($dbc));

            if (@mysql_num_rows($result) == 1) { //a match was made, OK to login

                //register the retrieved values into $_SESSION
                $_SESSION = mysql_fetch_array($result);
                setcookie('access'); //if "remember me" not checked, session cookie, expires when browser closes
                                     //in FF you must close the tab before quitting/relaunching, otherwise cookie persists

                //"remember me" checked?
                if(isset($_POST['remember'])){ //expire in 1 hour (3600 = 60 seconds * 60 minutes)
                    setcookie('access', md5(uniqid(rand())), time()+60); //EXPIRES IN ONE MINUTE FOR TESTING

echo '<font color="red">cookie:</font> ' . print_r($_COOKIE) . '<br><br>';
echo '<font color="red">session id:</font> ' . session_id() . '<br>';
echo '<font color="red">session first name:</font> ' . $_SESSION['first_name'] . '<br>';
echo '<font color="red">session user id:</font> ' . $_SESSION['user_id'] . '<br>';
echo '<font color="red">session user level:</font> ' . $_SESSION['user_level'] . '<br><br>';


                $url = BASE_URL . 'loggedin_test2.php';
                header("Location: $url");
            } else {
            //wrong username/password combo
            echo '<div id="errors"><span>Either the e-mail address or password entered is incorrect or you have not activated your account. Please try again.</span></div>';

            //clear $_POST so the form isn't sticky
            $_POST = array();
        } else { 
        //report the errors
        echo '<div id="errors"><span>The following error(s) occurred:</span>';

            echo '<ul>';
            foreach($errors as $error) {
                echo "<li>$error</li>";
            echo '</ul></div>';

    } // end isset($_POST['login'])

if I comment out the header redirect on the login page, I can echo out the $_SESSION variables with the right info from the DB. Once redirected to the login page, however, they're gone/unset.

Anyone have any ideas? I've spent nearly all day on this and can't say I'm any closer to figuring it out.

BTW, I recently made 2 simple test pages, one started a session, set some variables on it, had a form submit which redirected to a second page which did nothing but read/output the session vars. It all seems to work fine, I'm just having issues with something I'm doing in my main app.

Best Solution

I don't see a session_start() in your login script. If you aren't starting the session I don't think php will save any data you place in the $_SESSION array. Also to be safe I'd explicitly place variables into the $_SESSION array instead of just overwriting the whole thing with $_SESSION = mysql_fetch_array($result);.

Related Question