Unreliable reading of $_SESSION data

Question

I have two PHP files that I have abstracted below: FILE 1: login.php

<?
ob_start();
session_start();
$q = "SELECT user_id, user_first_name, user_priv, user_reg_date, user_pref, user_last_login FROM Users WHERE (user_email='$e' AND user_pass=SHA1('$p')) AND user_active IS NULL";       
$r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));

if (mysqli_num_rows($r) == 1) { // A match was made.

   // Register the values & redirect:
   $_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC);
   session_write_close();           
   mysqli_close($dbc);
   $url = BASE_URL . '/CustomIndex.php'; // Define the URL:
   ob_end_clean(); // Delete the buffer.
   header("Location: $url");
   exit(); // Quit the script.
}
?>

FILE 2: CustomIndex.php

<?
ob_start();
session_start();
if (empty($_SESSION['user_first_name'])) {
   if(isset($_GET['custom2'])){
      $url = BASE_URL . '/index.php'; // Define the URL.
      ob_end_clean(); // Delete the buffer.
      header("Location: $url");
      exit(); // Quit the script.
   }
   sleep(5);
   $url = BASE_URL . "/CustomIndex.php?custom2=1";
   ob_end_clean(); // Delete the buffer.
   header("Location: $url");
   exit(); // Quit the script.
}

if(isset($_SESSION['user_first_name'])){
//  …program code…
}
?>

When FILE 1 (login.php) is executed, then maybe 10% of the time the "if (empty($_SESSION['user_first_name']))" statement in FILE 2 (CustomIndesx.php) is true, and instead of being executed, the client is redirected to index.php, as if the $_SESSION variables had not been set.

However, after that happens, if I run FILE 2 (CustomIndesx.php) directly, it reads the $_SESSION data and executes properly.

I added all that code after "SLEEP" to simulate running CustomIndesx.php manually, but except for delaying the redirect by 5 second, nothing changed.

Can anyone suggest a reason for this random behavior, and how to eliminate it?

[link to php session info](http://douglasgstinson.com/phpsessioninfo.rtf) — Doug Stinson, Jun 11 '17 at 17:32
Some people says ``session.auto_start`` should be on. you can use for this ``ini_set`` function if you can't change the php.ini file. Other thing is little complicated, you can change session save handler files to redis. It'll be more efficient. — Mehmet S., Jun 11 '17 at 18:43

score 0 · Answer 1 · 2017-06-11T17:38:13.453

1) An important thing is: session_start() must be the first code line in both pages. If not, the session is closed after finished running each page script.

See what happened in

2) Then, in login.php code part:

session_write_close();           
mysqli_close($dbc);
$url = BASE_URL . '/CustomIndex.php'; // Define the URL:
ob_end_clean(); // Delete the buffer.
header("Location: $url");

You are writing in session with session_write_close() and closing it. Then, in the CustomIndex.php you are trying to open it again. It seems that it's not the same session id opened. So, try to delete session_write_close(); line and test again.

Good luck!

EDIT 1:

Login.php:

<?php
session_start();
$q = "SELECT user_id, user_first_name, user_priv, user_reg_date, user_pref, user_last_login FROM Users WHERE (user_email='$e' AND user_pass=SHA1('$p')) AND user_active IS NULL";
$r = mysqli_query($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));

if (mysqli_num_rows($r) > 0) {
    $_SESSION = mysqli_fetch_array($r, MYSQLI_ASSOC);
    mysqli_close($dbc);
    $url = BASE_URL . '/CustomIndex.php';
    header("Location: $url");
    exit();
}
?>

CustomIndex.php:

<?php
session_start();

if (!isset($_SESSION['user_first_name']) || empty($_SESSION['user_first_name'])) {
    echo 'SESSION USER_FIRST_NAME IS NOT SET!';
} else {
    echo 'SESSION USER_FIRST_NAME IS OK: ' . $_SESSION['user_first_name'];
}
?>

I added "session_write_close()" in an attempt to solve the problem. So I have the same probnlwm with and without that code. — Doug Stinson, Jun 11 '17 at 17:12
@DougStinson Try again with the simplified answer of me. No `ob_...` functions needed and no redirects in `CustomIndex.php`, because you really need to narrow the "error"-prone causes. — , Jun 11 '17 at 17:37
I switched the order of ob_start() and session_start(). That may have helped, but since the problem is intermittent, only more testing will show for sure. Thanks — Doug Stinson, Jun 11 '17 at 17:50
@DougStinson You are welcome. Test my EDIT 1 version and give feedback. — , Jun 11 '17 at 17:52

Unreliable reading of $_SESSION data

1 Answers1

EDIT 1: