How to redirect after setting session?

deko <de**@hotmail.com> wrote:

I have a login page that is supposed to redirect the user to his private
page after login. But header("Location: $url") does not work after I set
the $_SESSION variable - I get "Warning: Cannot modify header information -
headers already sent by ...
Argghhh, yet another "Headers already sent" question.

This error has nothing to do with setting session. The error tells you
where the problem is: line 4
<?php
session_start();
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
[etc, etc]
[login form]
<?
if (credentials are valid)
{
session_start();
$_SESSION['username'] = $uid;
header("Location: $url");
}
?>

One option I've heard about is using ob_start() at the top of the page - but
that seems to screw up my session. I could also use Javascript like this:

Fix your script flow is the better one:

<?php
session_start();

if(credentials are valid)
{
//set session and redirect
die();
}
?>
<html>
....

I agree with Daniel Tryba: "Fix your script flow is the better one:"

At the moment you are calling session_start(); twice on the check
credentials section. Once at the start of the page and once in "if
(credentials"
This can't be done after the head of the html.
You only every need to start the session once in a page.
Follow Daniel Tryba instructions for the layout and you'll be fine.
Brent Palmer.


"deko" <de**@hotmail.com> wrote in message
news:E4******************@newssvr21.news.prodigy.c om...

I have a login page that is supposed to redirect the user to his private
page after login. But header("Location: $url") does not work after I set
the $_SESSION variable - I get "Warning: Cannot modify header
information -
headers already sent by ...

The abbreviated code on the login page looks like this:

<?php
session_start();
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
[etc, etc]
[login form]
<?
if (credentials are valid)
{
session_start();
$_SESSION['username'] = $uid;
header("Location: $url");
}
?>

One option I've heard about is using ob_start() at the top of the page -
but
that seems to screw up my session. I could also use Javascript like this:

<script language="javascript">
window.location.href=("<?php echo $url; ?>");
</script>

but then folks without Javascript won't get redirected.

Are there any other alternatives?

Thanks in advance.

> <?php

session_start();

if(credentials are valid)
{
//set session and redirect
die();
}
?>

Thanks for the help.

So I moved the code to the top of the page, and the redirect works now. But
there are a couple of problems:

Before, when I hit my browser's back button, I would get "Warning... page
has expired" - which was nice - so the user could not log in again. Now I
don't get that error - it just goes back to the login page. Is there a way
to have that error appear?

The other thing, which is more of a problem, is that when the the session
expires, the "private page" has this code:

echo "Your session has timed out. You must <a href= '".$url."'>log in
again</a> to view this page.";
session_destroy();

When the user clicks on the link to go back to the login page, and re-enters
credentials, then clicks submit, the redirect fails with "Cannot find
page..." - apparently the header is getting screwed up the second time
around. What appears in the address window of my browser is something like
this:

https://hostname.myisp.com/~acctname/<?php%20echo%20http://www.mysite.com/login.php;%20?>

Is there a way to clear out the header first? Other suggestions?

Here is the revised code:

session_start();
if ($username && $password)
{
$uid = trim($username);
$pas = trim($password);
if (credentials are valid)
{
$_SESSION['user'] = $uid;
$_SESSION['timeout'] = time();
$url="https://hostname.myisp.com/~acctname/privatePage.php";
header("Location: $url");
unset($em);
unset($pw);
die();
}
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
[html code...]
<?php
//if we are here then user enter bad credentials
if ($username && $password)
{
echo "Login Failed";
}
?>
[more html code...]

> When the user clicks on the link to go back to the login page, and
re-enters

credentials, then clicks submit, the redirect fails with "Cannot find
page..." - apparently the header is getting screwed up the second time
around. What appears in the address window of my browser is something like this:

https://hostname.myisp.com/~acctname/<?php%20echo%20http://www.mysite.com/login.php;%20?>

I've noticed this behavior occurs in Firefox every time - even the first
time. Is there some bug in Firefox that prevents PHP from setting the
header? Or is my code not setting the header correctly?

deko <de**@hotmail.com> wrote:

Before, when I hit my browser's back button, I would get "Warning... page
has expired" - which was nice - so the user could not log in again. Now I
don't get that error - it just goes back to the login page. Is there a way
to have that error appear?
You are the first person I see that actually wants that warning, most
people want to get rid of it (by using a redirect) :)

The only way I know to actually get the warning is to not do a
redirection after a post. You could make your login script like this:

<?php

if($user && $passwd)
{
if(valid())
{
?>
<html><body>
Login success <a href='next.php'>click here to continue.</a>
</body></html>
<?php
die();
}
}
else
{
$user='';
$passwd='';
}
?>
<html>
<?php
if($user)
echo "Login failed!";
?>
<form>
</form>
</html>

But that is getting very ugly very fast, I would suggest using a
template engine (like smarty) to truly seperate output and logic (do a
bunch of checks, determine template to show and set variables
accordingly to that tempalte).
The other thing, which is more of a problem, is that when the the session
expires, the "private page" has this code:

echo "Your session has timed out. You must <a href= '".$url."'>log in
again</a> to view this page.";
session_destroy(); https://hostname.myisp.com/~acctname/<?php%20echo%20http://www.mysite.com/login.php;%20?>

Is there a way to clear out the header first? Other suggestions?

That is scary... how is $url defined in that page?

> You are the first person I see that actually wants that warning, most

people want to get rid of it (by using a redirect) :)

I can live with it, but I'll try your suggestion.

The other thing, which is more of a problem, is that when the the session expires, the "private page" has this code:

https://hostname.myisp.com/~acctname/<?php%20echo%20http://www.mysite.com/login.php;%20?>
Is there a way to clear out the header first? Other suggestions?

That is scary... how is $url defined in that page?

Good question. In fact, I think that was my problem.

But the real barf bag is that the SESSION does not appear to get set in
Firefox. I surfed around a bit and saw that others have also had similar
probelms with Firefox and login scripts. If you have any suggestions on how
to get the script working with Firefox, that would be great...

Thanks again for the help.

> But the real barf bag is that the SESSION does not appear to get set in

Firefox. I surfed around a bit and saw that others have also had similar
probelms with Firefox and login scripts. If you have any suggestions on how to get the script working with Firefox, that would be great...

Some further testing with Firefox -

Here again is the Login page code:

session_start();
if ($username && $password)
{
$uid = trim($username);
$pas = trim($password);
if (credentials are valid)
{
$_SESSION['user'] = $uid;
$_SESSION['timeout'] = time();
$url="https://hostname.myisp.com/~acctname/privatePage.php";
header("Location: $url");
unset($em);
unset($pw);
die();
}
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
[html code...]
<?php
//if we are here then user enter bad credentials
if ($username && $password)
{
echo "Login Failed";
}
?>
[more html code...]
Here is all the code on the redirect page:

<?php
session_start();
echo $_SESSION['uid'];
?>

Result: Nothing is echoed on the screen. But the redirect works...

I've played around with the SSL settings in Firefox, but no luck. I'm
wondering if the problem has something about carrying sessions over an SSL
connection??