sending session cookie before redirect

Hi!

I have a function in a lot of pages, which redirects to a new page, if
a form has been submitted:

if (!(defined("DEBUG_INSERT") && DEBUG_INSERT) &&
    !(defined("DEBUG_UPDATE") && DEBUG_UPDATE) &&
    !(defined("DEBUG_SELECT") && DEBUG_SELECT)){
    if ($_POST){
        $_SESSION["postvalue"] = $_POST;
        header("HTTP/1.1 302 Moved Temporarily");
        header ("Location: ".BASE_URL.$sess->assemble(),true, 302);
        header("Connection: close");
        exit();
    }else{
        if (isset($_SESSION["postvalue"])){
            $_POST = $_SESSION["postvalue"];
        }
    }
}

In conjunction with a login form and a browser that accepts cookies
for the session handling, this leads to everyone having to enter his
login and password twice.

I believe this is because the cookie does not get sent before the
header ("Location:
Has anyone an idea how to force this or send them by hand?

Cheers, Jochen
--
Jochen Daum - CANS Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/
Jul 16 '05 #1
A Martian named "Jochen Daum" <jo*********@cans.co.nz> telepathically
imparted message <pn********************************@4ax.com> to us on
Thu, 04 Sep 2003 23:57:35 -0500:
Hi!

I have a function in a lot of pages, which redirects to a new page, if a
form has been submitted:

if (!(defined("DEBUG_INSERT") && DEBUG_INSERT) &&
!(defined("DEBUG_UPDATE") && DEBUG_UPDATE) &&
!(defined("DEBUG_SELECT") && DEBUG_SELECT)){
if ($_POST){
$_SESSION["postvalue"] = $_POST;
header("HTTP/1.1 302 Moved Temporarily");
header ("Location: ".BASE_URL.$sess->assemble(),true, 302);
header("Connection: close");
exit();
}else{
if (isset($_SESSION["postvalue"])){
$_POST = $_SESSION["postvalue"];
}
}
}
}
In conjunction with a login form and a browser that accepts cookies for
the session handling, this leads to everyone having to enter his login
and password twice.

I believe this is because the cookie does not get sent before the header
("Location:
Has anyone an idea how to force this or send them by hand?

Cheers, Jochen


Keep it simple:

session_start();
if (!isset($_SESSION['postvalue'])):
    header ("HTTP/1.1 302 Moved Temporarily to Singapore");
    header ("Location: http://myhost.com/login.php");
    exit();
endif;
$_POST = $_SESSION['postvalue'];
// show the page

BTW, is there any reason that you just *have* to
use $_POST for all the pages? $_POST is only needed to
retrieve the variables from the (login?) form. After that,
you are free to do everything in $_SESSION['postvalue'].

The "to Singapore" part is just a jest. Don't include it :D
Jul 16 '05 #2
HI Gary!

On Sun, 07 Sep 2003 09:31:51 GMT, Gary Petersen
<ga*******@REMOVE.MEearthlink.INVALID> wrote:
A Martian named "Jochen Daum" <jo*********@cans.co.nz> telepathically
imparted message <pn********************************@4ax.com> to us on
Thu, 04 Sep 2003 23:57:35 -0500:
Hi!

I have a function in a lot of pages, which redirects to a new page, if a
form has been submitted:

if (!(defined("DEBUG_INSERT") && DEBUG_INSERT) &&
!(defined("DEBUG_UPDATE") && DEBUG_UPDATE) &&
!(defined("DEBUG_SELECT") && DEBUG_SELECT)){
if ($_POST){
$_SESSION["postvalue"] = $_POST;
header("HTTP/1.1 302 Moved Temporarily");
header ("Location: ".BASE_URL.$sess->assemble(),true, 302);
header("Connection: close");
exit();
}else{
if (isset($_SESSION["postvalue"])){
$_POST = $_SESSION["postvalue"];
}
}
}
}
In conjunction with a login form and a browser that accepts cookies for
the session handling, this leads to everyone having to enter his login
and password twice.

I believe this is because the cookie does not get sent before the header
("Location:
Has anyone an idea how to force this or send them by hand?

Cheers, Jochen
Keep it simple:

session_start();
if (!isset($_SESSION['postvalue'])):
header ("HTTP/1.1 302 Moved Temporarily to Singapore");
header ("Location: http://myhost.com/login.php");
exit();
endif;
$_POST = $_SESSION['postvalue'];
// show the page


How does the value of all form fields get into $_SESSION?
BTW, is there any reason that you just *have* to
use $_POST for all the pages? $_POST is only needed to
retrieve the variables from the (login?) form.


No. I have eg. a form on nearly every page to change filters of the
data displayed etc.

Jochen
--
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/
Jul 16 '05 #3
On Sun, 07 Sep 2003 21:56:31 +1200, Jochen Daum wrote:
How does the value of all form fields get into $_SESSION?


you have to put it there, by simple assignment:

$_SESSION['parameter'] = $_POST['parameter'];

or something to that effect.
Jul 16 '05 #4
Hi Gerhard!

On Sun, 07 Sep 2003 12:16:26 -0700, Gerhard Fiedler
<no****@globo.com.REMOVE> wrote:
On Sun, 07 Sep 2003 21:56:31 +1200, Jochen Daum wrote:
How does the value of all form fields get into $_SESSION?


you have to put it there, by simple assignment:

$_SESSION['parameter'] = $_POST['parameter'];

Well, I understand that. That's why I had it there in the original
post.

Any suggestions for my original problem?

Jochen
--
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/
Jul 16 '05 #5
A horsie named Jochen Daum demonstrated surprising intelligence and
its ability to use morse code on Sun, 07 Sep 2003 04:56:31 -0500 when
it tapped <9u********************************@4ax.com> with its hoof:
HI Gary!

Hi Jochen!
On Sun, 07 Sep 2003 09:31:51 GMT, Gary Petersen
<ga*******@REMOVE.MEearthlink.INVALID> wrote:
[...]
Keep it simple:

session_start();
if (!isset($_SESSION['postvalue'])):
header ("HTTP/1.1 302 Moved Temporarily to Singapore");
header ("Location: http://myhost.com/login.php");
exit();
endif;
$_POST = $_SESSION['postvalue'];
// show the page


How does the value of all form fields get into $_SESSION?


The login.php page should present a username/password form
to the user. When the user submits the form, the form's data
would go to a process_login.php page. If the username and
password are correct, process_login.php would put all of
the necessary data into $_SESSION['postvalue']. The password
does not need to be stored in the session.

BTW, is there any reason that you just *have* to
use $_POST for all the pages? $_POST is only needed to
retrieve the variables from the (login?) form.


No. I have eg. a form on nearly every page to change filters of the
data displayed etc.


To make my life easier, I would do this:
if (isset($_POST['somevariable'])) {
    $_SESSION['displayform'] = $_POST;
    $disp = & $_SESSION['displayform'];
}

Then I would use $disp for everything on the page.
"Somevariable" is just any variable that you can use
to make sure that the form variables are there.
Good luck.

PS.
Unless you are running on a dedicated server, sessions
are not all that secure.
Jul 16 '05 #6
On Mon, 08 Sep 2003 07:41:24 +1200, Jochen Daum wrote:
Well, I understand that. That's why I had it there in the original
post.
I only looked at the post I answered to... :-/
Any suggestions for my original problem?


It seems Gary answered. But for more, I guess some more code would be
necessary. At first sight (without actually testing it) there seems
nothing wrong with your code.

You say that you do something with cookies -- but there's no cookie
code in what you posted. You can look at the cookie (at the client),
and you can also look at the headers that get exchanged (use something
like Proxomitron) to make sure they do what you want them to do.

You can also dump your postvalue and _POST arrays at various points to
make sure they contain what you expect them to contain. That should
get you closer to the point where things start to diverge from what
you think they should do.

Jul 16 '05 #7
Hi Gary!

....
[...]
Keep it simple:

session_start();
if (!isset($_SESSION['postvalue'])):
header ("HTTP/1.1 302 Moved Temporarily to Singapore");
header ("Location: http://myhost.com/login.php");
exit();
endif;
$_POST = $_SESSION['postvalue'];
// show the page

How does the value of all form fields get into $_SESSION?


The login.php page should present a username/password form
to the user. When the user submits the form, the form's data
would go to a process_login.php page. If the username and
password are correct, process_login.php would put all of
the necessary data into $_SESSION['postvalue']. The password
does not need to be stored in the session.

Sorry, you misunderstand the problem slightly. The data stored in
postvalue is not the data from the login form, but from another form.
It should actually be all form data, that is sent by post in a whole
application (meaning a set of web pages). The problem is, that if I
run the function above (my original one) every time there is a post
form (including the login), then the user gets prompted twice for the
password/username. This is IMO, because the cookie with the PHPSESSID
is not sent to the client browser, before the header ("Location" line.
I think it is like that, because
1.) it works fine, if I exclude the login form from the ones handled
by this function
2.) it works with browser denying all cookies.

BTW, is there any reason that you just *have* to
use $_POST for all the pages? $_POST is only needed to
retrieve the variables from the (login?) form.


No. I have eg. a form on nearly every page to change filters of the
data displayed etc.


To make my life easier, I would do this:
if (isset($_POST['somevariable'])) {
$_SESSION['displayform'] = $_POST;
$disp = & $_SESSION['displayform'];
}

Then I would use $disp for everything on the page.
"Somevariable" is just any variable that you can use
to make sure that the form variables are there.


I thought of marking the login form with a hidden field, so that I can
recognise it, but I actually want the functionality also for the login
form. It's basically about usability against speed. The users don't
understand what they have to do, if the browser asks them if they
want to resubmit the data. That's why I redirect them to a GET request
every time, so that the message doesn't come up.
PS.
Unless you are running on a dedicated server, sessions
are not all that secure.


I do.

Jochen

--
Jochen Daum - CANS Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/
Jul 16 '05 #8
Hi Gerhard,
Any suggestions for my original problem?
It seems Gary answered. But for more, I guess some more code would be
necessary. At first sight (without actually testing it) there seems
nothing wrong with your code.

You say that you do something with cookies -- but there's no cookie
code in what you posted. You can look at the cookie (at the client),
and you can also look at the headers that get exchanged (use something
like Proxomitron) to make sure they do what you want them to do.


When you use PHP sessions, a unique ID is transported to the browser
by a cookie, if the browser accepts it. AFAIK on the first request
there is always a cookie sent, and if it wasn't there and a session
has been started with the SID parameter in the URL none gets sent.

This is the cookie I'm talking about. My original problem is, that if
I run the original function on all pages, the user gets prompted twice
for username/password. This is IMO, because this cookie (for
successful login) is not sent through before the header command.
You can also dump your postvalue and _POST arrays at various points to
make sure they contain what you expect them to contain. That should
get you closer to the point where things start to diverge from what
you think they should do.


They seem to look fine. I'll have a closer look soon.

Jochen
--
Jochen Daum - CANS Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/
Jul 16 '05 #9
A horsie named Jochen Daum demonstrated surprising intelligence and its
ability to use morse code on Sun, 07 Sep 2003 23:35:14 -0500 when it
tapped <o1********************************@4ax.com> with its hoof:
Hi Gary!
Hi Jochen!
[...] everytime there is a post form
(including the login), then the user gets prompted twice for the
password/username. This is IMO, because the cookie with the PHPSESSID is
not sent to the client browser, before the header ("Location" line. I
think it is like that, because
1.) it works fine, if I exclude the login form from the ones handled by
this function
2.) it works with browser denying all cookies.
[...]


Maybe you are not starting the session early enough on one
of your pages.

The session has to exist *before* the login process starts,
so if you have a login.php page that presents a login form to
the user, make sure that it starts the
session with session_start() -- right at the top of the page--
before the user gets to do anything (even log in). And then each
page in the system does the same, starting the session as
the first thing.

Separate the concept of a session from the concept of an
authenticated user. It's possible to have a session where
the user is un-authenticated, and it's possible to have a
session where the user is authenticated.

Jul 16 '05 #10
Hi Gary!
On Mon, 08 Sep 2003 07:30:59 GMT, Gary Petersen
[...] everytime there is a post form
(including the login), then the user gets prompted twice for the
password/username. This is IMO, because the cookie with the PHPSESSID is
not sent to the client browser, before the header ("Location" line. I
think it is like that, because
1.) it works fine, if I exclude the login form from the ones handled by
this function
2.) it works with browser denying all cookies.
[...]
Maybe you are not starting the session early enough on one
of your pages.

The session has to exist *before* the login process starts,
so if you have a login.php page that presents a login form to
the user, make sure that it starts the
session with session_start() -- right at the top of the page--
before the user gets to do anything (even log in). And then each
page in the system does the same, starting the session as
the first thing.


I just checked that. It always happens before anything else happens.
This is because my login class checks a parameter from my session
class, so the latter one has to be instantiated. And session_start is
in the constructor of that class.

Separate the concept of a session from the concept of an
authenticated user. It's possible to have a session where
the user is un-authenticated, and it's possible to have a
session where the user is authenticated.


yep.

Jochen

--
Jochen Daum - CANS Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/
Jul 16 '05 #11
On Mon, 08 Sep 2003 16:40:00 +1200, Jochen Daum wrote:
You say that you do something with cookies -- but there's no cookie
code in what you posted. You can look at the cookie (at the client),
and you can also look at the headers that get exchanged (use something
like Proxomitron) to make sure they do what you want them to do.


When you use PHP sessions, a unique ID is transported to the browser
by a cookie, if the browser accepts it. AFAIK on the first request
there is always a cookie sent, and if it wasn't there and a session
has been started with the SID parameter in the URL none gets sent.

This is the cookie I'm talking about. My original problem is, that if
I run the original function on all pages, the user gets prompted twice
for username/password. This is IMO, because this cookie (for
successful login) is not sent through before the header command.


it is easy enough to verify on a client whether it is actually a
problem with the session cookie.

the one thing that crossed my mind is the connection:close header you
send. i'm not 100% clear on what it does, but it seems to me at least
possible that PHP adds the cookie headers after your script
terminates, and that they may get ignored if coming after this header.
Jul 16 '05 #12
Hi Gerhard!

On Mon, 08 Sep 2003 10:08:38 -0700, Gerhard Fiedler <me@privacy.net>
wrote:
On Mon, 08 Sep 2003 16:40:00 +1200, Jochen Daum wrote:
You say that you do something with cookies -- but there's no cookie
code in what you posted. You can look at the cookie (at the client),
and you can also look at the headers that get exchanged (use something
like Proxomitron) to make sure they do what you want them to do.


When you use PHP sessions, a unique ID is transported to the browser
by a cookie, if the browser accepts it. AFAIK on the first request
there is always a cookie sent, and if it wasn't there and a session
has been started with the SID parameter in the URL none gets sent.

This is the cookie I'm talking about. My original problem is, that if
I run the original function on all pages, the user gets prompted twice
for username/password. This is IMO, because this cookie (for
successful login) is not sent through before the header command.


it is easy enough to verify on a client whether it is actually a
problem with the session cookie.

the one thing that crossed my mind is the connection:close header you
send. i'm not 100% clear on what it does, but it seems to me at least
possible that PHP adds the cookie headers after your script
terminates, and that they may get ignored if coming after this header.


I added that after reading a post on www.php.net/header, which seemed
to match a bit; it's the same problem without.

Jochen

--
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/
Jul 16 '05 #13
On Tue, 09 Sep 2003 07:28:03 +1200, Jochen Daum wrote:
the one thing that crossed my mind is the connection:close header you
send. i'm not 100% clear on what it does, but it seems to me at least
possible that PHP adds the cookie headers after your script
terminates, and that they may get ignored if coming after this header.


I added that after reading a post on www.php.net/header, which seemed
to match a bit; it's the same problem without.


well, then the only thing that comes to my mind is to look at the
headers that you are sending and receiving, with a proxy tool like
proxomitron or so.
Jul 16 '05 #14
Jochen Daum <jo*********@cans.co.nz> wrote in message news:<pn********************************@4ax.com>...
Hi!

I have a function in a lot of pages, which redirects to a new page, if
a form has been submitted:

I believe this is because the cookie does not get sent before the
header ("Location:
Has anyone an idea how to force this or send them by hand?

Cheers, Jochen


Hi,

"Set-Cookie:" and "Location:" HTTP headers don't mix well with most
web browsers. Instead of using "Location:" header, put a "Refresh:"
HTTP header, <meta http-equiv="refresh" content="0, URL=..."/> or a
JavaScript "document.replace.location(...)" to have the web-browser
accept the cookie. Best is probably a mix of all. I usually favor the
JavaScript approach because it keeps the "History" clean of the
intermediate redirection page.

To be sure of what's going on, enable "prompt for cookies" in your
web-browser settings (make sure you delete any previously "Remember my
decision" type of settings.)

I hope this helps.

-Philippe
[ 11abacus.com ]
Jul 16 '05 #15
A horsie named 11abacus demonstrated surprising intelligence and its
ability to use morse code on Tue, 09 Sep 2003 11:05:14 -0500 when it
tapped <1a**************************@posting.google.com > with its hoof:
"Set-Cookie:" and "Location:" HTTP headers don't mix well with most web
browsers [...]


The following script, which uses both setcookie() and
the location header, works with these web browsers:
Lynx, Firebird, Mozilla, Galeon, Konqueror, wget.

wget doesn't seem to like cookies that have square
brackets [] in them, but it did accept and use
the 'captain' cookie.

<?php
// PHP 4.0.5
error_reporting(E_ALL);

$g = & $HTTP_GET_VARS;
$c = & $HTTP_COOKIE_VARS;
$s = & $HTTP_SERVER_VARS;
$ttl = time() + 86400;

header('Cache-control: no-cache');
header('Pragma: no-cache');

if (!isset($g['show'])):
    setcookie('user[cindy]', '8', $ttl, '/');
    setcookie('user[mark]', '4', $ttl, '/');
    setcookie('user[jarmain]', 41, $ttl, '/');
    setcookie('captain', 'mark', $ttl, '/');
    header("Location: http://$s[HTTP_HOST]$s[PHP_SELF]?show=1");
    exit();
else:
?>
<title> A Cookie Test </title>
<p> This page sets and displays some cookies.
</p>
<?php
    echo "<pre>\n";
    print_r($c);
    echo "</pre>\n";
endif;
?>

I don't have access to MSIE; perhaps someone can test
with that one.

Jul 16 '05 #16
Hi !

On Wed, 10 Sep 2003 05:19:58 GMT, Gary Petersen
<ga*******@remove.meearthlink.invalid> wrote:
A horsie named 11abacus demonstrated surprising intelligence and its
ability to use morse code on Tue, 09 Sep 2003 11:05:14 -0500 when it
tapped <1a**************************@posting.google.com > with its hoof:
"Set-Cookie:" and "Location:" HTTP headers don't mix well with most web
browsers [...]
The following script, which uses both setcookie() and
the location header, works with these web browsers:
Lynx, Firebird, Mozilla, Galeon, Konqueror, wget.

wget doesn't seem to like cookies that have square
brackets [] in them, but it did accept and use
the 'captain' cookie.


So I just have to find out how to set the PHPSESSID cookie, ey?
Shouldn't be too hard.

Thanks for the help.

Jochen

<?php
// PHP 4.0.5
error_reporting(E_ALL);

$g = & $HTTP_GET_VARS;
$c = & $HTTP_COOKIE_VARS;
$s = & $HTTP_SERVER_VARS;
$ttl = time() + 86400;

header('Cache-control: no-cache');
header('Pragma: no-cache');

if (!isset($g['show'])):
setcookie('user[cindy]', '8', $ttl, '/');
setcookie('user[mark]', '4', $ttl, '/');
setcookie('user[jarmain]', 41, $ttl, '/');
setcookie('captain', 'mark', $ttl, '/');
header("Location: http://$s[HTTP_HOST]$s[PHP_SELF]?show=1");
exit();
else:
?>
<title> A Cookie Test </title>
<p> This page sets and displays some cookies.
</p>
<?php
echo "<pre>\n";
print_r($c);
echo "</pre>\n";
endif;
?>

I don't have access to MSIE; perhaps someone can test
with that one.


--
Jochen Daum - CANS Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/
Jul 16 '05 #17
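
The redirect-after-POST helper discussed in this thread, as an added example that is not part of any post above. It follows two points raised in the replies: the password does not need to be stored in the session, and the outgoing headers should be checked to confirm that the session cookie travels with the redirect. The function names, the field names in SENSITIVE_FIELDS and the path /filters.php are assumptions for illustration.

```php
<?php
// Added example: not code from the thread. Field names in SENSITIVE_FIELDS
// and the URL passed to post_redirect_get() are assumptions.
declare(strict_types=1);

const SENSITIVE_FIELDS = ['password', 'passwd', 'pass'];

// Drop credential fields so they are never written to the session store.
function stash_safe_post(array $post, array $sensitive = SENSITIVE_FIELDS): array
{
    return array_diff_key($post, array_flip($sensitive));
}

// Names (not values) of the headers PHP has queued, so the check can be
// logged without leaking the session ID carried in Set-Cookie.
function queued_header_names(): array
{
    $names = [];
    foreach (headers_list() as $line) {
        $names[] = strtolower(trim(explode(':', $line, 2)[0]));
    }
    return $names;
}

// Post/Redirect/Get: a POST is stashed and answered with a redirect to a
// server-built URL; the following GET gets the stashed fields back.
function post_redirect_get(string $selfUrl): array
{
    if (headers_sent($file, $line)) {
        // Output has started, so neither Set-Cookie nor Location can be added.
        throw new RuntimeException("headers already sent at $file:$line");
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // queues Set-Cookie when the client had no session
    }

    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
        // Any login check belongs here, during the POST, while the password
        // is still in $_POST; on success call session_regenerate_id(true).
        $_SESSION['postvalue'] = stash_safe_post($_POST);
        session_write_close(); // persist before the browser follows the redirect
        header('Location: ' . $selfUrl, true, 303); // 303: re-request with GET
        if (empty($_COOKIE[session_name()])
            && !in_array('set-cookie', queued_header_names(), true)) {
            error_log('PRG redirect leaves without a session cookie');
        }
        exit;
    }
    return $_SESSION['postvalue'] ?? [];
}

// $selfUrl must be built by the server, never taken from request input.
$form = post_redirect_get('/filters.php'); // hypothetical page path
```

The log line fires only when the client sent no session cookie and none is queued on the redirect, which is the condition the thread was trying to confirm by inspecting headers through a proxy.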
