I hope someone can help me figure out what's going on here. I've
re-read the section on sessions at php.net and Googled this high and
low but I haven't found anything that quite explains my problem.

The basic problem: session data (e.g. $_SESSION['access_level']) gets
dropped after the visitor logs in and reloads the page via a form once or
twice (it seems to vary), requiring the visitor to re-login, whereupon
the problem repeats itself.

An outline of my login script:

1. A function protect_page at the beginning of the protected page's
   script checks to see if the visitor is logged in by checking two
   session values ($_SESSION['access_level'] and $_SESSION['login_time']).
2. If logged in with sufficient access and session not too old, show
   page. If not, require_once an include file that displays a login form
   (everything's buffered, so it's not a header problem).
3. Post login form, check credentials; if ok, display protected page.

I have a log that tracks the behavior but it's a bit too long to
include here. One peculiarity I've noted is that after logging in,
when I post the form on the protected page, it appears to successfully
load the page once with the session data. But then it reloads the page
a second time (according to the log) and the session data is lost --
thus logging me out! There's nothing in the script that should trigger
the page to be reloaded. I use session_regenerate_id to avoid session
fixation. Could this be a factor?

Another complication: this problem occurs on two development servers
(one running XAMPP on Linux, the other WAMP). But on a third running
WAMP, it doesn't happen and everything runs as designed.

Finally, I took note of the following posts describing similar problems
with session data being lost:

Initialize crucial SESSION data
(http://us2.php.net/manual/en/functio...lose.php#63970)
Use session_write_close after assigning crucial SESSION data
(http://us2.php.net/manual/en/ref.session.php#62486)
Turn off ZoneAlarm (http://forum.sydphp.org/index.php?a=topic&t=255#p7)

However, the suggestions offered (e.g. using session_write_close()
liberally, turning off ZA) did not solve my problem. And my php.ini
file appears to be in order.

I hope this is clear and detailed enough. Does anyone recognize it?
Any help is appreciated.

Tom
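
The login flow outlined in the post above, as an added example that is not the poster's code: a `protect_page` that checks the two session values, regenerates the session ID once at login instead of on every request, and logs a fingerprint of the session ID per request so an unexpected second request shows up in the log. `MAX_AGE`, `REQUIRED_LEVEL`, `check_credentials`, `log_request`, the form field names and `login_form.php` are assumptions.

```php
<?php
// Added example; every name below is hypothetical, not from the original post.
const MAX_AGE = 1800;       // assumed session lifetime in seconds
const REQUIRED_LEVEL = 2;   // assumed minimum access level for the page

// Constructed stand-in for a real credential store: returns an access level, 0 on failure.
function check_credentials(string $user, string $pass): int
{
    $hash = password_hash('example-password', PASSWORD_DEFAULT); // constructed sample
    return ($user === 'tom' && password_verify($pass, $hash)) ? 2 : 0;
}

// One log line per request. Only a hash prefix of the session ID is written,
// so the log shows when the ID changes without exposing a usable ID.
function log_request(string $event): void
{
    error_log(sprintf('%s %s %s sid=%s level=%s', $event,
        $_SERVER['REQUEST_METHOD'] ?? '-', $_SERVER['REQUEST_URI'] ?? '-',
        substr(hash('sha256', session_id()), 0, 12),
        $_SESSION['access_level'] ?? 'none'));
}

function protect_page(): void
{
    session_start();
    log_request('start');

    $level = $_SESSION['access_level'] ?? 0;
    $age   = time() - ($_SESSION['login_time'] ?? 0);
    if ($level >= REQUIRED_LEVEL && $age <= MAX_AGE) {
        return;                                  // step 2: logged in, show the page
    }

    $user = $_POST['user'] ?? null;
    $pass = $_POST['pass'] ?? null;
    if (is_string($user) && is_string($pass)
        && ($level = check_credentials($user, $pass)) >= REQUIRED_LEVEL) {
        // Regenerate once, at the privilege change, to prevent fixation.
        // Doing it on every request with delete_old_session=true can invalidate
        // the ID that a second, overlapping request is still carrying.
        session_regenerate_id(true);
        $_SESSION['access_level'] = $level;
        $_SESSION['login_time']   = time();
        log_request('login');
        return;                                  // step 3: credentials ok
    }

    require_once 'login_form.php';               // assumed include with the login form
    exit;
}
```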