Multi step form using PHP and sessions

Question

I have an administration form which consists of multiple steps, with the possibility to go back and forth. I decided to use sessions because if someone goes back and forth I don't have to worry about sending all the variables, because they are saved in the session.

In the first step, I delete the session if any is available. I do this, because if someone has signed up before and wants to sign up again for somebody else, then all the previous input would be present in the input boxes. So this is the starting page step1.php:

<?php isset($_SESSION))session_destroy(); ?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
       "http://www.w3.org/TR/html4/strict.dtd">
<html>
    <head> ... </head>
    <body>
    <form  action='step2.php' enctype="multipart/form-data" method='post'> 
    ...
    </form>
    </body>
</html>    

Then, I save all input in the $_SESSION array in step2.php:

<?php 
    $_SESSION['var1']=$_POST['var1']
    $_SESSION['var2']=$_POST['var2']   
    ...
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
       "http://www.w3.org/TR/html4/strict.dtd">
<html>
    <head> ... </head>
    <body>
    <form  action='step3.php' enctype="multipart/form-data" method='post'> 
    ...
    </form>
    </body>
</html>   

The problem is, if someone registers and is on page step2.php and accidentally opens step1.php in a new tab, then all saved variables from step1.php ($_SESSION['var1'],$_SESSION['var2'],..) are lost.

Is there any possibility to prevent that from happening?

Answer 1

This is very simple example of multistep form with session plus reset functionality... not sure how, but maybe gives you some ideas. You can involved JavaScript for validation later.

<?php 
// startup
if ( empty($_POST["f1"]) && empty($_POST["f2"]) && empty($_POST["f3"]) && empty($_SESSION["mode"]) ) {
    $mode = 1;
    $_SESSION["mode"] = 1;
}

// reset
if ( !empty($_POST["reset"]) ) {
    $mode = 1;
    $_SESSION["mode"] = 1;
}

// section A
if ( $_SESSION["mode"] == 1 ){
    if ( !empty($_POST["f1"]) ) {
        $mode = 2; // switch to next
        $_SESSION["mode"] = 2;
    }else{
        $mode = 1; // stay current step
    }
}
// section B
if ( $_SESSION["mode"] == 2 ){
    if ( !empty($_POST["f2"]) ) {
        $mode = 3;// switch to next
        $_SESSION["mode"] = 3;
    }else{
        $mode = 2; // stay current step
    }
}
// section C - last part
if ( $_SESSION["mode"] == 3 ){
        $mode = 3;// stay current step
}

?>  

<form action="" method="post">
<?php if( $mode == 1 )  { ?> A: <input type="text" name="f1"><br> <?php } ?>        
<?php if( $mode == 2 )  { ?> B: <input type="text" name="f2"><br> <?php } ?>        
<?php if( $mode == 3 )  { ?> C: <input type="text" name="f3"><br> <?php } ?>    
<br><br>
<input type="submit">
<input name="reset" type="submit" value="Reset">
</form>

Answer 2

Create a session variable which is no longer present after the form in step2.php has been submitted. Then check for presence of this variable before deleting the session in step1.php.

For example:

IN STEP 1:

if (!isset($_SESSION["do_not_destroy"]) session_destroy();
$_SESSION["do_not_destroy"] = 1;

IN STEP 3:

unset($_SESSION["do_not_destroy"]);

Answer 3

Always POST to the same URL and execute different branches of code, depending on the fields you've received.