1484

Reputation: 63

PHP - Can't add session variable even after session_start

Most of the answers about not adding a session variable have ended in the user finding that the session was not being started.

I'm having an issue where I cannot add a session variable, even after a session_start.

Pertinent code:

login.php

<?php 
    require("../common.php"); 
    if(!empty($_SESSION['user'])) { 
        echo "true";
        header("Location: dashboard.php"); 
        die("Redirecting to dashboard.php"); 
    } 
    $submitted_username = ''; 
    if(!empty($_POST)) { 
        $info = " SELECT id, username, password, salt, email, access FROM users WHERE username = :username "; 
        $params = array( ':username' => $_POST['username'] ); 
        try { 
            $stmt = $db->prepare($info); 
            $result = $stmt->execute($params); 
        } catch(PDOException $ex)  { 
            die("Failed to run query"); 
        } 
        $login_ok = false; 
        $row = $stmt->fetch(); 
        if($row) { 
            $check_password = hash('sha256', $_POST['password'] . $row['salt']); 
            for($round = 0; $round < 65536; $round++)  { 
                $check_password = hash('sha256', $check_password . $row['salt']); 
            }  
            if($check_password === $row['password']) { 
                $login_ok = true; 
            } 
        } 
        if($login_ok) { 
            unset($row['salt']); 
            unset($row['password']); 
            $_SESSION['user'] = $row;
            $_SESSION['access'] = "1";
            header("Location: dashboard.php"); 
            session_write_close();
            die("Redirecting to: dashboard.php"); 
        }  else { 
            echo "<div id=\"loginfail\" class=\"gradwin\">\n";
            echo "  <p class=\"dark1\">LOGIN FAILURE</p>\n";
            echo "</div>\n";
            $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
        } 
    } 
?> 
<div id="loginbox" class="gradwin">
    <p class="darktitle">HITS Login</p> 
    <form action="index.php" method="post" name="formLogin"> 
    <!-- fake fields for Chrome autofill... -->
    <input style="display:none" type="text" name="fakeusername"/>
    <input style="display:none" type="password" name="fakepassword"/>
        <p class="dark1">Username:</p>
        <input type="text" name="username" autocomplete="off"><br>
        <p class="dark1">Password:</p> 
        <input type="password" name="password" autocomplete="off"><br><br>
        <input type="submit" value="Login" name="loginForm"><br><br>
    </form> 
    <a class="dark" href="register.php">Register</a>
</div>

common.php

<?php 

    $username = "MYNAME"; 
    $password = "MYPASS"; 
    $host = "localhost"; 
    $dbname = "MYDB"; 
    $conn = new mysqli($host, $username, $password, $dbname);
    $options = array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8'); 

    try { 
        $db = new PDO("mysql:host={$host};dbname={$dbname};charset=utf8", $username, $password, $options); 
    } catch(PDOException $ex) { 
        die("Failed to connect to the database: " . $ex->getMessage()); 
    } 
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
    $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC); 
    header('Content-Type: text/html; charset=utf-8'); 
    session_start(); 

I am being redirected to the dashboard.php page, so I know there is a session started. The session_start is in the common.php file. I have placed...

echo '<pre>';
var_dump($_SESSION);
echo '</pre>';

...in the dashboard.php file. I can see all the pertinent user data, but not the access data. My array echoes as follows:

array(1) {
  ["user"]=>
  array(3) {
    ["id"]=>
    string(2) "11"
    ["username"]=>
    string(2) "ba"
    ["email"]=>
    string(9) "[email protected]"
  }
}

Upvotes: 1

Views: 2596

Answers (5)

1484

Reputation: 63

Stupid error!!!

I had two versions of my login.php file on the server. One was called inc_login.php, which I was modifying. The index.php was looking at the other. Once I got that straightened out, things worked perfectly.

Anyone else having an impossible issue, please note: you are probably doing something dumb like me.

Upvotes: 1

Sizejaul

Reputation: 93

Your code over here:

if(!empty($_SESSION['user'])) {
    $_SESSION['access'] = "1";
    header("Location: dashboard.php"); 
    die("Redirecting to dashboard.php"); 
} 

I think the error lies in the if statement which runs the code within the curly brackets. You've set the code to run only if the session variable 'user' is not empty, which is perfectly fine. However, you've never set a variable for it, so the code never sets the session variable 'access' to store the input 1; hence the array is dumping empty session variables.

Try this:

<?php 
require("../common.php"); 


    if(empty($_SESSION['user'])) {
        $_SESSION['access'] = "1";
        header("Location: dashboard.php"); 
        die("Redirecting to dashboard.php"); 
    } 

Upvotes: 0

John Conde

Reputation: 219804

You're sending out headers before calling session_start(). session_start() must go before any headers are sent:

header('Content-Type: text/html; charset=utf-8'); 
session_start(); 

should be

session_start(); 
header('Content-Type: text/html; charset=utf-8');

Or, better yet, just move it to the top of the file.

Upvotes: 2

castis

Reputation: 8223

IIRC, calls to die() or exit() will stop the session data from being stored. Other shutdown functions and destructors will be fired, but not session_write_close().

You'll either need to run session_write_close() before die() or rewrite that part to not use die().

A little more info here: https://bugs.php.net/bug.php?id=49462&edit=1

Upvotes: 1

Jeremy

Reputation: 533

Try adding session_write_close() before your redirect / location header. I've noticed that in some cases a redirect can cause the session not to be written properly.

Upvotes: 1
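
Added example, not part of the question or any answer above: a diagnostic that records which script and included files actually ran (the cause in the self-answer), whether the session is active and whether headers were already sent, plus a login-success path that regenerates the session ID and writes the session before redirecting. The function names session_diagnostics() and complete_login() are hypothetical; the 'user' and 'access' keys and dashboard.php come from the question.

```php
<?php
// Added example; session_diagnostics() and complete_login() are hypothetical names.

/** Collect the facts the answers argue about, for the script that is really executing. */
function session_diagnostics(): array
{
    $sentFile = '';
    $sentLine = 0;
    $sent = headers_sent($sentFile, $sentLine);

    return [
        'entry_script'   => $_SERVER['SCRIPT_FILENAME'] ?? '(unknown)',
        'included_files' => get_included_files(),  // exposes a login.php / inc_login.php mix-up
        'session_active' => session_status() === PHP_SESSION_ACTIVE,
        'headers_sent'   => $sent ? "$sentFile:$sentLine" : false,
        // Keys only: session values may hold personal data and do not belong in logs.
        'session_keys'   => isset($_SESSION) ? array_keys($_SESSION) : [],
    ];
}

/** Store the login state, flush it to the session store, then redirect. */
function complete_login(array $userRow, string $target): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh session ID at login so an ID handed out before
    // authentication cannot be reused afterwards (session fixation).
    session_regenerate_id(true);

    unset($userRow['password'], $userRow['salt']);
    $_SESSION['user']   = $userRow;
    $_SESSION['access'] = '1';

    error_log('login state: ' . json_encode(session_diagnostics()));

    session_write_close();           // persist before leaving the script
    header('Location: ' . $target);  // $target must be a fixed, server-chosen path
    exit;
}

// Quick check from the command line: php this_file.php
if (PHP_SAPI === 'cli') {
    print_r(session_diagnostics());
}
```

In login.php the success branch would call complete_login($row, 'dashboard.php'); if 'entry_script' or 'included_files' in the log does not name the file being edited, the change is going into the wrong copy.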
