I am making a simple oauth site.
In index.php:
<?php
session_start();
if (empty($_SESSION['authentication']))
$_SESSION['authentication'] = 'pending';
?>
<html>
<form action="oauth.php" method="post">
<span>
<?php
echo $_SESSION['authentication'];
?>
</span>
<input type="hidden" name="action" value="authenticate">
<input type="submit" value="authenticate">
</form>
</html>
In oauth.php:
<?php
session_start();
if (isset($_POST['action']) and $_POST['action'] == 'authenticate') {
$url = $serverAuth ... ;
header('Location: ' . $url); //google oauth, it will come back to oauth.php
exit();
}
if (isset($_GET['code'])) {
$ch = curl_init($serverToken);
$result = curl_exec($ch);
$tokens = json_decode($result, true);
if (isset($tokens['access_token'])) {
$_SESSION['authentication'] = 'good';
$_SESSION['access_token'] = $tokens['access_token'];
} else {
$_SESSION['authentication'] = 'error';
}
header('Location: ./');
exit();
}
if (isset($_GET['error'])) {
if ($_GET['error'] == 'access_denied')
$_SESSION['authentication'] = 'denied';
else
$_SESSION['authentication'] = 'error';
header('Location: ./');
exit();
}
?>
I want to make the site like: by default, $_SESSION['authentication'] is “pending”; when I refresh the page, every session variables are gone, and $_SESSION['authentication'] reset to default. But I cannot reset $_SESSION at the beginning of index.php, because functions in oauth.php have header() to redirect to this page.
How to deal with it?
You must start the session on every single page that requires access to
$_SESSION. Only destroy it when explicitly requested, e.g. on logout.