Really annoying problem I can’t solve/can only partially solve. Nice juicy one for you pros.
I’ve got a basic login system set up. Like this:
Login.php:
- line 1: session_start();
- Check if($_SESSION['logged_in'] == true) header("Location: /controls.php");, in case they’ve already entered their details.
- If they haven’t entered them yet, user enters credentials, if valid: $_SESSION['logged_in'] = true;
- After database credentials are checked and session is set to true, redirect using PHP header("Location: /controls.php");
Bear in mind, the session is now set.
Controls.php
- line 1: session_start();
- line 2: if($_SESSION['logged_in'] != true) {header("Location: /index.php");}
Instantly I get taken to index.php ONLY IN CHROME AND FIREFOX.
Also, I have accounttools.php, where the session is again required. Once I try to access accounttools.php, the session is destroyed/unset and any attempt to load accounttools.php results in the header redirect to my /index.php page, again ONLY IN FIREFOX AND CHROME.
I’ve also got to add in something. If I go back to login.php and re-login, everything works fine and the session gets set properly. Is this a browser-based bug? PHP is executed before any data gets sent to the browser, so how on earth can these browsers act differently if the PHP has already been executed by the time anything reaches the user?
Login file:
```php
// Login.php
<?php session_start();
if($_SESSION['logged_in'] == true)
{
    header("Location: /controls.php");
    exit();
}
if($_POST['username_login'] && $_POST['password_login'])
{
    // Do necessary database work to check credentials (edited out here).
    // ...
    // Check re-hashed pass against database hash (password checking)
    if($make_password == $current_user[0]['password'])
    {
        // If this is OK login is a success.
        $_SESSION['logged_in'] = true;
        header("Location: /controls.php");
        exit();
    }
}
?>
```
Controls file:
```php
// controls.php
// This page instantly redirects to index.php
<?php session_start();
// Go to homepage if logging out.
if($_POST['logging_out'])
{
    unset($_SESSION['logged_in']);
    header("Location: /index.php");
    exit();
}
// No access unless logged in.
// This session seems to no longer exist at this point. Why??
if($_SESSION['logged_in'] != true)
{
    header("Location: /index.php");
    exit();
}
?>
```
Edit: I’ve discovered something else: If I login and manually enter the URL of the $_SESSION-restricted page, the $_SESSION is not destroyed.
There is some part of the header() redirect that is causing the $_SESSION to become unset/destroyed in Google and Mozilla.
I’ve also been Googling like crazy and apparently this is a common problem amongst PHP coders. Someone must have a clue what this is?
I see a problem with the way you are redirecting after a successful login: It is a JavaScript redirect so it will only happen after all the PHP has finished executing and the result has been sent to the browser. That means that code after your redirect is executed as well.
I would recommend not outputting anything to the browser until the very end and use the:
combination everywhere where you want to redirect so that you are sure that nothing happens to your session after the redirect code.
To avoid getting headers already sent problems, I would also recommend getting rid of stuff like:
like on the first lines of login.php.
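One way to centralise redirects so that no code runs after them and no output precedes them, as an added example that is not part of the original thread. The helper names `redirect()`, `login_success()` and `require_login()` are hypothetical, the stored hash is a constructed stand-in for the database row, and `password_verify()` is swapped in for the poster's own hash comparison; the example also goes beyond the thread by regenerating the session ID at login.

```php
<?php
// Added example, not the poster's code. Nothing precedes the opening tag above:
// any byte sent before header() triggers "headers already sent".
declare(strict_types=1);

// Redirect and stop. Assumption: $path is a fixed local path, never user input.
function redirect(string $path): void
{
    if (headers_sent($file, $line)) {
        // Output has started, so the Location header can no longer be emitted.
        throw new RuntimeException("Output started at $file:$line");
    }
    session_write_close();        // persist session data before the browser follows the redirect
    header('Location: ' . $path, true, 303);
    exit;                         // no code after the redirect may touch the session
}

// Mark the session as authenticated once credentials have been verified.
function login_success(): void
{
    session_regenerate_id(true);  // fresh session ID at the privilege change
    $_SESSION['logged_in'] = true;
    redirect('/controls.php');
}

// Guard for restricted pages such as controls.php or accounttools.php.
function require_login(): void
{
    if (($_SESSION['logged_in'] ?? false) !== true) {
        redirect('/index.php');
    }
}

session_start();

// Constructed stand-in for the hash a real page would load from its database.
$storedHash = password_hash('constructed-sample-password', PASSWORD_DEFAULT);

$password = $_POST['password_login'] ?? '';
if (is_string($password) && $password !== '' && password_verify($password, $storedHash)) {
    login_success();
}
```

On a restricted page the whole preamble reduces to `session_start(); require_login();` as the first statements after the opening tag.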