missing session variables problem


I'm having what is probably a session problem that I hope someone can
shed some light on. I've seen similar problems noted via Google
search, but no good solutions yet, alas.

I designed a system that has been in use for about two years, with
hundreds of users across the US. One poor woman (who is, of course, a
manager) can no longer use the system, although it used to work for
her. When she logs on, she is immediately redirected to my restricted
access page, which takes some explanation.

The index.php page accepts login and password info, and fetches
password and clearance information from the database for the specified
user. If the login fails, the user gets redirected to a login failed
page (not the problem). If the login succeeds, the username and
clearance level (there are about ten of these that govern access rights)
are stored in session variables and the user is redirected to
main.php, the main switchboard for the application.

Like all other web pages "inside" the application, main.php validates
that there is an active session, and that the clearance level is
appropriate to the page. If not, only then does the user get
redirected to the restricted access page. This serves several
purposes, notably that no one can jump into the middle of the web
application and start doing things without logging in first. And the
clearance level affects the options available to the user on many
pages, so we always need to know what it is for the logged in user.

For this woman, she gets restricted access immediately. So she has
logged in successfully, or she would simply have gone to the login
failed page. Since the access check happens at the top of every page,
this strongly suggests that the session superglobal has been somehow
"blown away" in the time (less than a second) that it took her to be

I can log in as her with no problem. My co-workers can log in as her
with no problem. It's just her. She can't do it, and is getting rather
annoyed at us as a result. She is running the antiquated IE 6, but I
have a copy of that around and it works fine for me. There's no
JavaScript involved, so it can't be that she has that disabled. It's
all server-side code, and it runs fine for everyone else. Or me if I
am pretending to be her.

I did find one report where some poor guy had 400 users, and two of
them had a very similar problem. So I'm doing twice as well. But this
does not help poor Ms. Murphy.

Suggestions, please? Could it be something else, other than the
session variables (hard to believe)? Why only one person out of

Re: missing session variables problem

calast wrote:
[quoted text omitted]

Did you try logging in under different names from HER computer?  Not a
copy of IE6 - but her system.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.

Re: missing session variables problem


And, conversely, did you try having her log in on someone else's machine WHILE
YOU WATCH? You might spot something that she's doing that she shouldn't.

Stranger things have happened; there's a story on the Computer Stupidities
page (http://rinkworks.com/stupid/cs_printers.shtml , about two screens down)
of a user complaining that the bottom half of everything she printed on her
laser printer was blurred -- seems she was pulling the paper out of the
machine before it finished printing...

Re: missing session variables problem

 spambait@milmac.com (Doug Miller) wrote:

[quoted text omitted]

Hmm. That's how the oul' Woman treats coffee and then asks "do you have
to make it so strong?"
Very old woody beets will never cook tender.
  -- Fannie Farmer

Re: missing session variables problem


If the user's browser isn't dealing with the session cookie properly,
and assuming you're not putting the session in the URL
(session.use_trans_sid, which is in some situations a security
risk), the session variables won't show up.

A session problem is often a cookie problem, and may be related
to security settings on the user's browser.

Problems include outright browser bugs, cookies operating across
different domains, and settings that filter cookies.


At this point, you should dump out the contents of $_SESSION[] to
see if it's completely empty, and then check if the session cookie
is there ($_COOKIE['PHPSESSID'], or whatever cookie is used on your

Note that PHP will probably hand out a session to any browser that
connects, so if the session cookie gets lost, it will have another
(different) session generated for it.  This is a good thing, but
you should never depend on "whether a session exists".  Depend on
"whether a session exists with $_SESSION['logged_in'] = true"


So when this woman is redirected to main.php, *DOES* she have a
session, with variables in it?  (My guess is NO).

Perhaps you should log specially the situation where someone lands
on main.php, and has *NO* session variables (heavy use of isset()
is likely here), as distinguished from landing on main.php (or other
pages) and has variables indicating insufficient privileges.


No cookie, no session variables.

$_SESSION[] isn't *blown away*, it's never set up after the page
load (due to the redirection).  The session cookie provides, in
effect, a database key to a table containing session data to select
the correct session data.  On my system, I use a session handler,
and the session data is literally in a MySQL table.  The default
session handler uses files in a directory, which still functions
like a database.


Get a list of all the settings she has, and reproduce them on your
browser.  Also reproduce the same patch configuration.


Session cookie.

No cookies, no session variables.

Re: missing session variables problem

On 27/01/2010 4:54, calast wrote:
[quoted text omitted]

It's pretty obvious that she managed to corrupt or misconfigure her
browser. Managers are always installing bloatware in their laptops.

I suppose that reinstalling Windows or upgrading IE is not an option so
some ideas could be:

1. Remove cookies and temporary Internet files
2. Reset all security settings to the default value
3. Check proxy settings
4. Disable suspicious plugins
5. Check name resolution and %WINDIR%\system32\drivers\etc\hosts file
6. Scan for virus and malware

Other than that, you'd probably need to track HTTP traffic from the
manager's computer, check what cookies are being sent and inspect how
session values are being changed.

Last but not least... Does PHP have register_globals set to on?

-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site about web programming: http://borrame.com
-- My satin humor website: http://www.demogracia.com

Re: missing session variables problem

calast wrote:
[quoted text omitted]

Another thought - is it possible she's accessing http://example.com and
you're redirecting to http://www.example.com (or vice versa)?

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
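
An added example, not code from the thread or from the poster's application: a session cookie set without a domain attribute is host-only, so one issued on example.com is not sent back to www.example.com. One way to rule that out is to force a single hostname before the session starts. `CANONICAL_HOST` and the function names are assumptions.

```php
<?php
// Added example. CANONICAL_HOST is an assumed value; use the site's real name.
const CANONICAL_HOST = 'www.example.com';

/** Returns the URL to redirect to, or null if the host is already canonical. */
function canonical_redirect(array $server): ?string
{
    // The Host header is client-supplied: compare it, never copy it into the URL.
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    $host = preg_replace('/:\d+$/', '', $host);   // ignore an explicit port
    if ($host === CANONICAL_HOST) {
        return null;
    }
    $scheme = is_https($server) ? 'https' : 'http';
    $path   = (string) ($server['REQUEST_URI'] ?? '/');
    if ($path === '' || $path[0] !== '/') {
        $path = '/';                               // absolute-form or odd request target
    }
    return $scheme . '://' . CANONICAL_HOST . $path;
}

function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

// Top of index.php, before any session is started.
$target = canonical_redirect($_SERVER);
if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}

// Empty domain = host-only cookie, so it is tied to CANONICAL_HOST alone.
session_set_cookie_params(0, '/', '', is_https($_SERVER), true);
session_start();
```

Serve the login form from the canonical host as well, so the redirect happens on the GET for the form and not on the login POST.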

Re: missing session variables problem


It sounds like her browser is not accepting/forwarding the session

You could embed some code in the restricted access page to try to
report back to the user on any cookies presented, the IP address and
server time. Also change your webserver logs to record the cookie
presented (if any), e.g.

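# PHPSESSID is PHP's default session cookie name; use your session_name() if it differs
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{PHPSESSID}C\""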

Then get your customer to send you a screenshot.
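
An added example, not code from the thread or from the poster's application: it combines the two suggestions above, separating "no session cookie came back" from "logged in but not cleared for this page", and recording the cookies presented, the client IP and the server time. The session keys `username` and `clearance`, the ordering of clearance levels, the required level `1` and the page name `restricted.php` are assumptions.

```php
<?php
// Added example. Assumptions: PHP 7+, session keys 'username' and
// 'clearance', a higher clearance number meaning more access, restricted.php.

function classify_access(array $cookies, array $session, string $name, int $required): string
{
    if (!isset($cookies[$name])) {
        return 'no_cookie';              // browser did not send the session cookie
    }
    if (!isset($session['username'], $session['clearance'])) {
        return 'empty_session';          // cookie sent, but no login data behind it
    }
    if ((int) $session['clearance'] < $required) {
        return 'insufficient_clearance'; // logged in, wrong level for this page
    }
    return 'ok';
}

function diagnostic_line(string $reason, array $cookies, array $server, string $name): string
{
    // Record a short hash of the session id, never the id itself, so the
    // log cannot be used to replay a live session.
    $sid = isset($cookies[$name])
        ? substr(hash('sha256', (string) $cookies[$name]), 0, 12)
        : '-';
    $line = sprintf(
        '%s access=%s ip=%s host=%s sid_hash=%s cookies=[%s]',
        gmdate('c'),
        $reason,
        $server['REMOTE_ADDR'] ?? '-',
        $server['HTTP_HOST'] ?? '-',
        $sid,
        implode(',', array_keys($cookies)) // cookie names only, no values
    );
    // Host header and cookie names are client-supplied: keep the log one line.
    return preg_replace('/[^\x20-\x7e]/', '?', $line) ?? '';
}

// Top of main.php or any other protected page.
session_start();
$reason = classify_access($_COOKIE, $_SESSION, session_name(), 1);
if ($reason !== 'ok') {
    error_log(diagnostic_line($reason, $_COOKIE, $_SERVER, session_name()));
    header('Location: restricted.php?why=' . urlencode($reason));
    exit;
}
```

A `no_cookie` entry logged right after a successful login from the same IP points at the browser or something in front of it dropping the cookie, not at the clearance check.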



Re: missing session variables problem


The most obvious question, then, is what's changed on her machine to
make it stop working for her? Did she install some anti-virus, toolbar,
or other such extension that's interfering with the session cookie? Did
her machine catch a virus?


Re: missing session variables problem

So, first off, thanks for all the suggestions. I will try a few things
and see what feedback I can get.

I did mention that users are all across the US. In truth, I have no
idea what state this woman is in (geographically speaking; I know her
emotional state, and it isn't good). So access to her is a bit
difficult; I can't go log in to her computer, since it might be 3,000
miles away. Nor can I watch what she is doing. A further complication
is that she isn't my customer. I designed this system for a company so
that they could provide online appointment scheduling, and her
employer is their customer. If I need information, I have to use an
employee as a "proxy server", which actually works pretty well, but
means I can't ask her questions directly.

I have already asked what Gordon Burditt suggested, even providing a
web page she can go to that will dump the session to the screen once
she is logged on (and redirected). So far, I have not received a
response from her as to what she sees on-screen when she does this,
although it would be helpful. And no, I don't really just check to see
if a session exists, I look for something more specific.

So I need to take another look at how the session cookies work (it's
been two years since I looked at this part of the system) and do some
logging here.
