Tags: php, session, http-redirect, session-cookies, shared-hosting

PHP session lost after redirect


How do I resolve the problem of losing a session after a redirect in PHP?

Recently, I encountered the very common problem of losing the session after a redirect. And after searching through this website I can still find no solution (although this came the closest).


Solution

  • First, carry out these usual checks:

    1. Make sure session_start(); is called before any sessions are being called. So a safe bet would be to put it at the beginning of your page, immediately after the opening <?php declaration before anything else. Also ensure there are no whitespaces/tabs before the opening <?php declaration.
    2. After the header redirect, end the current script using exit(); (Others have also suggested session_write_close(); and session_regenerate_id(true); you can try those as well, but I'd use exit();.)
    3. Make sure cookies are enabled in the browser you are using to test it on.
    4. Make sure you didn't delete or empty the session.
    5. Make sure the key in your $_SESSION superglobal array is not overwritten anywhere.
    6. Make sure you redirect to the same domain. So redirecting from a www.yourdomain.com to yourdomain.com doesn't carry the session forward.
    7. Make sure your file extension is .php (it happens!)
    8. Check PHP errors. It is possible that a session doesn't start due to some error.
    9. Open Developer tools in your browser, tick "Preserve log" and then request your file that starts a session. Check the PHPSESSID cookie value that is returned by the server, and the one sent by the browser when requesting another file. In case they differ, it's a problem with cookies. In case they are the same, it's a problem with session storage.
    10. Check the SameSite attribute on your cookie. Setting it to 'Strict' can sometimes prevent the session cookie from getting sent when the visitor returns from a third party site (for instance, during a SAML-based login process). If your SameSite value is set to 'Strict', try setting it to 'Lax' and see if that helps.

    Now, these are the most common mistakes, but if they didn't do the trick, the problem is most likely to do with your hosting company. If everything works on localhost but not on your remote/testing server, then this is most likely the culprit. So check the knowledge base of your hosting provider (also try their forums etc). For companies like FatCow and iPage, they require you to specify session_save_path. So like this:

    session_save_path('"your home directory path"/cgi-bin/tmp');
    session_start();
    

    Replace "your home directory path" with your actual home directory path. This is usually within your control panel (or equivalent), but you can also create a test.php file on your root directory and type:

    <?php echo $_SERVER['SCRIPT_FILENAME']; ?>
    

    The bit before 'test.php' is your home directory path. And of course, make sure that the folder actually exists within your root directory. (Some programs do not upload empty folders when synchronizing)
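
The checks above combined into one session bootstrap and redirect helper, as an added example that is not part of the original answer. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params); SESSION_DIR, start_session_checked() and redirect_same_host() are hypothetical names, and the path is a placeholder for your own home directory path.

```php
<?php
// Added example. SESSION_DIR is a placeholder; use the path from your hosting account.
declare(strict_types=1);

const SESSION_DIR = '/home/example-user/cgi-bin/tmp';

function start_session_checked(): void
{
    // Check 1: any output before session_start() stops the cookie header being sent.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line");
    }
    // Hosting check: the save path must exist and be writable by PHP.
    // On shared hosting it should not be readable by other accounts.
    if (!is_dir(SESSION_DIR) || !is_writable(SESSION_DIR)) {
        throw new RuntimeException('Session save path missing or not writable: ' . SESSION_DIR);
    }
    session_save_path(SESSION_DIR);

    // Check 10: 'Lax' still sends the cookie on top-level navigations from other sites.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    if (session_status() !== PHP_SESSION_ACTIVE && !session_start()) {
        throw new RuntimeException('session_start() failed');
    }
}

function redirect_same_host(string $path): void
{
    // Check 6: accept only a local path, so the browser stays on the host that owns the cookie.
    if ($path === '' || $path[0] !== '/' || strncmp($path, '//', 2) === 0
        || strpos($path, '\\') !== false) {
        throw new InvalidArgumentException('Redirect target must be a local path');
    }
    session_write_close();                   // flush session data to storage first
    header('Location: ' . $path, true, 302);
    exit;                                    // Check 2: stop the script after the redirect
}

start_session_checked();
$_SESSION['user'] = 'demo';                  // constructed sample value
redirect_same_host('/dashboard.php');        // hypothetical target page
```

If the session is still lost with this in place, the exception messages and the PHPSESSID comparison from check 9 show whether the cookie or the session storage is at fault.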