I have a login form located at ?action=panel that is showing an 'interesting' behaviour:
I use a function called performLogin to check against the DB; I left most of the code out for readability.
    function performLogin()
    {
        // check for valid login and such
        if ( valid ) // fake metacode
        {
            $_SESSION['user_id'] = $user_id;
            header("Location: ?action=panel");
            exit();
        }
    }
If I call this function directly, it will check, update session and redirect just fine WITH a working session.
Now sometimes I must convert users from an old format which works with:
    function convert()
    {
        // do some DB stuff
        if ( converted ) // fake metacode
        {
            performLogin();
        }
    }
This is when stuff breaks. I can insert a breakpoint before the redirect and the _SESSION will be as it should be; after allowing the redirect, it will be gone. Remember, calling performLogin directly always works.
One of the first things executed in index.php:
    session_name("project_session");
    session_start();
But it's getting even better:
Changing the redirect to anything different than "?action=panel" (with or without the domain in front) will work just fine. Also, if I comment the redirect out and manually go to ?action=panel, it works.
Things I tried so far:
-redirect with and without domain/URL before redirect: (one or more of them)
-sleep(2);
-session_write_close();
-session_regenerate_id(true);