I have been fighting with this problem all day. I have read numerous SO and forum posts where so many others had this same problem, and the posts spanned years.
My problem was part of a back end system I wrote to allow very basic alterations to database data, New entries could be added, updated or deleted. Pretty standard issue stuff. For simplicity, each function, insert, update, delete and an overall view of the database contents were on separate pages (insert.php, update.php, depete.php).
When adding a new entry, editing or deleting an existing entry, a redirect followed that would take the user back to the view,php page to show the updated data list. Problem is, the redirect wasn't working. The session variable was somehow discarded during the redirect which, due to my code, tossed the user back to the login page.
Here was my code:
if ($done || !isset($_GET['client_id'])) {
header('Location: http://website.com/admin/view.php');
exit;
}
Many thanks to all of you! It checked to make sure the updated data was posted and if all was well, redirected to view.php.
But it wouldn't, and yes, my pages all started with the necessary <?php session_start(); ?>
. So after hours of scouring the web, I came across a nine-year old entry in the PHP manual that I felt was worthy of sharing:
http://www.php.net/manual/en/ref.session.php#37555
In it, the poster mentions, "Be aware of the fact that absolute URLs are NOT automatically rewritten to contain the SID. "
He suggested, "Skipping the 'http:' did the job." so I removed it from my code as such:
if ($done || !isset($_GET['client_id'])) {
header('Location: view.php');
exit;
}
And it WORKED. This topic has been a headbanger for many of us and I wanted to share it for what it's worth.
HOWEVER, I also do have a question, and that is, what would the proper procedure be to allow an absolute URL to be written that did contain the SID?