I think CFMaBiSmAd is right ... If a browser for some reason does not support session cookies and the session trans-sid feature is off (which is considered not safe and is off by default in all recent PHP releases), then a browser with session cookies turned off would not work with sessions. Just in case: using cookies only for a session or enabling trans-sid (transferring the session ID via the URL, which is considered not safe) is controlled by the following options in php.ini:
I do not go into detail here about why turning the session trans-sid feature on is considered not safe ... It would probably be slightly off-topic. Still, I would of course provide the explanation if you asked me ... I would be glad to answer any questions about sessions that I can ...
In your case I would give the following notes, which I think could be tried by you ...
1. You are using
for redirects. Please notice that while relative URLs have been considered fine in HTTP 1.0, HTTP 1.1 requires the use of absolute URLs in redirects as far as I know. I would advise using absolute, not relative, URLs in your Location headers.
2. Please use the function session_write_close()
right before sending your Location header. Without it, session data is sometimes lost on redirect.
3. This would not affect the functionality greatly, but still I would recommend exiting the script after the redirect. Headers like Location are generally a recommendation for the browser to redirect. If you do not exit your script, the page content is normally sent to the web client (in our case the browser) anyway. Generally the user does not see this, but in some particular cases it could be abused by a hacker ...
Generally all 3 above look like this:
... This is slightly off-topic, but still: I do not see anywhere in your script that you redirect after a successful login ... Still, after a successful login (once you have finished debugging the script) I would generally recommend using session_regenerate_id()
as protection against Session Fixation attacks. Please ask more questions if you consider this particular comment unclear - I do not go into detail here now since session_regenerate_id() in particular
would not affect the situation with IE - this is only a general security note.
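A minimal login handler that puts the four points above together (absolute Location URL, session_write_close() before the header, exit after it, and session_regenerate_id() on successful login). This is an added example, not code from the poster or the original thread; the site origin https://example.com, the file names login.php and home.php, the form field names and the check_credentials() helper are all hypothetical stand-ins.

```php
<?php
// Added example (not the forum poster's code). Assumptions: the login form
// POSTs `username` and `password`, check_credentials() is a hypothetical
// stand-in for a real user lookup, and the site origin is https://example.com.
declare(strict_types=1);

session_start();

// Hypothetical credential check; replace with your own user store.
function check_credentials(string $user, string $pass): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('s3cret', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Note 1: the Location header carries an absolute URL, never a relative one.
// Note 2: session_write_close() flushes and unlocks the session data before the
//         browser can issue the follow-up request to the target page.
// Note 3: exit so that nothing after the redirect is ever sent to the client.
function redirect_and_exit(string $absoluteUrl): void
{
    session_write_close();
    header('Location: ' . $absoluteUrl, true, 303);
    exit;
}

$base = 'https://example.com'; // hypothetical site origin

$user = (string)($_POST['username'] ?? '');
$pass = (string)($_POST['password'] ?? '');

if (!check_credentials($user, $pass)) {
    $_SESSION['error'] = 'Invalid username or password';
    redirect_and_exit($base . '/login.php');
}

// Successful login: issue a fresh session ID and delete the old session file
// (true), so an ID an attacker may have planted before login no longer works.
session_regenerate_id(true);
$_SESSION['user'] = $user;
$_SESSION['logged_in_at'] = time();

redirect_and_exit($base . '/home.php');
```

The 303 status is used so that the browser turns the POST of the login form into a GET of the target page; regenerating the ID only after the credentials check keeps failed attempts from churning session files needlessly.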