I have a login system with a box on every page where you can log in. The post form sends you back to the same page, but a script checks if a user came through any post forms and either logs them in, out, or updates their status.
Anyway, everything worked before setting up my .htaccess file to change URLs like this:
RewriteEngine ON
RewriteRule ^news/?$ index.php?section=news [L]
RewriteRule ^news/([0-9]*)/?$ index.php?section=news&id=$1 [L]

Later I added QSA to every rule: [L,QSA]
As for the URLs, they are working as intended. But the weird thing is that whenever I log in from ANY other page than the index.php (the root page), I always lose my session when I go to another page (when I press the login button and the form sends me back to the same page I'm logged in, but then when I click myself to another page on the site the session seems to die!).
However, if I log in from the root page "http://localhost/test/" everything seems to work. But logging in from for example "http://localhost/test/news/" causes the above mentioned problem. It also works fine if I log in from the "original" URLs, like "http://localhost/test/index.php?section=news".
Is there any "known" problem with sessions and rewriting to folders, or maybe I should provide some code if anyone thinks it's needed?
The site is built like this:
I have an index.php which fetches different pages depending on the query string. Some files are included like this:

$includes = $_SERVER['DOCUMENT_ROOT'] . '/inc/';
include $includes . 'login.php';
and index.php basically looks like this (-- indicates that they are fetched from different includes):
ob_start( 'ob_gzhandler' );
// tried removing this
--session_start();
ini_set("arg_separator.output","&");
ini_set("url_rewriter.tags","a=href,area=href,frame=src,input=src,fieldset=");
// tried removing those 2 above
--$connection = mysql_connect("localhost","user","pass") or die("Couldn't connect!");
$db = mysql_select_db("database", $connection) or die("DB Error!");
$CurrTime = date("Y-m-d H:i:s", strtotime("+0 hours"));--

/* Sets status 0 for inactive (away 20 minutes) users */
$DateMinus = date("Y-m-d H:i:s", strtotime("+0 hours") - 20*60);
mysql_query("UPDATE users SET status = 0 WHERE datelogin < '$DateMinus' AND status = 1") or die(mysql_error());

/* When you log on */
if ($_POST['action'] == 'login' && $_COOKIE['AutoLogin'] == 0) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    // Check the user
    $SQL = mysql_query("SELECT uid, username, password, rank, status, datelogin FROM users WHERE username = '$username' AND password = '$password'") or die (mysql_error());
    $objRS = mysql_fetch_array($SQL);
    // If he exists
    if (mysql_num_rows($SQL) == 1 && $objRS['rank'] != '0') {
        $CookieLength = (time()+60*60*24*30*12*1);
        // Update status
        mysql_query("UPDATE users SET status = 1, datelogin = '$CurrTime' WHERE uid = $objRS[uid]") or die (mysql_error());
        if ($_POST['AutoLogin'] == 1) {
            setcookie("AutoLogin", 1, $CookieLength);
        }
        // Cookies
        setcookie("uid", $objRS['uid'], $CookieLength);
        setcookie("username", $username, $CookieLength);
        setcookie("password", $password, $CookieLength);
        // Sessions
        $_SESSION['sess_uid'] = $objRS['uid'];
        $_SESSION['sess_status'] = 1;
        header("Location: " . $_SERVER['REQUEST_URI']);
        exit;
    } else {
        $loginerror = " --- Error msgs --- ";
    }
/* Updating status while logged in (AutoLogin = 1 is somewhat similar) */
} else if ($_COOKIE['AutoLogin'] == 0 && empty($_POST['action']) && isset($_SESSION['sess_uid'])) {
    $username = $_COOKIE['username'];
    $password = $_COOKIE['password'];
    // Check the user
    $SQL = mysql_query("SELECT uid, username, password, rank, status, datelogin FROM users WHERE username = '$username' AND password = '$password' AND rank != '0'") or die (mysql_error());
    $objRS = mysql_fetch_array($SQL);
    // If he exists
    if (mysql_num_rows($SQL) == 1) {
        // Update status
        mysql_query("UPDATE users SET status = 1, datelogin = '$CurrTime' WHERE uid = $objRS[uid]") or die (mysql_error());
        // Sessions
        $_SESSION['sess_uid'] = $objRS['uid'];
        $_SESSION['sess_status'] = 1;
    } else {
        session_destroy();
    }
}--

<html>
<head><base href="http://<?php echo $_SERVER['HTTP_HOST'] . "/index.php"?>" />
some html...
<?php include $includes . 'the-correct-page.php'; ?>
more html...
I've been trying with various types of <BASE href> and ways of including the files, but it's always the same.
Some other weird things I noticed while testing were that the pages somehow "adapted" and didn't log me out after a while. But when I closed the browser and deleted the session in the /tmp/ folder I was getting logged out again...
If you see something that might cause these weird bugs, please post!
[ CODE ] doesn't work? I quoted the code instead.
Thanks!
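As an added example (not code from this thread), here is the login part of the handler above with every cookie scoped to one explicit path: setcookie() called without a path argument scopes the cookie to the directory of the current request URI, so a cookie set on /test/news/ is not sent back on /test/okey/. Prepared statements, password_verify() and a random remember-me token are swapped in for the string-built SQL and the username/password cookies; PHP 7.3+, PDO, a password_hash() column and an autologin_hash column are assumed.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7.3+ with PDO, a `users`
// table whose `password` column holds password_hash() output plus an assumed
// `autologin_hash` column, and an application root of /test/ as in the thread.
const APP_PATH = '/test/';
// setcookie() without a path scopes the cookie to the directory of the current
// request URI (the session cookie path comes from session.cookie_path instead).
// Pin both to one explicit path so rewritten subdirectory URLs share the cookies.
session_set_cookie_params(['path' => APP_PATH, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

function set_app_cookie(string $name, string $value, int $ttl): void {
    setcookie($name, $value, [
        'expires' => time() + $ttl, 'path' => APP_PATH,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function login(PDO $db, string $username, string $password, bool $remember): bool {
    // Prepared statement instead of interpolating POST data into the SQL string.
    $stmt = $db->prepare('SELECT uid, password, rank FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (string) $row['rank'] === '0' || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);          // new session id once the user is authenticated
    $_SESSION['sess_uid'] = (int) $row['uid'];
    $_SESSION['sess_status'] = 1;
    $db->prepare('UPDATE users SET status = 1, datelogin = NOW() WHERE uid = ?')
       ->execute([$row['uid']]);
    if ($remember) {
        // A random token replaces the username/password cookies; only its hash is stored.
        $token = bin2hex(random_bytes(32));
        $db->prepare('UPDATE users SET autologin_hash = ? WHERE uid = ?')
           ->execute([hash('sha256', $token), $row['uid']]);
        set_app_cookie('AutoLogin', $token, 60 * 60 * 24 * 30);
    }
    return true;
}

if (($_POST['action'] ?? '') === 'login') {
    $db = new PDO('mysql:host=localhost;dbname=database', 'user', 'pass', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $ok = login($db, $_POST['username'] ?? '', $_POST['password'] ?? '', !empty($_POST['AutoLogin']));
    if ($ok) {
        header('Location: ' . $_SERVER['REQUEST_URI']);   // same redirect as the original
        exit;
    }
    $loginerror = 'Login failed';
}
```

The same explicit path must be used when the AutoLogin token is later read and when cookies are cleared on logout, otherwise a stale copy can remain under a narrower path.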
Welcome to WebmasterWorld!
> I noticed while testing was that the pages somehow "adapted" and didn't log me out after awhile.
You're seeing the results of pages saved in your local browser cache, most likely. Flush your cache before testing any change to access-control code.
How do you pass the session info, as a query string? If so, you'll need to add the [QSA] flag to your rules.
That's all I can suggest right now, as I'm not a sessions user.
Jim
Oh, forgot about the cache. I have tried some while clearing it a lot now, and as expected the results are "worse" ;) But more true, I guess.
I have had QSA and L on my rules when testing (says under the code that I added QSA later :) ) Still no luck though.
How I pass the sessions.. hmm, I'm not very sure, but I assume it's by a query string? Sometimes I see the ?PHPSESSID=session in IE but it disappears after a click or two. As stated in my code, I basically check if $_SESSION['sess_uid'] is set each time a page is loaded.
I also tried adding this to my links
<?php echo "?PHPSESSID=" . session_id( );?>
so it's always shown, and after 1 click the session seems to die, because the link is now only "?PHPSESSID=", where it previously showed the session.
I made a separate page just to test things out quick, but it was the same. Here's the htaccess:
Options +FollowSymLinks
RewriteEngine on
RewriteBase /testfolder/
RewriteRule ^testing/$ hey.php?page=test [L,QSA]
RewriteRule ^testing/([0-9]+)/$ hey.php?page=test&more=$1 [L,QSA]
RewriteRule ^okey/?$ hey.php?page=one [L,QSA]
RewriteRule ^okey/okidoki/$ hey.php?page=one&more=two [L,QSA]
and hey.php had all the code posted in the first message for login info and only the links to the different test sections (/testing/1/, /okey/okidoki/, and so on).
When I first enter the page, I get a PHPSESSID, and then I log in, everything's still fine. But after the next click the session seems to be dead, because the links do not have the PHPSESSID anymore.
Strangely, I'm never "logged out" when I'm using my "normal" links (hey.php?page=test, etc.), this just happens now while mod-rewriting the links :)
It's so strange because it works wonderful when just surfing the site, but when I log in (except from the /index.php) from any subdirectory, weird things start happening (being logged out).
I've asked on other boards too but none of the suggestions have worked yet.
There isn't any special setting in the Apache config which might be the cause of this, is there?