#614 PHP session handling issues with HTTP/1.1

Mike Elliott

I was having problems with users getting the "You must be logged in to access this page." when cookies were properly enabled and the server settings were correct. This occasionally happens in IE 5.0, and always happens in Opera 6.01.

Cause: Race condition in redirect.php. The cookies are being sent, and a Location: header is being sent, but no html. The cookies may or may not be set before the page from the Location: header is loaded. IE: 50/50, Opera: 95/5 fail/success. Therefore, the PHPSESSID cookie is missed, and the resulting "not logged in" page is given.

< header("Location: $redirect_url");
echo "<html><head><META HTTP-EQUIV=\"Refresh\" CONTENT=\"0;
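
Review bot: the replacement `echo` line is cut off after `CONTENT=\"0;`, so the URL part of the refresh and the closing markup cannot be reviewed; please post the complete line. If `$redirect_url` from the removed `header()` call is interpolated into that attribute, pass it through htmlspecialchars() first, and include a plain link in the body for clients that do not follow a META refresh.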

Why: Since html is sent in this case, all header information has to be received and processed before the html can be processed. The cookies are registered before the jump to the new page. An attempt at a shortcut with the Location: is what causes the race condition.
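
To see which of the two response shapes described in this report a server actually sends, a captured response can be classified mechanically. This is an added example, not part of the original report or of the project's code; the sample responses are constructed and the function names are hypothetical.

```python
import re

# Constructed sample responses (not captured from a real server).
REDIRECT = ("HTTP/1.1 302 Found\r\n"
            "Set-Cookie: PHPSESSID=constructedsessionid; path=/\r\n"
            "Location: /next.php\r\n"
            "Content-Length: 0\r\n\r\n")
REFRESH = ("HTTP/1.1 200 OK\r\n"
           "Set-Cookie: PHPSESSID=constructedsessionid; path=/\r\n"
           "Content-Type: text/html\r\n\r\n"
           '<html><head><META HTTP-EQUIV="Refresh" CONTENT="0; URL=/next.php">'
           "</head></html>")

META_REFRESH = re.compile(r"<meta[^>]+http-equiv=[\"']?refresh", re.I)


def parse_response(raw):
    """Split a raw HTTP response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def cookie_names(headers):
    """Names of the cookies set by the response, in order."""
    return [v.split("=", 1)[0] for n, v in headers if n == "set-cookie"]


def classify(raw):
    """Label how a response that sets cookies moves the browser on."""
    status, headers, body = parse_response(raw)
    if not cookie_names(headers):
        return "no-cookie"
    has_location = any(n == "location" for n, _ in headers)
    if 300 <= status < 400 and has_location:
        return "cookie-on-redirect"        # shape the report blames
    if status == 200 and META_REFRESH.search(body):
        return "cookie-with-html-refresh"  # shape of the proposed change
    return "cookie-other"


if __name__ == "__main__":
    for name, raw in (("redirect", REDIRECT), ("refresh", REFRESH)):
        print(name, classify(raw))
```
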


  • Logged In: YES

    OK, I see your point. Upping priority to be included in 1.2.6.

    • priority: 5 --> 9
    • status: open --> open-accepted
  • Logged In: YES

    How about if we send both? I have this faint recollection
    that this used to fix things. E.g. we don't remove the
    header("Location: $redirect_url"), but keep it and add the
    HTML. Can you try it -- does opera still ignore the cookies
    in this case?

    • assigned_to: nobody --> graf25
  • Mike Elliott

    Logged In: YES

    Tried sending both. Fails. I assume the Location: is processed, and the
    rest ignored. As a warning, don't try to get fancy with HTTP_USER_AGENT
    processing and looking for Opera. Opera can be configured to reply IE,
    Netscape, or Opera which would defeat the purpose.

    • milestone: --> Can't Reproduce
    • status: open-accepted --> pending-accepted
  • Logged In: YES

    I can't reproduce this. At all. Any browser -- Opera 6.01,
    IE 5.5, IE 6.0. Any php version. Marking as "can't
    reproduce". For s&g -- try turning off the plugins and see
    if this makes any difference.

  • Mike Elliott

    • status: pending-accepted --> open-accepted
  • Mike Elliott

    Logged In: YES

    Turning off all plugins and sending both fails.
    Turning off all plugins and sending Location: fails.

    This is the same bug referenced in 417373, 466636, and 539168, so I know others can reproduce it.

    • priority: 9 --> 5
  • Logged In: YES

    I just upgraded to 1.2.6 and am NOW getting this error with Opera when I
    didn't in 1.2.5! It happens every time I try to send mail... mostly just
    then. I implemented the "fix" and it isn't "fixed".

  • Logged In: YES

    It seems that this is in fact related to PHP issues with
    HTTP-1.1. We are only reliant on PHP to provide us this
    data, so we are quite helpless in this situation.

    • summary: Fix: Login race condition in Opera --> PHP session handling issues with HTTP/1.1
  • Logged In: YES

    I had the exact same symptoms on Apache/1.3.24 &
    PHP/4.2.1 but almost all the time with most browsers.

    Adding the following to the Apache conf file for the webmail
    entry solved my problem:

    php_admin_flag session.auto_start on

    Even without the patch suggested in the bug description it
    seems to work.

    Good luck,


  • Logged In: NO

    I was having problems with PHP:
    Warning: Failed opening '/mail1/functions/page_header.php'
    for inclusion (include_path='.:/usr/local/lib/php') in
    /var/www/htdocs/mail1/functions/display_messages.php on line 99
    Good luck


  • Logged In: NO

    I have solved the problem for me.
    I'm running an apache 2.0.39 PHP 4.2.2_dev and had this
    problem with all HTTP 1.1 Browsers.

    My fix looks like this:

    --- src/login.php.orig Fri Jul 19 19:24:10 2002
    +++ src/login.php Fri Jul 19 19:24:31 2002
    @@ -83,6 +83,7 @@
    setcookie('username', '', 0, $base_uri);
    setcookie('key', '', 0, $base_uri);
    header('Pragma: no-cache');
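
    Review bot: the hunk header `@@ -83,6 +83,7 @@` says one line is added, but no `+` line is visible in the three context lines posted, so the actual change next to `header('Pragma: no-cache');` cannot be reviewed. Please repost the complete hunk and state in the description what the added line does and why it affects the session cookie, since "it works" alone does not show whether it changes caching or security behaviour.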


    Don't ask why, but it works. At least for me. :))))


  • Logged In: NO

    The echo meta refresh solved my "must be logged in"

    PHP 4.1.2 engine on IIS 5 (W2K)
    Client - IE 6
    Mail server - Exchange 5.5

    Interestingly enough, I did not seem to have the problem
    when my PHP engine resided on IIS in XP.


  • Logged In: NO

    Could someone post an updated redirect.php file
    somewhere? I tried adding it in, but it's still not
    working. Thank you!

  • Logged In: NO


    thanks a lot for your solution! it worked for me as well! :-)
    i'm running apache 2.0.39 with php 4.2.2.

    all the other fixes didn't work for me (and i've tested them
    all :-o) windseeker you made my day...!

    but can anyone tell me the technical background of this fix...?


  • Logged In: NO

    THANK YOU!!! This finally fixed my IIS5/W2K/IE6

    -- Rodney Sizemore
    RESA Academy

  • Logged In: NO

    I've tried changing my redirect.php file to read just as
    above but the problem persists on a Mac using Netscape under
    OS9. I can log in to squirrel mail but as soon as I delete
    an email I get the "you aren't logged in" error. Hitting the
    back button will work to get me back to my mail info. BUT...
    I have other users that may not be savvy enough to hit the
    back button.

    PHP and Squirrel mail are running under OSX 10.1.5

    Do I have to recompile php or anything to get the change to
    stick? I have rebooted already.


  • Logged In: NO

    Did you try the change in login.php such as "Windseeker"
    described? It worked for me, but I'm not sure if it affects
    anything else (such as safety).


  • Logged In: NO

    Just a tad too fast....
    It still doesn't work, regardless of different patches.
    I still have to login twice.


