Strange PHP Session behavior


I'm puzzled by the strange behavior of some session variables, the "token" variable in particular.

This is how I create it in index.php:

$_SESSION['token'] = sha1(rand(7451, 98632)); // Let's name it "something"

Then I do a POST with AJAX and pass that variable to another script, the ajax_io.php:

Inside the ajax_io.php:

if($_POST['token'] != $_SESSION['token']) die('Horribly');

My check always "dies". While the token is passed correctly by the JavaScript AJAX post in index.php, the $_SESSION['token'] in ajax_io.php is different from the one created in index.php.

e.g. in ajax_io.php:

The $_POST['token'] appears as "something"
$_SESSION['token'] appears as "something else"

It's as if the AJAX post is requesting index.php (somehow), which creates another token, and then requests ajax_io.php to do the functionality requested.

Here is the Javascript AJAX request:

var token = '<?php echo $the_token; ?>';
$.post("ajax_io.php", {
        token: token
    }, function(data) {
        // Do something with data
    });


I haven't mentioned that in the real script there is a foreach loop, and that loop is the cause of the trouble. It somehow rewrites the PHP token variable with a newly generated one on each loop, but the script keeps the original value for setting the JavaScript variable.

$the_token = sha1(mt_rand(10, 100));
$_SESSION['tokens'][] = $the_token; // Notice the multidimensional array here

foreach ($something as $item) : // placeholder for the real loop
    // do something other than setting any session variable
endforeach;

print_r($_SESSION);


Array (
[tokens] => array (
[0] => b19477cb038d6e0f588b6631c1686c8e246b82d5 // The real one created at the beginning of the script
[1] => 51e57c94bfd5c81b11e8c48dc8002b1162f4cd84
[2] => 084c881c074678218a4394524f60d3867da84cb3

On this script, if I echo out the $_SESSION I get an N amount of tokens, for example 3. But only the first one is the one created physically by my script; the other 2 were created by the loop. I've gone through the entire loop script but haven't found anything setting any sort of variables to the session.

By : petsoukos


You just have bad logic. Don't check for the token every time. When you do it, it overwrites it. Just generate it when needed, not every time.

$_SESSION['token'] = (empty($_SESSION['token'])) ? gen_new_token() : $_SESSION['token'];

You can store the time for which it's valid, and so on.

Try changing .post to .ajax as synchronous and let us know what happens. Please post a barebones version of the script since what you posted works ok and the issue is probably a detail in the logic somewhere else.

By : johnjohn
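
An added example (not code from any poster in this thread) of the generate-only-when-missing approach suggested in the answer above, including the validity time it mentions. The names `get_token`, `check_token` and `TOKEN_TTL` and the 30-minute lifetime are assumptions, PHP 7 or later is assumed, and a plain array stands in for `$_SESSION` so it runs from the command line.

```php
<?php
// Added example: names and the 30-minute lifetime are assumptions, not the thread's code.
const TOKEN_TTL = 1800; // seconds a token stays valid (assumed value)

// Return the session's token, creating one only when none exists or it has expired.
function get_token(array &$session, int $now): string
{
    $expired = ($session['token_expires'] ?? 0) <= $now;
    if (empty($session['token']) || $expired) {
        // CSPRNG output; sha1(rand(7451, 98632)) can only take 91,182 distinct values.
        $session['token'] = bin2hex(random_bytes(32));
        $session['token_expires'] = $now + TOKEN_TTL;
    }
    return $session['token'];
}

// Compare a submitted token with the stored one in constant time.
function check_token(array $session, $submitted, int $now): bool
{
    if (!is_string($submitted) || empty($session['token'])) {
        return false;
    }
    if (($session['token_expires'] ?? 0) <= $now) {
        return false; // token outlived its validity window
    }
    return hash_equals($session['token'], $submitted);
}

// Constructed simulation: $session stands in for $_SESSION so this runs from the CLI.
$session = [];
$now = time();

$first  = get_token($session, $now);     // index.php rendered, token embedded in the page
$second = get_token($session, $now + 1); // a second GET of index.php, as in the access log

// Each line prints whether the named property holds.
var_dump($first === $second);                                  // duplicate load kept the token
var_dump(check_token($session, $first, $now + 2));             // AJAX POST with the page's token
var_dump(check_token($session, 'something else', $now + 2));   // mismatching token
var_dump(check_token($session, $first, $now + TOKEN_TTL + 5)); // same token after expiry
```

In a real page, call `session_start()` first and pass `$_SESSION` and `time()` to both functions.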

I can't strip so much out from the script to post the code, the logic is the same as the original post, with the WHILE loop having about 50-60 lines more code.

I just found more tho. Browsers seem to be requesting the index.php file more than once.

- - [14/Aug/2011:19:38:40 0300] "GET /cmdownloads/index.php?itsme=petsoukos HTTP/1.1" 200 11919
- - [14/Aug/2011:19:38:40 0300] "GET /cmdownloads/js/jquery-1.6.1.min.js HTTP/1.1" 304 -
- - [14/Aug/2011:19:38:40 0300] "GET /cmdownloads/js/jquery-ui-1.8.13.custom.min.js HTTP/1.1" 304 -
- - [14/Aug/2011:19:38:40 0300] "GET /cmdownloads/css/style.css HTTP/1.1" 304 -
- - [14/Aug/2011:19:38:40 0300] "GET /cmdownloads/js/script.js HTTP/1.1" 304 -
- - [14/Aug/2011:19:38:40 0300] "GET /cmdownloads/img/overlay.png HTTP/1.1" 304 -
- - [14/Aug/2011:19:38:40 0300] "GET /cmdownloads/index.php?itsme=petsoukos HTTP/1.1" 200 11980
- - [14/Aug/2011:19:38:40 0300] "GET /favicon.ico HTTP/1.1" 404 209

One is being made by the user refreshing the page, but the other...? Can't find the source of that request.

By : petsoukos
