OK, I been using Chrome but just used IE and did exactly what you told me. I cleared out hundreds of cookies. Went back to the site and ran the script again. I then went to the cookies folder again and nothing in there. I guess the cookies is not setting.


well that is quite odd..

do you know how to set permissions for your folders?

If you can, make sure your HTML root folder has read and write priveleges.

If you use file-zilla (it's the only way I know how to do it), right click on the folder that your index.php is (the folder, not the file), and set the number in there to 777. See if that helps.


Its set to 755. I tried 777 which includes group and other and it kills the file. It won't run it. 755 is set to read and write.


on a new page try this:

if(session_start()) {
echo "I started!";
echo "I didn't start :(";

I started! is what it said.

On a different note, I checked Chrome Browser and there is a PHPSESSID cookie for the website. I guess it is registering the session.

Edited by diablo4151: update


k.. I think I got it.

on workspace_files.php do this and delete what you have:

header('Location: workspace.php');
}else {
if(isset($_SESSION['username'])) {



}else { // no session and no user so someone accessed the page improperly
header('Location: workspace.php');

Explanation: If your server has session.autostart enabled in php.ini (which I think it does) then sessions will persist automatically between your pages. When we call session start, if this setting is enabled, we are basically overwriting the current session, and losing all our data.

If the above works, it means that the setting is enabled. Instead, on your pages you need to see if a session_id() is set, and if so then a session is initiated, and we dont need to set another one.


It did go to workspace_files.php. However, there is an error again.

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

As for session.autostart, this is what I found in php.ini

; Initialize session on request startup.
session.auto_start = 0

Edited by diablo4151: update


I made a type on line 2. Should read if(!isset(session_id())){ <- note the extra parentheses.

I really don't know why you are having trouble with this... Ill keep looking on the googlefriend...


Its still not working. I just don't get it.

I wonder if these codes are written correctly? Its the code that tell the file to fetch the file name (workspace_files.php) located under redirect column of my SQL.

// get the redirect column's value
$redirect = trim($result['redirect']);
    if ($redirect == '') {
        echo "No redirect value was set!";
    } else {
        header("Location: /$redirect");
} else {
    echo "Please try again";

There is nothing wrong with the redirect. If you take out the if check on the page being redirected to, you will have the page load just fine. The problem is your sessions are not persisting through your domain.


Maybe this is the problem why my session is not saving. I host my account with ipower.com. They have a root directory. Under root directory, they have a Home Directory call public_html. Public_html is where we are required to place all our files. Because I broadcast 3 different websites from this one account, I have 3 different sub-directories which I named a, b and c. Under the "c" sub-directory is where I place all the files for this website including workspace.php, workspace_login.php and workspace_files.php. Because of the 3 websites, inside ipower.com's Domain area I had to change this website from Home Directory to Subdirectory pointing this website located in the "c" sub-directory to /public_html/c/ instead of /public_html/ which is the Home Directory. I talked to the rep at ipower.com and he said that I might have to change the session path inside php.ini to make it work. I have no idea how to do this. Can you help? Below is the Session section of the php.ini. Can you look at it and see if the path is correct based on what I wrote? Thank you.

; Handler used to store/retrieve data.
session.save_handler = files

; Argument passed to save_handler.  In the case of files, this is the path
; where data files are stored. Note: Windows users have to change this
; variable in order to use PHP's session functions.
; As of PHP 4.0.1, you can define the path as:
;     session.save_path = "N;/path"
; where N is an integer.  Instead of storing all the session files in
; /path, what this will do is use subdirectories N-levels deep, and
; store the session data in those directories.  This is useful if you
; or your OS have problems with lots of files in one directory, and is
; a more efficient layout for servers that handle lots of sessions.
; NOTE 1: PHP will not create this directory structure automatically.
;         You can use the script in the ext/session dir for that purpose.
; NOTE 2: See the section on garbage collection below if you choose to
;         use subdirectories for session storage
; The file storage module creates files using mode 600 by default.
; You can change that by using
;     session.save_path = "N;MODE;/path"
; where MODE is the octal representation of the mode. Note that this
; does not overwrite the process's umask.
session.save_path = "/var/php_sessions"

; Whether to use cookies.
session.use_cookies = 1

; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 0.
; session.use_only_cookies = 1

; Name of the session (used as cookie name).
session.name = PHPSESSID

; Initialize session on request startup.
session.auto_start = 0

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0

; The path for which the cookie is valid.
session.cookie_path = /

; The domain for which the cookie is valid.
session.cookie_domain =

; Handler used to serialize data.  php is the standard serializer of PHP.
session.serialize_handler = php

; Define the probability that the 'garbage collection' process is started
; on every session initialization.
; The probability is calculated by using gc_probability/gc_divisor,
; e.g. 1/100 means there is a 1% chance that the GC process starts
; on each request.

session.gc_probability = 1
session.gc_divisor     = 100

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440

; NOTE: If you are using the subdirectory option for storing session files
;       (see session.save_path above), then garbage collection does *not*
;       happen automatically.  You will need to do your own garbage
;       collection through a shell script, cron entry, or some other method.
;       For example, the following script would is the equivalent of
;       setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
;          cd /path/to/sessions; find -cmin +24 | xargs rm

; PHP 4.2 and less have an undocumented feature/bug that allows you to
; to initialize a session variable in the global scope, albeit register_globals
; is disabled.  PHP 4.3 and later will warn you, if this feature is used.
; You can disable the feature and the warning separately. At this time,
; the warning is only displayed, if bug_compat_42 is enabled.

session.bug_compat_42 = 0
session.bug_compat_warn = 1

; Check HTTP Referer to invalidate externally stored URLs containing ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
session.referer_check =

; How many bytes to read from the file.
session.entropy_length = 0

; Specified here to create the session id.
session.entropy_file =

;session.entropy_length = 16

;session.entropy_file = /dev/urandom

; Set to {nocache,private,public,} to determine HTTP caching aspects
; or leave this empty to avoid sending anti-caching headers.
session.cache_limiter = nocache

; Document expires after n minutes.
session.cache_expire = 180

; trans sid support is disabled by default.
; Use of trans sid may risk your users security.
; Use this option with caution.
; - User may send URL contains active session ID
;   to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
;   in publically accessible computer.
; - User may access your site with the same session ID
;   always using URL stored in browser's history or bookmarks.
session.use_trans_sid = 1

; Select a hash function
; 0: MD5   (128 bits)
; 1: SHA-1 (160 bits)
session.hash_function = 0

; Define how many bits are stored in each character when converting
; the binary hash data to something readable.
; 4 bits: 0-9, a-f
; 5 bits: 0-9, a-v
; 6 bits: 0-9, a-z, A-Z, "-", ","
session.hash_bits_per_character = 4

; The URL rewriter will look for URLs in a defined set of HTML tags.
; form/fieldset are special; if you include them here, the rewriter will
; add a hidden <input> field with the info which is otherwise appended
; to URLs.  If you want XHTML conformity, remove the form entry.
; Note that all valid entries require a "=", even if no value follows.
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="

Edited by diablo4151: update


Hi again,

session.save_path = "/var/php_sessions"

I wouldn't think that using a subdirectory should cause session problems, but if you have direct access to your php.ini file, try changing your session.save_path (line 31 in your snippet above) to:

session.save_path = "/temp"

as this has been suggested in a few other forums (and is also the setting used in my php.ini).

Edited by Zagga


The only problem with using /temp is it potentially opens it up to public/shared access. So if you can use a non-root folder (the folder above your HTML folder) it would be preferred.

If security is not a major issue, then don't worry about it.


Ryan / Zagga,

You guys are right. It is my server that is giving me a hard time with the session. I know this because I tested the same codes on a different server (my friend's) and it works fine. I can't get any help at ipower.com (hosting company) so I gave up on it. Unfortunately for me, I have paid for the entire year of hosting and still have about 3 months left before I can host it elsewhere. In the meantime, I found this code which is not the most practical but since there are only a handfull of people logging in, I think it will work fine for the time being. Can you help look over workspace_files.php and workspace_logout.php? Again, thank you!

workspace.php (don't need help here)

<form name="form" method="post" action="workspace_login.php">
<tr><td>Username: <input name="username" type="text"></td></tr>
<tr><td>Password: <input name="password" type="password"></td></tr>
<tr><td><input type="submit" name="submit" value="Login"></td></tr>

workspace_login.php (don't need help here)

$users['johndoe'] = array('password' => '12345', 'redirect' => 'workspace_files.php'); 
$users['janedoe'] = array('password' => '67890', 'redirect' => 'workspace_files.php'); 
if(array_key_exists($_POST['username'],$users)) { 
    if($_POST['password'] == $users[$_POST['username']]['password']) { 
        $_SESSION['loggedIn'] = true; 
else { 
    // invalid password 
    header('Location: workspace.php'); 
else { 
    // invalid username 
    header('Location: workspace.php'); 

workspace_files.php (need help here - this is the code that go on top of workspace_files.php where it protects the file. However, I can't get it to work as it keeps redirecting back to workspace.php)

if (!isset($_POST['$users'])) {
    header('Location: workspace.php');
<title>Secured Page</title>
<p>Welcome <b><?php echo $_SESSION['users']; ?></b>
Information here.</p>
<p><a href="workspace_logout.php">Logout</a></p>

workspace_logout.php (need help here)


if (session_destroy()){

header("Location: workspace.php");

Edited by diablo4151: update


There is not reason you cant hold the info in a database and pass a simple check to enter the page you want.

You can simply pass the username as a GET variable in the header change.

header("Location: http://www.foo.com/?user=myvar&pw=password");

Then your login page, you can check the GET for the login parameters against the database.

I would encourage you to encrypt the username and password if you use this method, or even making some sort of tokenID attached to the protected pages and query the DB for the token ID.

Hard coding your passwords in your PHP pages is poor practice.. but if it's for something simple and doesnt require security then it will do as a temporary fix.


Hi diablo4151!

Your only problem is like ryantroop said because i copyed your scripts, made the database, and tested it. Only thing you must change is

$username="*****"; // Mysql username
$password="*****"; // Mysql password


$user="*****"; // Mysql username
$pass="*****"; // Mysql password


mysql_connect("$host", "$username", "$password"


mysql_connect("$host", "$user", "$pass"

and everything works fine...

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.