
View Full Version : $_SESSION login w/ database SSID entry



crobinson42
01-12-2012, 02:26 AM
I'm sure there's been dozens of newbies posting kindergarten threads on how to make a session username/login with php... I, on the other hand, know about sessions and logging in :-) I would consider my knowledge of php/msql intermediate (with oop being advanced).

My problem:

I have a login that sets a $_SESSION variable


$_SESSION['id']=$user['id'];

Then I have a main page: index.php which contains an iframe that loads the application content. The index.php page should not change during user access and is only there for the links to navigate the site which load in the iframe. In every page that loads in the iframe I have this code at the top of each page:


session_start();
if(!isset($_SESSION['id'])){
header('Location: http://www.calsecurity.com/login.php');
exit; // stop the script so the rest of the page is not sent after the redirect
}

This script works, however, it will randomly take me to the login.php page as if $_SESSION['id'] is not set?!

First, I would like any insight on why this is happening, I have a hunch there's something to do with IE and the iframe. I would also appreciate any input on possible ways to remedy my situation. I AM using session.cookie, cPanel w/ hostgator.com.

Thanks all!

I've found this but do not entirely understand why IE6 and above silently block the session.cookie...

http://www.phpfreaks.com/forums/index.php?topic=157539.0

fobos
01-17-2012, 02:57 PM
First off, I don't know who uses IE 6 anymore. lol. Second, what if you tried this: put a login button on the index page where the user can log in. The login script authenticates, then redirects back to the index page. From there you start your session. This way all the iframes would get the session start also, from the page refresh when the login script redirected back to the index page. Also, I read that php freaks and found that you should try this in your session:



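<?php
// P3P compact policy header (a header line needs the colon after its name)
header('P3P: CP="CAO PSA OUR"');
session_start();
if(!isset($_SESSION['id'])){
header('Location: http://www.calsecurity.com/login.php');
exit; // stop the script so the rest of the page is not sent after the redirect
}
?>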

traq
01-17-2012, 04:13 PM
<?php
header('P3P: CP="CAO PSA OUR"');
// ...


You shouldn't be using this header. It might solve your immediate problem, but it can also create security issues in IE.

It's a privacy policy statement, and it's basically telling IE that you "trust" the iframe, so IE will share info between it and the rest of your page (like your session cookie). Trouble is, changing which page the iframe displays is a trivial matter - sometimes it even happens by accident. Once that happens, you have an external, unknown, possibly malicious site in your iframe (and now, it has your user's session cookie!) - and IE trusts it completely.

(I don't know what versions of IE this problem applies to, but it may be as recent as IE8. More research needed...)

The best solution here is to not use the iframe.

Since you're already using PHP, why not use include() for your menu?
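
The iframe-free layout suggested in the last post, sketched as an added example that is not part of any post in this thread: each page runs the session check itself and renders the shared menu in the same response, so no framed page and no P3P header are involved. `LOGIN_URL`, `is_logged_in()`, `require_login()`, `render_menu()` and the menu links are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. LOGIN_URL, the menu entries and
// the function names are assumptions made for illustration.
const LOGIN_URL = '/login.php';

// True when the login script has stored a user id in the session.
function is_logged_in(array $session): bool
{
    return isset($session['id']);
}

// Call at the top of every protected page, before any output is sent.
function require_login(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (!is_logged_in($_SESSION)) {
        header('Location: ' . LOGIN_URL);
        exit; // without this the rest of the protected page still runs
    }
}

// Shared navigation. In a real site this would live in its own file
// (for example menu.php) and be pulled into each page with include.
function render_menu(array $links): string
{
    $items = '';
    foreach ($links as $label => $href) {
        $items .= sprintf(
            '<li><a href="%s">%s</a></li>',
            htmlspecialchars($href, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($label, ENT_QUOTES, 'UTF-8')
        );
    }
    return "<ul>$items</ul>";
}

require_login();
echo render_menu(['Home' => '/index.php', 'Reports' => '/reports.php']);
echo '<p>Protected content for user ',
    htmlspecialchars((string) $_SESSION['id'], ENT_QUOTES, 'UTF-8'), '</p>';
```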