0

Recently, I came across a weird contrast while developing a PHP script. The point is, I want to send an HTTP response status code to another page using the global $_SESSION variable. Then on the destination page, I will send this HTTP response status code to the browser by using the header() method. It doesn't matter what the HTTP response status code is. For example we consider here "422 Unprocessable Entity". So, easily we write our script:

file1.php: (the source file)

<?php
session_start();
$_SESSION['xyz'] = "422 Unprocessable Entity";
header('Location: file2.php');

file2.php: (the destination file)

<?php
session_start();
header("HTTP/1.1 " . $_SESSION['xyz']);
var_dump($_SESSION['xyz']);
unset($_SESSION['xyz']);

After entering URL example.com/file1.php, we will be transferred to the destination (example.com/file2.php) without any problems. In the browser console (Network tab) we will see a 422 error. No error_log file has created and also the output content of the page is:

string(24) "422 Unprocessable Entity"

Everything looks good. But the problem is, if you use https://httpstatus.io/ to check the correctness of the header sent, in addition to creating an error_log file on your server, you will encounter the following output:

wrong status code enter image description here

Which is quite confusing. Moreover, the content of error_log file is:

[02-May-2021 22:21:13 UTC] PHP Warning:  Undefined array key "xyz" in /www_root/file2.php on line 3
[02-May-2021 22:21:13 UTC] PHP Warning:  Undefined array key "xyz" in /www_root/file2.php on line 4

which means that the variable $_SESSION['xyz'] has not set.

I tried to debug the script simply by modifying file2.php:

<?php
session_start();
header("HTTP/1.1 422 Unprocessable Entity");
var_dump($_SESSION['xyz']);
unset($_SESSION['xyz']);

Then, the problem was solved strangely:

enter image description here

Now I want to ask the question, is the basis of my method (passing HTTP response status code to another page) correct? If so, why do I get error? Does the header() method execute in PHP before receiving $_SESSION variables? What is the execution schedule of these two functions? Thank you for your help.

Improve this question

1 Answer 1

Reset to default
1

I would suspect that something went wrong in the site checking.

Specifically, the behaviour you lament is the one I would expect if the server did follow the redirect, but without setting the session cookie header. If that is the case, then the file2.php got an empty session.

Try outputting the session_id() in file2.php and see whether it changes (it shouldn't, if the cookie is transferred correctly) between file1 and file2.

Or maybe send in the location a GET variable like id=(session id). Then in file2.php verify whether the id you got session_id() or not. If it is not, connect to the "good" session id (see session_id man page). And see if then you see the xyz key. Chances are that you will.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Your suspicion may be correct. I think there is no problem with our script at all. The problem is that 'httpstatus.io' does not hold on and transfer $_SESSION variables during the transition from file1.php to file2.php (302 Redirect). Now in this situation, what do you think is the simplest way to prevent error_log from being created?
Simply by add if(isset($_SESSION['xyz'])) after session_start(), error_log will no longer created.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.