0

I seem to be having a problem in which the state of the PHP session on this page begins with a defined set of parameters, but after redirecting to Twitter for app authorization, returns with a totally different session ID and session state. When I clear the cookies for my browser, this behavior stops and the program functions as it should. But on the next Twitter authorization attempt, the session reverts to the state it had the first time it was set after clearing cookies, but only after returning from Twitter.

Any help would be appreciated!

```php
<?php

session_start();
echo session_id();

require 'oauth/twitteroauth.php';
require 'Abacus.php';

$twitter_consumer_key = 'OwxQxjghhyBOibNvg4Tg';
$twitter_consumer_secret = '3rBhdAyiLGeTBR6GY4i76vilFqqV2EL5cFQjmt8pJBg';

// Send visitors without a logged-in user back to the index page.
if (!isset($_SESSION['user'])) { echo "<script type='text/javascript'>window.location.href=(\"$index.php\")</script>"; die(); }

if (isset($_REQUEST['appauth']))
{
    $step = 0;
    if (isset($_REQUEST['step'])) {
        $step = $_REQUEST['step'];
    }

    switch ($_REQUEST['appauth'])
    {
        case 'twitter':
            if ($step == 1)
            {
                // Step 1: get a request token, keep it in the session, send the user to Twitter.
                $twit_conn = new TwitterOAuth($twitter_consumer_key, $twitter_consumer_secret);
                $temp_cred = $twit_conn->getRequestToken();
                $_SESSION['twitter_temp_oauth_token'] = $temp_cred['oauth_token'];
                $_SESSION['twitter_temp_oauth_token_secret'] = $temp_cred['oauth_token_secret'];
                $redirect_url = $twit_conn->getAuthorizeURL($temp_cred);
                //header("Location: $redirect_url");
                echo "<script type='text/javascript'>window.location.href=(\"$redirect_url\")</script>";
                die();
            }
            else if ($step == 2)
            {
                // Step 2: exchange the request token and its secret (both read from the session) for an access token.
                $twit_conn = new TwitterOAuth($twitter_consumer_key, $twitter_consumer_secret, $_SESSION['twitter_temp_oauth_token'], $_SESSION['twitter_temp_oauth_token_secret']);
                $token_cred = $twit_conn->getAccessToken();
                //$_SESSION['twitter_token_cred'] = $token_cred;

                $db_conn = mysql_connect(DATABASE_HOST, DATABASE_USER, DATABASE_PASSWORD);
                if (!$db_conn) { die('Could not connect to MySQL database.'); }
                mysql_select_db(DATABASE_NAME, $db_conn);

                // Replace any stored Twitter credentials for this user (content source 4).
                mysql_query("DELETE FROM usercontentsources WHERE userid = {$_SESSION['user']['userid']} AND contentsourceid = 4", $db_conn);
                $insert_twitter_cred_sql = "INSERT INTO usercontentsources (userid, contentsourceid, params) VALUES ({$_SESSION['user']['userid']}, 4, '{$token_cred['oauth_token']} {$token_cred['oauth_token_secret']}')";
                mysql_query($insert_twitter_cred_sql, $db_conn);

                mysql_close($db_conn);

                // Check the new access token by calling the API with it.
                $twit_conn = new TwitterOAuth($twitter_consumer_key, $twitter_consumer_secret, $token_cred['oauth_token'], $token_cred['oauth_token_secret']);
                var_dump($twit_conn->get('account/verify_credentials'));
            }
            break;
        case 'facebook':
            break;
        default:
            break;
    }
}

?>
<!DOCTYPE html>
<html>
    <head>
        <title>Settings - ProjectAbacus</title>
    </head>
    <body>
        <a href='settings.php?appauth=twitter&step=1'>Integrate Twitter</a>
    </body>
</html>
```
Zac Crites
  • Please, don't use `mysql_*` functions to write new code. They are no longer maintained and the community has begun the [deprecation process](http://goo.gl/KJveJ). See the *[red box](http://goo.gl/GPmFd)*? Instead you should learn about [prepared statements](http://goo.gl/vn8zQ) and use either [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli). If you can't decide which, [this article](http://goo.gl/3gqF9) will help you. If you pick PDO, [here is a good tutorial](http://goo.gl/vFWnC). – Waleed Khan Nov 27 '12 at 02:42
  • besides this also not being an answer: Use PDO, not MySQLi;) http://stackoverflow.com/questions/13569/mysqli-or-pdo-what-are-the-pros-and-cons – nico gawenda Nov 27 '12 at 02:47

1 Answer

-1

I just had a similar issue - it turns out that (in order to allow multiple Ajax requests for one session to be processed at once) we were calling session_write_close() at the start of the thread.

This meant any changes we made to the session values were not stored, and the session values reverted to their previous state when the page reloaded. We're moving / removing the session_write_close() call to fix it.

vaultah
Steve Doolan
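
The behaviour described in the answer above, shown as an added example that is not part of the original question or answer: a session write made after `session_write_close()` is lost, so the next request (such as an OAuth callback) still sees the older stored value. It runs under the PHP CLI with each function call standing in for one request; the function names, session ID and token values are hypothetical and constructed for illustration.

```php
<?php
// Added example (not from the original post). Runs under the PHP CLI;
// each function call stands in for one HTTP request on the same session.
ini_set('session.use_cookies', '0');            // CLI: no cookie headers to send
session_save_path(sys_get_temp_dir());

// Hypothetical handler that releases the session lock before doing its work.
function request_close_early(string $sid, string $token): void {
    session_id($sid);
    session_start();
    session_write_close();                       // data is saved and the lock released here
    $_SESSION['twitter_temp_oauth_token'] = $token;  // changes the in-memory array only
}

// Same handler with the write done first and the close moved after it.
function request_close_late(string $sid, string $token): void {
    session_id($sid);
    session_start();
    $_SESSION['twitter_temp_oauth_token'] = $token;
    session_write_close();                       // the new value is saved
}

// Reads back what a following request (e.g. the OAuth callback) would see.
function stored_token(string $sid): ?string {
    session_id($sid);
    session_start();                             // reloads $_SESSION from storage
    $value = $_SESSION['twitter_temp_oauth_token'] ?? null;
    session_write_close();
    return $value;
}

$sid = bin2hex(random_bytes(16));                // constructed session ID
request_close_late($sid, 'token-A');             // constructed token values
request_close_early($sid, 'token-B');            // this write is never persisted
$after_early = stored_token($sid);
request_close_late($sid, 'token-C');
$after_late = stored_token($sid);

// Remove the constructed session file before producing any output.
session_id($sid);
session_start();
session_destroy();

printf("after early close: %s\nafter late close:  %s\n", $after_early, $after_late);
```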