Showing posts with label php-admin-panel. Show all posts

Saturday, August 3, 2013

PHP $_SESSION Empty on Next Page

A common symptom is that $_SESSION is empty during AJAX calls, or that a session variable comes back as an empty string when the user navigates to the next page. The first thing to check is that register_globals is Off. When the session ID is not carried over correctly, the cause can be that session.save_path is not set, so the session data is never written to disk. For example, after
$_SESSION['username'] = $_POST['username'];
the session variable is not stored properly.

In this condition the session variables come back blank on the next page:
echo $_SESSION['username'];
returns a blank string.

Checklist for Corrective Measures:
  •  Add the following lines at the start of your PHP file, before any output is sent:
@ini_set('session.save_path', '/home/<UserID>/tmp/sessions');
session_set_cookie_params(3200, '/', $_SERVER['HTTP_HOST']);
session_start();
  •  Make sure that the same session ID is in use on every request. If the ID has been kept in JavaScript or in a database, it can be restored with:
session_id($_POST['session_id']);
Use session_id() to read the current session ID; it can be sent to the client as a value in a JavaScript variable.
  •  session_start() must be called before the response headers are sent, otherwise no session variable can be set or retrieved through $_SESSION. Whether a session variable has actually been set can be re-verified with:
isset($_SESSION['username']);
  •  Check the status of register_globals. Put phpinfo(); in a PHP script on the server. If it reports register_globals = On, the value has to be changed through a php.ini file. Create a php.ini file in the root folder and add the following line:
register_globals = Off
  •  Create a php.ini file in the root folder and add the following lines:
session.save_path = "/home/<UserID>/tmp/sessions"
register_globals = Off
Also add the following lines to the .htaccess file in the same folder:
<IfModule mod_suphp.c>
  suPHP_ConfigPath /home/<UserID>
  <Files php.ini>
    order allow,deny
    deny from all
  </Files>
</IfModule>
The <Files> block makes sure that nobody from outside can fetch php.ini as a web page URL.
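The checklist above is easier to apply when each item is checked by code rather than by hand. The following script is an added example and not code from the original post: it sets the save path, verifies that the directory is writable, starts the session with cookie-only ID transport, and then reproduces the "next page" case by closing and reopening the session with the same ID. The save path, the sample user name and the function names (sessionBootstrap, demoPersistence) are this example's own assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the original post: a bootstrap that applies
// the checklist above and reports on each item, so an empty $_SESSION on
// the next page or in an AJAX call can be diagnosed rather than guessed at.
// The save path is a hypothetical placeholder; use a directory that only
// the web server user can read and write. Call once per request, before
// any output and before session_start().
declare(strict_types=1);

function sessionBootstrap(string $savePath): array
{
    $report = [];

    // 1. register_globals must be Off. It was removed in PHP 5.4; on older
    //    builds an "On" value lets request parameters overwrite session data.
    $rg = ini_get('register_globals');
    $report['register_globals_off'] = in_array(strtolower((string) $rg), ['', '0', 'off'], true);

    // 2. session.save_path must exist and be writable by the PHP process;
    //    if it is not, session_start() yields an empty $_SESSION every time.
    if (!is_dir($savePath)) {
        @mkdir($savePath, 0700, true);
    }
    $report['save_path_writable'] = is_dir($savePath) && is_writable($savePath);
    ini_set('session.save_path', $savePath);

    // 3. The cookie is the only place the session ID should travel. Browsers
    //    attach it to same-origin AJAX requests automatically, so the ID does
    //    not need to be copied into JavaScript variables or POST fields.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');   // IDs the server never issued are discarded
    session_set_cookie_params([
        'lifetime' => 3200,
        'path'     => '/',
        'httponly' => true,       // keep the ID out of reach of page scripts
        'secure'   => false,      // set to true once the panel is served over HTTPS
        'samesite' => 'Lax',
    ]);

    // 4. session_start() has to run before any output; record that first.
    $report['headers_not_sent'] = !headers_sent();
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $report['session_started'] = session_status() === PHP_SESSION_ACTIVE;

    return $report;
}

// Constructed walk-through: store a value, close the session, then reopen
// it with the same ID, which is exactly what the next page or an AJAX call
// does when the cookie comes back. 'persisted' is true when the value survived.
function demoPersistence(string $savePath): array
{
    $report = sessionBootstrap($savePath);
    if (in_array(false, $report, true)) {
        return ['report' => $report, 'persisted' => false];   // a checklist item failed
    }
    $_SESSION['username'] = 'alice';            // constructed sample value
    $id = session_id();
    session_write_close();                      // flush the record to save_path

    $_SESSION = [];
    session_id($id);                            // the next request presents the same ID
    session_start();
    $ok = isset($_SESSION['username']) && $_SESSION['username'] === 'alice';
    session_write_close();
    return ['report' => $report, 'persisted' => $ok];
}

if (PHP_SAPI === 'cli') {
    // Hypothetical scratch directory so the script can be run from the CLI.
    print_r(demoPersistence(sys_get_temp_dir() . '/php-sessions-demo'));
}
```

Run it once from the command line and every entry of the report should be true; a false save_path_writable is the classic reason for the blank value described above. The example deliberately leaves the cookie domain at its default instead of reading it from $_SERVER['HTTP_HOST'], because that header is supplied by the client, and it relies on the cookie rather than on a session ID posted back from JavaScript, so session.use_strict_mode can reject any ID the server did not issue.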


Sunday, April 10, 2011

Disable Browser's Back Button

While building an admin panel, one must disable the browser's back button after sign-out.
This is one of the loopholes that many programmers leave behind in their code.

This loophole can be closed by disabling the back button. Place the following code in the head section; the user then cannot go back and refresh the page to get into the logged-in session again after the logout has been performed:

<head>
<title>Welcome to the Secured Admin Panel</title>
<script type="text/javascript">
// Push the browser forward again whenever this page is reached via "back".
// history.forward() takes no argument; the "javascript:" label is not needed
// inside a script block.
window.history.forward();
</script>
</head>

Under the usual architecture, all the data a user sends to the server while logged in is also kept by the browser. So even after the user logs out, anyone can press the back button to return to the login home page and press F5 to get into another session without entering the user ID and password again. This is only possible as long as the browser has not been closed in the meantime. Because of this loophole, destroying the SESSION on logout alone will not remove the risk, and simply unsetting the logged-in SESSION variable behaves exactly the same way. The point is to stop the next visitor on that browser from using the back button for that domain.

Much more is needed for a properly secured login mechanism. Each session ID has to be tracked, together with a server-side SESSION variable, so that every login is given a unique login ID; that variable is then changed on the logout action, so that even the back button followed by a refresh cannot produce a new logged-in session. In that case the user has to log in to the admin panel again by entering the required credentials from scratch.
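The history.forward() snippet only steers the browser; the server-side tracking described in the paragraph above is what actually makes a back-button-and-refresh fail. The following script is an added example and not code from the original post: it regenerates the session ID and issues a per-login token at login, sends no-store cache headers on every admin page so the browser cannot replay a logged-in page from its cache, and on logout clears the session, expires the cookie and destroys the record, so a request carrying the old ID is treated as a stranger. The function names, the token design and the sample account are this example's own assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the original post: the server-side half of
// the logout described above. The history.forward() trick only nudges the
// browser; these functions make a post-logout back button plus refresh land
// on the login form because the server no longer recognises the session.
// The function names and the per-login token are this example's own design,
// not a framework API.
declare(strict_types=1);

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');    // unknown IDs are discarded, never adopted
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'httponly' => true,
        'secure'   => false,                     // true once the panel is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Authenticated pages must not be cached: with no-store, "back" cannot
// replay a logged-in page from the browser cache without asking the server.
function sendNoCacheHeaders(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Call only after the credentials have been verified. Returns the per-login
// token the post suggests tracking, so two logins never share a session.
function loginUser(string $username): string
{
    startSecureSession();
    session_regenerate_id(true);                 // fresh ID; the pre-login record is deleted
    $token = bin2hex(random_bytes(16));
    $_SESSION = [
        'username'     => $username,
        'login_token'  => $token,
        'logged_in_at' => time(),
    ];
    return $token;
}

function logoutUser(): void
{
    startSecureSession();
    $_SESSION = [];                              // clear server-side state
    if (ini_get('session.use_cookies')) {        // expire the cookie in the browser too
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                           // remove the record from save_path
}

// Gatekeeper for every admin page. True means a live login; false means the
// caller should redirect to the login form.
function requireLogin(): bool
{
    startSecureSession();
    sendNoCacheHeaders();
    return isset($_SESSION['username'], $_SESSION['login_token']);
}

// Constructed walk-through for the CLI: login, logout, then the "back
// button and F5" request that still carries the old session ID.
function demoBackButton(): array
{
    loginUser('admin');                          // constructed sample account
    $oldId = session_id();
    $beforeLogout = requireLogin();              // true: live login
    logoutUser();

    $_SESSION = [];
    session_id($oldId);                          // stale cookie value the browser still holds
    $afterLogout = requireLogin();               // false: strict mode hands out an empty session
    return ['before_logout' => $beforeLogout, 'after_logout' => $afterLogout];
}

if (PHP_SAPI === 'cli') {
    ini_set('session.save_path', sys_get_temp_dir());   // scratch directory for the demo only
    var_dump(demoBackButton());
}
```

Every admin page calls requireLogin() before emitting output and redirects when it returns false; with that in place the JavaScript in the head section becomes a convenience for the user rather than the control the login depends on.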
