
Using PHP $_SESSION to redirect after login prevents login itself

I want users to redirect to the page they came from originally after they log in - I have seen the docs on using state etc., but I would like to know why the below doesn’t work :face_with_raised_eyebrow:

I’m using lock with login.php and a page after that called redirect.php as a redirect. This is how login looks with a session to get the page the user started on so it can be redirected later:
```php
<?php
require __DIR__ . '/vendor/autoload.php';

use Auth0\SDK\Auth0;

// Remember the page the user came from so redirect.php can send them back
session_start();
$_SESSION['redirect_url'] = $_SERVER['HTTP_REFERER'];

// [$domain and client params here]
$redirect_uri = "http://localhost:3000/auth/redirect.php";
$audience     = "";

if ($audience == '') {
    $audience = 'https://' . $domain . '/userinfo';
}

$auth0 = new Auth0([
    'domain' => $domain,
    'client_id' => $client_id,
    'client_secret' => $client_secret,
    'redirect_uri' => $redirect_uri,
    'audience' => $audience,
    'scope' => 'openid profile',
    'persist_id_token' => true,
    'persist_access_token' => true,
    'persist_refresh_token' => true,
]);

\Firebase\JWT\JWT::$leeway = 2400000;

// Send the browser to the Auth0 login page
$auth0->login();
```

This is then how redirect.php looks:

```php
<?php
session_start();
echo "Thank you, redirecting you...";
header('Location: ' . $_SESSION['redirect_url']);
?>
```

This has been correctly returning me to the original page, but the login doesn’t work - I’m still logged out, no error message, no user info dump, nothing. Is my use of $_SESSION breaking something that auth0 uses? Or is there a different issue?

The login was working fine before I instated the redirect flow (I just hardcoded the homepage as the redirect)… And I am aware of the docs talking about nonce etc but I just wanted to test with this first - surely it should work?

I’ve tried the above using $_COOKIE also, and it has the exact same issue - I call the header(location) in the redirect PHP script and it correctly redirects to the origin page but with no login session even though this is post login…

Why is the login breaking when using these methods?

My login file:
```php
<?php
require __DIR__ . '/vendor/autoload.php';

use Auth0\SDK\Auth0;

// Remember the page the user came from in a 30-day cookie
setcookie('redirect_url', $_SERVER['HTTP_REFERER'], time() + (86400 * 30), "/");

// my domain, token etc.
$redirect_uri = "http://localhost:3000/auth/redirect.php";
$audience     = "";

if ($audience == '') {
    $audience = 'https://' . $domain . '/userinfo';
}

$auth0 = new Auth0([
    'domain' => $domain,
    'client_id' => $client_id,
    'client_secret' => $client_secret,
    'redirect_uri' => $redirect_uri,
    'audience' => $audience,
    'scope' => 'openid profile',
    'persist_id_token' => true,
    'persist_access_token' => true,
    'persist_refresh_token' => true,
]);

\Firebase\JWT\JWT::$leeway = 2400000;

// Send the browser to the Auth0 login page
$auth0->login();
```

My redirect page:

```php
<?php

echo "Thank you for using us, redirecting you...";
$redirect = $_COOKIE['redirect_url'];
header('Location: ' . $redirect);

?>
```

What is the issue here? Please help
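
Added example, not part of the original post and not Auth0 SDK code: both redirect scripts above put whatever was saved from `$_SERVER['HTTP_REFERER']` straight into the `Location` header, and that value is supplied by the browser. The hypothetical helper `safe_return_path()` reduces the saved value to a path on one allowed host before it is used; the host `localhost` and the sample inputs are constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not from the original post or the Auth0 SDK.
declare(strict_types=1);

/** Reduce a saved "return to" URL to a path on $allowedHost, else $fallback. */
function safe_return_path(?string $candidate, string $allowedHost, string $fallback = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;                       // no Referer was sent
    }
    // Control characters (header splitting) and backslashes are never valid here.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate) === 1) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $fallback;
    }
    if (isset($parts['host'])) {
        // Absolute or scheme-relative URL: require http(s) and an exact host match.
        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)
            || strcasecmp($parts['host'], $allowedHost) !== 0) {
            return $fallback;
        }
    } elseif (isset($parts['scheme'])) {
        return $fallback;                       // javascript:, data:, mailto: ...
    }
    $path = $parts['path'] ?? '/';
    // Only a rooted path is emitted; "//host" would be read as another origin.
    if ($path === '' || $path[0] !== '/' || strncmp($path, '//', 2) === 0) {
        return $fallback;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Constructed sample values standing in for $_SESSION['redirect_url'].
$samples = [
    'http://localhost:3000/products.php?id=7',
    '/account',
    'https://evil.example/phish',
    '//evil.example/phish',
    'javascript:alert(1)',
    null,
];
foreach ($samples as $s) {
    printf("%-42s => %s\n", var_export($s, true), safe_return_path($s, 'localhost'));
}
// In redirect.php: header('Location: ' . safe_return_path($_SESSION['redirect_url'] ?? null, 'localhost')); exit;
```

The helper does not compare the port, so add a check on `$parts['port']` if other services share the same host name.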