session_status() issue on first connection

I have a website where people can create an account and then log in to their account.

When I check the login inputs (email and password), I use a file called control_login.php. Here is its code:

// -> some DB calls checking whether the user exists or not...
if(isset($user->email) && password_verify($_POST['password_login'],$user -> password)){
    session_start();
    $_SESSION['auth'] = $user;
    $user_id = $_SESSION['auth']->id;
    echo "Loading your profile...";
    header("Refresh:2 ; url=http://www.someurl.com/account.php?id=$user_id");
    exit();
} 
else{     
    $errors_login['danger'] = "We couldn't find any account. Please try again";
}

If everything is fine, I start a session and redirect to account.php. If not, I display an error message.

This account.php file includes a specific function called logged_only() that starts a session when everything is fine or denies access if there is no session. Here is its code:

function logged_only(){
    if(session_status() == PHP_SESSION_NONE){ 
        session_start();
    } 
    if(!isset($_SESSION['auth'])){
        echo 'Access denied';
        header('Refresh:2 ; url=http://www.someurl.com');
        exit();
    }
}

Here is my issue: everything is working fine locally. In real life (i.e. when using the website URL), everything is working fine when using Internet Explorer. But I have the following issue when using Chrome or Firefox:

  1. I open a browser, go to my website and log in for the first time
  2. I get "Loading your profile" from control_login.php meaning it found the user
  3. When arriving on account.php, I get the following 'Access denied' from my logged_only() function.
  4. I am redirected to the main page
  5. I log in for the second time
  6. I can connect to my profile properly :( ...
  7. There won't be any problem logging in as long as I don't close the browser.

I am kind of lost... Where is the problem coming from?

Thank you for your help!

Note: I don't use cookies at all for the present time.

I found the error:

It was all about the URL.

If you first connected to the website by typing someurl.com instead of www.someurl.com, it was failing and then automatically redirected to www.someurl.com due to logged_only().

So it won't fail only if the www is present when submitting the user's information...

So, for those who need that, here is the way to change any non-www URL to a www-based URL. All you need is to update your .htaccess as follows:

# The rewrite engine must be on for the rules below to apply
RewriteEngine On
# Redirect non-www to www:
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

This way, all URLs will have the www!
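
The failure above follows from PHP's session cookie being bound to the host that set it: a session started on someurl.com is not sent by Chrome or Firefox to www.someurl.com. As an added example (not the poster's code), here is one way to enforce a single host in PHP before the session starts; `CANONICAL_HOST`, `canonical_redirect_target()` and `start_site_session()` are hypothetical names, and PHP 7.3+ is assumed for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example, not the poster's code. PHP 7.3+ assumed.
// CANONICAL_HOST and both function names are hypothetical.
const CANONICAL_HOST = 'www.someurl.com'; // host used in the post

// Returns the URL to redirect to, or null if the host is already canonical.
function canonical_redirect_target(string $host, string $uri): ?string
{
    // Drop an optional port and compare case-insensitively.
    $host = strtolower(preg_replace('/:\d+$/', '', $host));
    if ($host === CANONICAL_HOST) {
        return null;
    }
    // Build the target from the constant, not from the client-supplied
    // Host header, and collapse leading slashes in the path.
    return 'http://' . CANONICAL_HOST . '/' . ltrim($uri, '/');
}

// Call at the top of every page, including the login form and control_login.php.
function start_site_session(): void
{
    $target = canonical_redirect_target(
        $_SERVER['HTTP_HOST'] ?? '',
        $_SERVER['REQUEST_URI'] ?? '/'
    );
    if ($target !== null) {
        // Redirect before any session cookie is issued for the wrong host.
        header('Location: ' . $target, true, 301);
        exit();
    }
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'lifetime' => 0,      // session cookie, gone when the browser closes
            'path'     => '/',
            'domain'   => '',     // host-only: sent to www.someurl.com and nothing else
            'secure'   => false,  // switch to true once the site is served over HTTPS
            'httponly' => true,   // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// In control_login.php, after password_verify() succeeds:
//     start_site_session();
//     session_regenerate_id(true); // new session ID at login (anti-fixation)
//     $_SESSION['auth'] = $user;
```

Browsers replay a 301 as a GET, so a login POST sent to the bare domain loses its body; calling `start_site_session()` on the page that renders the login form keeps the form, the POST and the session cookie on the same host.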