Why does $session->login() require $session->redirect()?


thetuningspoon

Recommended Posts

We're working on building a front end login form and the programmer I'm working with discovered that after the form is submitted and the post values are used to log the user in with $session->login(), $user->isLoggedin() still returns false until after the page is physically reloaded, changed, or $session->redirect() is used in the code. Maybe it's just late and I'm not thinking straight, but what is the reason for this?


The reason could be that, at the point when you use $session->login() (in your template file?), the variable $user is already populated. And it can't be changed automagically when you make a call to $session->login().

You may use something like:

    $u = $session->login($username, $pass);  // try to log in a user
    if($u) {                                 // if login was successful, $u holds a user object
        $user = $u;                          // repopulate the $user variable with the new user
    }

    // .. and then the rest of your code:
    if($user->isLoggedIn()) {
        // ...
    }

My idea (and don't take my word for it) is:

The session needs to be re-initialized and the credentials used must be set in order to generate other dependencies like the $user object.

I took a look at the method in the $session class and you can see that a cookie is generated and some other things are set.

Code for reference: https://github.com/ryancramerdesign/ProcessWire/blob/03387f8283d518e9cc405eff8f05cd6a5bf77c4c/wire/core/Session.php#L257

public function ___login($name, $pass) {

	if(!$this->allowLogin($name)) return null;

	$name = $this->fuel('sanitizer')->username($name); 
	$user = $this->fuel('users')->get("name=$name"); 

	if($user->id && $this->authenticate($user, $pass)) { 

		$this->trackChange('login'); 
		session_regenerate_id(true);
		$this->set('_user_id', $user->id); 
		$this->set('_user_ts', time());

		if($this->config->sessionChallenge) {
			// create new challenge
			$challenge = md5(mt_rand() . $this->get('_user_id') . microtime()); 
			$this->set('_user_challenge', $challenge); 
			// set challenge cookie to last 30 days (should be longer than any session would feasibly last)
			setcookie(session_name() . '_challenge', $challenge, time()+60*60*24*30, '/', null, false, true); 
		}

		if($this->config->sessionFingerprint) {
			// remember a fingerprint that tracks the user's IP and user agent
			$this->set('_user_fingerprint', $this->getIP(true) . $_SERVER['HTTP_USER_AGENT']); 
		}

		$this->setFuel('user', $user); 
		$this->get('CSRF')->resetToken();

		return $user; 
	}

	return null; 
}

Both guys here are correct. The session needs to be regenerated with a new session ID and some new cookies need to be set, etc. Redirecting after successful login ensures you are dealing with the new and authenticated session and $user, ready to work with. 

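Putting the two replies above together, here is an added example (not code from this thread and not ProcessWire's own source) of a front-end login template that uses $session->login() and $session->redirect() in the way described: validate the CSRF token, attempt the login, and on success end the request with a redirect so the next request arrives on the regenerated session with $user populated. The form field names username and pass, the redirect target, the use of the CSRF helper and the 302 flag are assumptions made for this illustration.

```php
<?php
// Added example for a ProcessWire template file (not from the thread or the project).
// Assumed: form fields 'username' and 'pass', redirect to the home page after login.

$error = '';

if($input->post->username !== null) {

    // Check the anti-forgery token first. login() resets the CSRF token on success
    // (see resetToken() in the excerpt above), so validating afterwards would fail.
    // validate() throws a WireCSRFException if the token is missing or wrong.
    $session->CSRF->validate();

    // Sanitize the username the same way login() does; never "sanitize" the password.
    $name = $sanitizer->username($input->post->username);
    $pass = $input->post->pass;

    $u = $session->login($name, $pass);  // returns a User on success, null otherwise

    if($u) {
        // Within this request the pre-populated $user API variable is still the guest;
        // if you must render something as the new user right now, use $u (or $user = $u).
        //
        // login() already called session_regenerate_id(true) and set new cookies, but
        // the browser only presents the new session ID on its next request. Redirecting
        // ends this request, so the follow-up GET runs as the authenticated session with
        // $user populated, and a browser reload cannot re-POST the credentials.
        // The second argument (false) sends a 302 rather than a cacheable 301.
        $session->redirect($pages->get('/')->url, false);
    }

    // Same message for unknown user and wrong password: do not leak which one it was.
    $error = 'Login failed.';
}
?>

<?php if($user->isLoggedin()): ?>
    <p>Logged in as <?php echo htmlspecialchars($user->name, ENT_QUOTES, 'UTF-8'); ?></p>
<?php else: ?>
    <?php if($error): ?><p class="error"><?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?></p><?php endif; ?>
    <form method="post" action="<?php echo $page->url; ?>">
        <label>Username <input type="text" name="username" autocomplete="username"></label>
        <label>Password <input type="password" name="pass" autocomplete="current-password"></label>
        <?php echo $session->CSRF->renderInput(); // hidden token field ?>
        <button type="submit">Log in</button>
    </form>
<?php endif; ?>
```

Because the redirect is unconditional on success, none of the code after $session->login() ever has to reason about a half-updated $user; the only request that renders the logged-in view is the one that already carries the regenerated session cookie.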
