oAuth flow interruption


#1

I have been using Abraham Williams’ oAuth lib for nearly 3 years, with no problem. I am writing a new app, and for oAuth, I essentially copied the code I’ve been using all along. It’s no longer working (it keeps bouncing me back to my application). Following is part of my code:

if (isset($_REQUEST['oauth_token'])){
  if (isset($_REQUEST['oauth_token']) && $_SESSION['oauth_token'] !== $_REQUEST['oauth_token']) {
    $_SESSION['oauth_status'] = 'oldtoken';
      session_start();
      session_destroy();
      if ($connection) {
          unset ($connection);
      }
      print "<script>self.location='http://mywebsite.com';</script>";
  } 
  $connection = new TwitterOAuth(CONSUMER_KEY, CONSUMER_SECRET, $_SESSION['oauth_token'], $_SESSION['oauth_token_secret']);
  $access_token = $connection->getAccessToken($_REQUEST['oauth_verifier']);
  $_SESSION['access_token'] = $access_token;
  unset($_SESSION['oauth_token']);
  unset($_SESSION['oauth_token_secret']);
  /* If HTTP response is 200 continue otherwise send to connect page to retry */
  if (200 == $connection->http_code) {
    /* The user has been verified and the access tokens can be saved for future use */
    $_SESSION['status'] = 'verified';
  } else {
    /* Save HTTP status for error dialog on connnect page.*/
    if ($_SESSION) {
      session_start ();
      session_destroy ();  
    }    
  }  
  print "<script>self.location='http://mywebsite.com';</script>";
}

$connection = new TwitterOAuth(CONSUMER_KEY, CONSUMER_SECRET);
$request_token = $connection->getRequestToken(OAUTH_CALLBACK);

$_SESSION['oauth_token'] = $token = $request_token['oauth_token'];
$_SESSION['oauth_token_secret'] = $request_token['oauth_token_secret'];
switch ($connection->http_code) {
  case 200:
    $url = $connection->getAuthorizeURL($token);
    print "<script>self.location='$url';</script>";
    break;
  default:
    echo 'Could not connect to Twitter';
    return;
}

After doing some digging, I found out that while the redirect happens properly, only the $_REQUEST is making it through, but the $_SESSION is not. So, I am bounced back to my app, because the if statement on line 3 will return a false, as the $_SESSION is no longer there.

Did anything change in the way the redirect is done?

Additional information:

If I print out the $connection object (that I get after line 30), I get the following:

TwitterOAuth Object
(
    [http_code] => 200
    [url] => https://api.twitter.com/oauth/request_token?oauth_callback=http%3A%2F%2F270acme.us%2Ftwitter%2F&oauth_consumer_key=xxxxxxxxxxx&oauth_nonce=xxxxxxxxxxx&oauth_signature=xxxxxxxxxxx&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1346100612&oauth_version=1.0
    [host] => https://api.twitter.com/1/
    [timeout] => 30
    [connecttimeout] => 30
    [ssl_verifypeer] => 
    [format] => json
    [decode_json] => 1
    [http_info] => Array
        (
            [url] => https://api.twitter.com/oauth/request_token?oauth_callback=http%3A%2F%2F270acme.us%2Ftwitter%2F&oauth_consumer_key=xxxxxxxxxxx&oauth_nonce=xxxxxxxxxxx&oauth_signature=xxxxxxxxxxx&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1346100612&oauth_version=1.0
            [content_type] => text/html; charset=utf-8
            [http_code] => 200
            [header_size] => 1030
            [request_size] => 380
            [filetime] => -1
            [ssl_verify_result] => 0
            [redirect_count] => 0
            [total_time] => 0.413556
            [namelookup_time] => 0.0015
            [connect_time] => 0.090786
            [pretransfer_time] => 0.282416
            [size_upload] => 0
            [size_download] => 146
            [speed_download] => 353
            [speed_upload] => 0
            [download_content_length] => 146
            [upload_content_length] => 0
            [starttransfer_time] => 0.413388
            [redirect_time] => 0
        )

    [useragent] => TwitterOAuth v0.2.0-beta2
    [sha1_method] => OAuthSignatureMethod_HMAC_SHA1 Object
        (
        )

    [consumer] => OAuthConsumer Object
        (
            [key] => xxxxxxxxxxx
            [secret] => xxxxxxxxxxx
            [callback_url] => 
        )

    [token] => OAuthConsumer Object
        (
            [key] => xxxxxxxxxxx
            [secret] => xxxxxxxxxxx
            [callback_url] => 
        )

    [http_header] => Array
        (
            [date] => Mon, 27 Aug 2012 20:50:12 GMT
            [status] => 200 OK
            [etag] => "xxxxxxxxxxxxxxxx"
            [x_runtime] => 0.02192
            [x_frame_options] => SAMEORIGIN
            [expires] => Tue, 31 Mar 1981 05:00:00 GMT
            [last_modified] => Mon, 27 Aug 2012 20:50:12 GMT
            [x_mid] => xxxxxxxxxxxxxxxx
            [pragma] => no-cache
            [cache_control] => no-cache, no-store, must-revalidate, pre-check=0, post-check=0
            [content_type] => text/html; charset=utf-8
            [x_transaction] => 95b96b3dc4dcac67
            [content_length] => 146
            [set_cookie] => _twitter_sess=xxxxxxxxxxx; domain=.twitter.com; path=/; HttpOnly
            [vary] => Accept-Encoding
            [server] => tfe
        )
)