Auto-login, NTLM header seems to erase $_SESSION on redirect

I'm trying to create an auto login script. The computers are using IE8 on XP. The code successfully retrieves the user's Windows username and places it into a session, but once redirect is complete, the session is wiped clean.

In index.php:

session_start();
if (!isset($_SERVER["AUTH_USER"]) || $_SERVER["AUTH_USER"] == '') {
      header('WWW-Authenticate: NTLM', false);
      exit;
}

# Extract username
$user = explode('\\',$_SERVER["AUTH_USER"]);
$_SESSION['username'] = strtolower($user[1]);
print_r($_SESSION); // Success!
header("Location: index2.php");

In index2.php:

session_start();
print_r($_SESSION); // Fail. array()

The key problem seems to be the header part because during testing, I've removed it and put in a dummy username and it successfully passes to the next page. I need the header though, because it is needed to do the NTLM authentication (i.e. put the AUTH_USER details in the $_SERVER array).

EDIT I turned off anonymous authentication in IIS, then removed the header part and all worked. However, this creates loads of other problems.


I'd like to confirm the question posted and answered by Paul for anyone who gets stuck on this like I did.

I have multiple web sites running under IIS using PHP. Works great. Then I added a site that uses NTLM authenticated security (i.e. Windows Login). The session built on page 1 was not being carried forward to page 2. I dumped the $_SERVER settings, played with the INI file, all to no avail. I broke the application down to the bare bones basics like Paul and confirmed that it only happens when prompting for the authentication.

To reproduce, start a new browser window, log in to page 1 using Windows authentication - do not click save password, click a link to go to page 2 - no session variable. Close the browser and start again (to reset the authentication). This time remove the authentication stuff from page 1 before surfing. Go to page 2 and the session is there.

Turning off "Enable anonymous access" in the "Directory Security/Authentication and access control" property settings of my web site solved the problem.

Thanks Paul.


Add session_set_cookie_params(0) prior to starting the session. IE8 has a problem handling non-persistent cookies.
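
An index.php for the setup the asker's EDIT and the second answer arrive at (anonymous access disabled, no hand-sent NTLM header), with the cookie call from the last answer. This is an added example, not code from the thread; the helper name windows_account_name and its allowed-character set are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumes anonymous access is
// disabled for the site in IIS, so IIS performs the NTLM handshake itself and
// AUTH_USER is already populated when PHP runs.

// Hypothetical helper: returns the lowercase account name from DOMAIN\user,
// or null when the value is missing or not in that form.
function windows_account_name($authUser)
{
    // Exactly one DOMAIN\ prefix, then a conservative account-name alphabet.
    // The character class is an assumption; adjust it to your naming policy.
    $pattern = '#^[^\\\\/@]+\\\\([A-Za-z0-9._$-]{1,64})$#D';
    if (!is_string($authUser) || !preg_match($pattern, $authUser, $m)) {
        return null; // the original $user[1] would raise a notice here
    }
    return strtolower($m[1]);
}

$raw = isset($_SERVER['AUTH_USER']) ? $_SERVER['AUTH_USER'] : '';
$account = windows_account_name($raw);

if ($account === null) {
    // Fail closed: no session is created for an unauthenticated request.
    header('HTTP/1.1 403 Forbidden');
    exit('Windows authentication required.');
}

// Session cookie with lifetime 0 (as suggested in the last answer), HttpOnly,
// and Secure whenever the request arrived over HTTPS.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params(0, '/', '', $https, true);
session_start();

// Issue a fresh session ID once the identity is known, so an ID that existed
// before authentication is never bound to the Windows account.
session_regenerate_id(true);
$_SESSION['username'] = $account;

// Write the session to storage before redirecting, then stop the script so
// nothing after the Location header runs.
session_write_close();
header('Location: index2.php');
exit;
```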
