Session data disappearing

Posted: Wed Jan 19, 2011 4:11 am
by billyq
Could be a fun one this, chaps, so I'll start from the beginning.

I'm developing a website that is hosted using XAMPP on a local network. As the server's name contains an underscore and IE6 (which all of our users use, unfortunately) hates underscores and won't accept cookies from a website whose address contains one, I'm resorting to using sessions with trans SIDs (http://blahblahblah.com/index.php?PHPSESSID=xxxxxxxxx).

To do this, in my header include I have the following code:

Code:

define('USE_TRANS_SESSION', true);

if (USE_TRANS_SESSION == true)
{
    ini_set("session.use_trans_sid", "1");
    ini_set("session.use_cookies", "0");
    ini_set("session.gc_maxlifetime", "2592000");
} else {
    ini_set("session.use_trans_sid", "false");
    ini_set("session.use_cookies", "true");
    ini_set("session.gc_maxlifetime", "2592000");
}

And then my 'doLogin.php' file contains the following:

Code:

$_SESSION['username'] = $row['userName'];
$_SESSION['eNumber'] = $row['eNumber'];
$_SESSION['userClassName'] = $row['userClassName'];
logEvent($username, "Successful login");

//Code to stop people from using the same session ID from multiple PCs
$dbConn->query("DELETE FROM loggedinusers WHERE eNumber = '" . $row['eNumber'] . "'");
$dbConn->query("INSERT INTO loggedinusers (eNumber, lastLoginDate, lastIP) VALUES ('" . $row['eNumber'] . "', '" . date("Y-m-d H:i:s") . "', '" . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . "')");

session_write_close();

//Redirect user - please note that I have tried using $sessionid = session_id() before the session is closed and using this variable in the next line with no joy

header("Location: /blah/index.php?PHPSESSID=" . session_id());
header("Connection: close");
die();

In the authUser.php file, I do the following:

Code:

$row = $loginDBConn->getNextAssocRow();

$rowCount = $loginDBConn->queryAssoc("SELECT * FROM loggedinusers WHERE eNumber = '" . $_SESSION['eNumber'] . "' LIMIT 1");
if ($rowCount == 0)
{
    $loginFail = true;
}
if ($row['lastIP'] != $_SERVER['REMOTE_ADDR'])
{
    $loginFail = true;
}

if ($loginFail == true)
{
    session_destroy();
    header("Location: /blah/login.php");
    die();
}

Here's the fun part -- it appears that the session ID is transferred to index.php (which in turn includes header.php, which in turn includes authUser.php) but the session variable is an array with zero elements.

Am I doing something wrong or is this PHP misbehaving?

Any help appreciated, I'm tearing my hair out over this one!

EDIT: Strange thing happening - if I check (using Google Chrome's developer tools) what was passed to index.php after the doLogin.php script has run, I see that it has passed the session ID: http://blah/blah/index.php?PHPSESSID=sq ... 97t6qf1rr6

If I then copy and paste that entire URL into my browser, it works and the site runs as it should after I've logged in. If I log out and then back in, it goes back to square one. Very frustrating!

EDIT 2: Although I am using session_write_close(), I thought that it may be a good idea to utilise a bit of JavaScript in doLogin.php that redirects the user after three seconds (in case the session data wasn't being written quickly enough). Still no joy -- same situation as above.

EDIT 3: Eureka! Sort of... the footer of my page uses ob_get_contents and then ob_end_clean to rewrite the URL so that the images are referred to absolutely rather than relatively. However, this breaks PHP's rewriting of the URL so that the session ID is on the end. Any ideas on how to get around this?
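
Added example, not part of the original posts: the login binding from doLogin.php and the check from authUser.php, written with bound parameters and failing closed when the session array comes back empty. PDO with in-memory SQLite stands in for the poster's $dbConn wrapper (whose API is not shown); the function names, schema types and sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: PDO replaces the poster's $dbConn wrapper, whose API is not shown.
// Table and column names come from the post; the column types are constructed.

/** Record the address a user logged in from, replacing any earlier binding. */
function recordLogin(PDO $db, string $eNumber, string $ip): void
{
    $db->beginTransaction();
    $del = $db->prepare('DELETE FROM loggedinusers WHERE eNumber = :e');
    $del->execute([':e' => $eNumber]);
    $ins = $db->prepare(
        'INSERT INTO loggedinusers (eNumber, lastLoginDate, lastIP)
         VALUES (:e, :d, :ip)'
    );
    $ins->execute([':e' => $eNumber, ':d' => date('Y-m-d H:i:s'), ':ip' => $ip]);
    $db->commit();
}

/** True only if a binding exists for this user and matches the current address. */
function sessionMatchesClient(PDO $db, ?string $eNumber, string $ip): bool
{
    if ($eNumber === null || $eNumber === '') {
        return false;               // empty $_SESSION: fail closed, skip the query
    }
    $q = $db->prepare('SELECT lastIP FROM loggedinusers WHERE eNumber = :e LIMIT 1');
    $q->execute([':e' => $eNumber]);
    $lastIp = $q->fetchColumn();    // false when no row exists
    return $lastIp !== false && $lastIp === $ip;
}

// Constructed demo data: in-memory SQLite so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE loggedinusers (eNumber TEXT PRIMARY KEY, lastLoginDate TEXT, lastIP TEXT)');

recordLogin($db, 'E1001', '192.0.2.10');
recordLogin($db, "O'Neil-7", '192.0.2.20');   // a quote in the value is stored as data

var_dump(sessionMatchesClient($db, 'E1001', '192.0.2.10'));    // same PC as login
var_dump(sessionMatchesClient($db, 'E1001', '192.0.2.99'));    // different PC
var_dump(sessionMatchesClient($db, "O'Neil-7", '192.0.2.20')); // quoted value, same PC
var_dump(sessionMatchesClient($db, null, '192.0.2.10'));       // session data missing
```

In a real login handler, calling session_regenerate_id(true) before recordLogin() issues a fresh ID at the privilege change, which matters more when the ID travels in the URL and can end up in logs, browser history and Referer headers.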

Re: Session data disappearing

Posted: Thu Jan 20, 2011 4:59 am
by billyq
Thought I'd return and give the answer to my own question in case someone has the exact same problem and stumbles on to this thread.

It turns out that if you clean the output buffer with trans_sid turned on, PHP doesn't work its magic by appending the session id to all links, forms, etc. However, with a little jiggery-pokery you can actually use the output buffer AND have PHP do its session url rewriting. Code example below:

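Code:

function fixImagesAndTitle($outputBuffer)
{
    // $pageTitle is set by the including page; without "global" it is
    // undefined inside the callback and the title is always the default
    global $pageTitle;

    // Make relative image paths absolute
    $outputBuffer = str_replace("<img src=\"", "<img src=\"/blah/", $outputBuffer);

    if ($pageTitle != "")
    {
        $pageTitle = "My Web Page - " . $pageTitle;
    } else {
        $pageTitle = "My Web Page";
    }

    $outputBuffer = str_replace("<!--PAGETITLE-->", $pageTitle, $outputBuffer);

    return($outputBuffer);
}

//Rewrite output to fix links and title
//The callback name is passed as a string; a bare fixImagesAndTitle is an undefined constant
ob_start('fixImagesAndTitle');

And that's it - once your page is ready to output to the browser, the function will run and the links will be sessionified.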

Hope this helps someone.