Session Replication

Crashin
Forum Contributor
Posts: 223
Joined: Mon May 06, 2002 3:42 pm
Location: Colorado

Post by Crashin »

Ugh...in the spirit of being as security conscious as possible, I'm switching one of my client's sites over to strictly having register_globals turned off. Eventually, they'll be migrating to a server where this is true. May as well be prepared.

So, my sessions are killing me on this!!! I used to use session_register to register my session vars, but as we all know this is a no-no with register_globals turned off.

So, I've switched over to using the $_SESSION array. Here's the glitch. I've got the following to register my user upon login:

Code:

<?php
session_start();

include "../functions/includes.php";

if((isset($_POST['user_name'])) && (isset($_POST['passwd']))) {
	
	//if the user has just tried to log in
	db_connect() or die('Cannot connect to the database!');
	
	//escape the posted values before they go into the SQL string
	$user_name = mysql_real_escape_string($_POST['user_name']);
	$passwd = mysql_real_escape_string($_POST['passwd']);
	$query = "SELECT * FROM user WHERE user_name='" . $user_name . "' AND passwd=PASSWORD('" . $passwd . "')";
	$result = mysql_query($query);
	if(mysql_num_rows($result) > 0) {
		//they are in the database - register the user name
		$_SESSION['valid_user'] = $_POST['user_name'];
	}
}
?>
This starts a new session, which I can clearly see shows up in my session.save_path folder (yep, it exists). I click on a link from this page to go to the next page and the problem occurs.

Code:

<?php
session_start();

/* More code here */

if (isset($_SESSION['valid_user'])) {
     // do stuff
}
else {?>
	<p class="body">You are not currently logged in.</p>
	<p class="body">Click <a class="bold" href="../">here</a> to log-in.</p>
	
	</td>
	</tr>
	</table>
	</td>
	</table><?php
}
?>
The next page creates another session (!!??), which I can see in the session.save_path folder. On this page I check for the existence of $_SESSION['valid_user'] and receive false, presumably because the session that this page just created did not have anything registered to it.

I have a link displayed to go back to the log on page if the user ends up here without logging on first. So, when I log-on again...VOILA! I am registered correctly and can go where I please on my session-restricted pages.

To summarize my problem: Why isn't page #2 recognizing that there's already a session initiated, and instead creating a new session?

Any advice? My phpinfo for sessions follows:

Code:

Session Support            enabled
Registered save handlers   files user

Directive                  Local Value          Master Value
session.auto_start         Off                  Off
session.bug_compat_42      Off                  Off
session.bug_compat_warn    On                   On
session.cache_expire       180                  180
session.cache_limiter      nocache              nocache
session.cookie_domain      no value             no value
session.cookie_lifetime    0                    0
session.cookie_path        /                    /
session.cookie_secure      Off                  Off
session.entropy_file       no value             no value
session.entropy_length     0                    0
session.gc_divisor         1000                 1000
session.gc_maxlifetime     1440                 1440
session.gc_probability     1                    1
session.name               PHPSESSID            PHPSESSID
session.referer_check      no value             no value
session.save_handler       files                files
session.save_path          C:\PHP\sessiondata   C:\PHP\sessiondata
session.serialize_handler  php                  php
session.use_cookies        On                   On
session.use_only_cookies   Off                  Off
session.use_trans_sid      Off                  Off

Post by Crashin »

Bumpety...bump...bump...
Bumpety...bump...bump...
Look at that topic go...
hedge
Forum Contributor
Posts: 234
Joined: Fri Aug 30, 2002 10:19 am
Location: Calgary, AB, Canada

Post by hedge »

How are you getting from the first page to the second... using header, I am guessing. If so, are you appending the SID to the URL?

Post by Crashin »

No, not using header. I'm providing a form on the 1st page (log-on) that calls itself on submit to verify the log-on u/n and p/w. If log-on is successful, a menu is displayed from which the EU can go forth during the session. The second page is accessed by clicking a menu item.

I'm using session cookies (i.e. session.use_cookies On), as opposed to passing the SID via the GET method.

Post by Crashin »

Awww, might as well bump.
BUMP!
Go ahead and bu-ump!
Yeah, yeah, bump.
BUMP!
Might as we-ell bu-ump! 8)
DuFF
Forum Contributor
Posts: 495
Joined: Tue Jun 24, 2003 7:49 pm
Location: USA

Post by DuFF »

Wow, this one's got me completely stumped. The only thing I can think of is on the first page add this and see what it outputs:

Code:

<?php
   if(mysql_num_rows($result) > 0) {
      //they are in the database - register the user name
      $_SESSION['valid_user'] = $_POST['user_name'];
      //escape the value before echoing it back into the page
      echo "Username = " . htmlspecialchars($_SESSION['valid_user']);
   } 
?>
Just a thought . . .

Post by Crashin »

Hey Duff...thanks for the tip! I've already got that in there, although it's not displayed:

Code:

/* More code here */ 

if (isset($_SESSION['valid_user'])) { 
     // do stuff 
} 
else {?>
The "do stuff" displays to the user a message that they're logged-in and the user name that they're logged-in as (i.e. $_SESSION['valid_user']). So, we know that the session is registered because of the check. But, page 2 isn't recognizing the original session. Weird. :?

Post by DuFF »

Hmm, I found 2 things during my google search:
This seems to be a popular question these days, and I know it has something to do with making the page - no cache. But I can't locate the actual code for that at the moment.
I don't know anything about cache though, but you could try this. Possibly try header("Cache-control: private"); right below session_start()?
session variables are not set until the entire php document has been parsed.

I ran into a more subtle variation on this, which mystified me for ages. Take this code:

<?
session_start();
session_register("my_variable");
$my_variable="Hello world";
header("Location: next.php");
exit;
?>

The session variable will never be set. Why? Because the browser is redirected before the end of the script has been parsed. If you've ever wondered why bulletin boards usually display a "Your message has been sent" page before redirecting with a <meta> refresh... that's the reason.
Not sure if this applies to you but it's possible. Hope one of these works.

Post by Crashin »

Thanks for the tips. I'll give them a try and get back to the forum with the results.
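
A way to see which of the usual causes applies when a second page starts a fresh session, as the first post describes. This is an added example, not code from any poster in this thread; session_diagnose() is a hypothetical helper, assumed to replace the bare session_start() call at the top of both pages.

```php
<?php
// Added example, not code from the thread. session_diagnose() is a
// hypothetical helper; call it instead of the bare session_start().

function session_diagnose()
{
    $name   = session_name();   // PHPSESSID in the phpinfo output above
    $sentId = isset($_COOKIE[$name]) ? $_COOKIE[$name] : null;

    // Output sent before session_start() (an echo, whitespace or a BOM in
    // an include) stops PHP from emitting Set-Cookie, so the browser never
    // learns the id and every page starts a fresh session.
    $file  = '';
    $line  = 0;
    $early = headers_sent($file, $line);

    session_start();
    $id = session_id();

    return array(
        'uri'             => isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : null,
        'cookie_received' => $sentId !== null,
        'resumed'         => $sentId !== null && $sentId === $id,
        'output_began_at' => $early ? $file . ':' . $line : null,
        'cookie_params'   => session_get_cookie_params(),
        'has_valid_user'  => isset($_SESSION['valid_user']),
        // The session id is a credential: log a short digest, never the id,
        // so two requests can be compared without exposing it.
        'id_digest'       => substr(hash('sha256', $id), 0, 8),
    );
}

// Write to the server error log rather than the page, so the check itself
// does not send output early. json_encode() keeps each entry on one line.
error_log('session check: ' . json_encode(session_diagnose()));
```

If cookie_received is false on the second page, the browser never stored the cookie or is not sending it for that URL, so compare cookie_params and output_began_at from the log-in request. If cookie_received is true but has_valid_user is false, the id came back and its data was not found on the server.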