Page 1 of 1

Session Replication

Posted: Thu Dec 18, 2003 4:50 pm
by Crashin
Ugh...in the spirit of being a security concious as possible, I'm switching one of my client's sites over to strictly having register_globals turned off. Eventually, they'll be migrating to a server where this is true. May as well be prepared.

So, my sessions are killing me on this!!! I used to use session_register to register my session vars, but as we all know this is a no-no with register_globals turned off.

So, I've switched over to using the $_SESSION array. Here's the glitch. I've got the following to register my user upon login:

Code: Select all

<?php
session_start();

include "../functions/includes.php";

if((isset($_POST['user_name'])) && (isset($_POST['passwd']))) {
	
	//if the user has just tried to log in
	db_connect() or die('Cannot connect to the database!');
	
	$query = "SELECT * FROM user WHERE user_name='" . $_POST['user_name'] . "' AND passwd=PASSWORD('" . $_POST['passwd'] . "')";
	$result = mysql_query($query);
	if(mysql_num_rows($result) > 0) {
		//they are in the database - register the user name
		$_SESSION['valid_user'] = $_POST['user_name'];
	}
}
?>
This starts a new session, which I can clearly see shows up in my session.save_path folder (yep, it exists). I click on a link from this page to go to the next page and the problem occurs.

Code: Select all

<?php
session_start();

/* More code here */

if (isset($_SESSION['valid_user'])) {
     // do stuff
}
else {?>
	<p class="body">You are not currently logged in.</p>
	<p class="body">Click <a class="bold" href="../">here</a></strong> to log-in.</p>
	
	</td>
	</tr>
	</table>
	</td>
	</table><?php
}
?>
The next page creates another session (!!??), which I can see in the session.save_path folder. On this page I check for the existence of $_SESSION['valid_user'] and receive false, presumably because the session that this page just created did not have anything registered to it.

I have a link displayed to go back to the log on page if the user ends up here without logging on first. So, when I log-on again...VOILA! I am registered correctly and can go where I please on my session-restricted pages.

To summarize my problem: Why isn't page #2 recognizing that there's already a session initiated, and instead creating a new session?

Any advice? My phpinfo for sessions follows:

Code: Select all

Session Support  enabled  
Registered save handlers  files user  

Directive Local Value Master Value 
session.auto_start Off Off 
session.bug_compat_42 Off Off 
session.bug_compat_warn On On 
session.cache_expire 180 180 
session.cache_limiter nocache nocache 
session.cookie_domain no value no value 
session.cookie_lifetime 0 0 
session.cookie_path / / 
session.cookie_secure Off Off 
session.entropy_file no value no value 
session.entropy_length 0 0 
session.gc_divisor 1000 1000 
session.gc_maxlifetime 1440 1440 
session.gc_probability 1 1 
session.name PHPSESSID PHPSESSID 
session.referer_check no value no value 
session.save_handler files files 
session.save_path C:\PHP\sessiondata C:\PHP\sessiondata 
session.serialize_handler php php 
session.use_cookies On On 
session.use_only_cookies Off Off 
session.use_trans_sid Off Off

Posted: Fri Dec 19, 2003 10:19 am
by Crashin
Bumpety...bump...bump...
Bumpety...bump...bump...
Look at that topic go...

Posted: Fri Dec 19, 2003 10:43 am
by hedge
how are you getting from the first page to the second... using header I am guessing. If so are you appending the SID to the url?

Posted: Fri Dec 19, 2003 10:47 am
by Crashin
No, not using header. I'm providing a form on the 1st page (log-on) that calls itself on submit to verify the log-on u/n and p/w. If log-on is successful, a menu is displayed from which the EU can go forth during the session. The second page is accessed by clicking a menu item.

I'm using session cookies (i.e. session.use_cookies On), as opposed to passing the SID via the GET method.

Posted: Sat Dec 20, 2003 10:28 pm
by Crashin
Awww, might as well bump.
BUMP!
Go ahead and bu-ump!
Yeah, yeah, bump.
BUMP!
Might as we-ell bu-ump! 8)

Posted: Sat Dec 20, 2003 10:45 pm
by DuFF
Wow, this ones got me completely stumped. The only thing I can think of is on the first page add this and see what it outputs:

Code: Select all

<?php
   if(mysql_num_rows($result) > 0) {
      //they are in the database - register the user name
      $_SESSION['valid_user'] = $_POST['user_name'];
      echo "Username = " . $_SESSON['valid_user'];
   } 
?>
Just a thought . . .

Posted: Sat Dec 20, 2003 11:40 pm
by Crashin
Hey Duff...thanks for the tip! I've already got that in there, although it's not displayed:

Code: Select all

/* More code here */ 

if (isset($_SESSION['valid_user'])) { 
     // do stuff 
} 
else {?>
The "do stuff" displays to the user a message that they're logged-in and the user name that they're logged-in as (i.e. $_SESSION['valid_user']). So, we know that the session is registered because of the check. But, page 2 isn't recognizing the original session. Weird. :?

Posted: Sun Dec 21, 2003 10:31 am
by DuFF
Hmm, I found 2 things during my google search:
This seems to be a popular question these days, and I know it has something to do with making the page - no cache. But I can't locate the actual code for that at the moment.
I don't know anything about cache though, but you could try this. Possibly try header("Cache-control: private"); right below session_start()?
session variables are not set until the entire php document has been parsed.

I ran into a more subtle variation on this, which mystified me for ages. Take this code:

<?
session_start();
session_register("my_variable");
$my_variable="Hello world";
header("Location: next.php");
exit;
?>

The session variable will never be set. Why? Because the browser is redirected before the end of the script has been parsed. If you've ever wondered why bulletin boards usually display a "Your message has been sent" page before redirecting with a <meta> refresh... that's the reason.
Not sure if this applies to you but its possible. Hope one of these works.

Posted: Mon Dec 22, 2003 9:44 am
by Crashin
Thanks for the tips. I'll give them a try and get back to the forum with the results.