Can't pass $_SESSION variables from one page to another!

Post by dimitris »

This is my code:

Code:

<?php
session_start();
header("Cache-control: private");
error_reporting(E_ALL);
if(isset($HTTP_POST_VARS['submit'])){
    if((strlen($HTTP_POST_VARS['username']) > 0) && (strlen($HTTP_POST_VARS['password']) > 0)){
        $username = $HTTP_POST_VARS['username'];
        $password = $HTTP_POST_VARS['password'];
        require_once ("../../w/connect.inc"); // it is at music.hxotpon.net/blabla.php
        // escape the submitted value before placing it in the SQL string
        $query = "SELECT * FROM customers WHERE username='" . mysql_real_escape_string($username) . "'";
        $query_result = mysql_query ($query);
        $check = mysql_num_rows($query_result);
        if($check > 0)
        {
            $a = 0;
            $row = mysql_fetch_array($query_result);
            if(($row['username'] == $username) && ($row['password'] == $password))
            {
                $logged_in = TRUE;
                $login_status = TRUE; // user authenticated
                $id_customer = $row['id_customer']; // we need to know who logged in
                $_SESSION['logged_in'] = TRUE;

                $_SESSION['id_customer'] = $id_customer;
            } else {
                $_SESSION['logged_in'] = FALSE; // wrong password
                $login_status = FALSE;
            }
            if($_SESSION['logged_in'])
            {
                //$_SESSION['session_id'] = 0;
                $rand = rand(1,9);
                $session_id=$rand.substr(md5($REMOTE_ADDR), 0, 11+$rand);
                $session_id.=substr(md5(rand(1,1000000)), rand(1,32-$rand), 21-$rand);
                session_id($session_id);
                $_SESSION['session_id'] = $session_id;
                echo '<font color="green"> &#931;&#969;&#963;&#964;&#972; password </font>';
                echo $session_id;
            } else {
                echo '<font color="red"> Wrong password</font>';
            }
        } else {
            echo '<b><font color="red"> Try Again </font></b>';
        } // end of if($check > 0)
        mysql_close();
    } else {
        echo '<font color="red">You left empty one of the fields!</font>';

    } // end of if(strlen...
}
?>
...some html....

<td><div align=center><strong>

Code:

<?php
if($_SESSION['logged_in']){ // this gets executed too
    echo'<span class=style4>&#917;&#965;&#967;&#945;&#961;&#953;&#963;&#964;&#959;&#973;&#956;&#949; &#960;&#959;&#965; &#963;&#965;&#957;&#948;&#949;&#952;&#942;&#954;&#945;&#964;&#949; &#963;&#964;&#959;</span> 
	<span class=style2>HXOTPON</span>';
}else{
    echo'<meta http-equiv="Refresh" content="0;url=http://xxx/index.php">';
}
?>
<span class=style4>κάντε
<a href="index.php">clidk</a>
to continue</span></strong></div></td>

All the functions work properly and I can echo the $_SESSION variables easily in this page (e.g. login.php), but when I return back to index.php I can't recover any $_SESSION variable!

In index.php I use the code:

Code:

<?php
session_start();
header("Cache-control: private");

echo $_SESSION['logged_in'];
echo $_SESSION['id_customer'];
?>

....html and php code..

but I can't use the $_SESSION variables! (No echo!)

Any idea about that problem??

Post by DuFF »

What happens if you do this on index.php?

Code:

<?php
echo "<pre>";
print_r($_SESSION);
echo "</pre>";
?>

Post by ol4pr0 »

DuFF wrote: What happens if you do this on index.php?

Code:

<?php
echo "<pre>";
print_r($_SESSION);
echo "</pre>";
?>

I guess this is one of those statements that should be put on a topic with header

[READ THIS FIRST PART 2 ]

Post by dimitris »

DuFF wrote: What happens if you do this on index.php?

Code:

<?php
echo "<pre>";
print_r($_SESSION);
echo "</pre>";
?>

I checked my code and I made some tests and I found that the problem was that:

Code:

$rand = rand(1,9); 
$session_id=$rand.substr(md5($REMOTE_ADDR), 0, 11+$rand); 
$session_id.=substr(md5(rand(1,1000000)), rand(1,32-$rand), 21-$rand); 
session_id($session_id);

Where I erased the following line:

Code:

session_id($session_id);

This line seems to destroy any value of the previous $_SESSION variables! :?

Post by DuFF »

You could change the session_id before you set the session variables, but not after. What PHP does is set a cookie on the user's machine with the session_id (or passes it through the URL). If you change the session_id after assigning the session variables, then the cookie will not point to the correct session variables.
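
The mapping described in the reply above, as an added example that is not part of the thread: it rotates the id at login with PHP's built-in session_regenerate_id(), which carries $_SESSION over to the new id, and then shows what index.php sees with the new id and with the stale one. It assumes a CLI run with the files session handler; the script name and the customer id 42 are constructed.

```php
<?php
// Added example, not code from the thread. Run with: php rotate_demo.php
// The script plays both server and browser: cookies are switched off and the
// session id is handed from one simulated request to the next by hand.
ini_set('session.use_cookies', '0');
ini_set('session.save_path', sys_get_temp_dir());

// --- Request 1: login.php, visitor has no session yet ---------------------
session_start();
$idBeforeLogin = session_id();          // id the browser was first given
$_SESSION['logged_in'] = true;          // set before the rotation
session_regenerate_id(true);            // new id, old record deleted, data kept
$_SESSION['id_customer'] = 42;          // constructed sample value, set after
$idAfterLogin = session_id();           // PHP would send this as the new cookie
session_write_close();

// --- Request 2: index.php, browser presents the rotated id ----------------
session_id($idAfterLogin);
session_start();
$seenWithNewId = $_SESSION;
session_write_close();

// --- Request 3: index.php, browser still presents the pre-login id --------
// This is the situation in the thread: the cookie and the stored record
// no longer share an id, so PHP opens an empty session.
session_id($idBeforeLogin);
session_start();
$seenWithOldId = $_SESSION;
session_destroy();                      // remove the empty record again

// Clean up the record created by the login request.
session_id($idAfterLogin);
session_start();
session_destroy();

// Output is deferred to the end so no header counts as sent between requests.
echo "id changed at login  : ", var_export($idBeforeLogin !== $idAfterLogin, true), "\n";
echo "index.php with new id: ", json_encode($seenWithNewId), "\n";
echo "index.php with old id: ", json_encode($seenWithOldId), "\n";
```

On a web request session_regenerate_id() also issues the replacement cookie, so the browser and the stored record stay in step without any hand-built id.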

Post by dimitris »

Thanks DUFF!
You are right!
Do you think that passing session_id is better than storing cookies on the client's PC?

Post by DuFF »

I prefer cookies, read this for more info:
php.net wrote: The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it.

Assess the importance of the data carried by your sessions and deploy additional protections -- this usually comes at a price, reduced convenience for the user. For example, if you want to protect users from simple social engineering tactics, you need to enable session.use_only_cookies. In that case, cookies must be enabled unconditionally on the user side, or sessions will not work.

There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users.
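
The two measures named in the php.net passage (session.use_only_cookies and mandatory SSL), as an added example that is not code from the thread or from php.net. It assumes PHP 7.3 or later and a server where PHP sees the TLS connection directly; CANONICAL_HOST and the function name are hypothetical.

```php
<?php
// Added example, not code from the thread or from php.net.
// CANONICAL_HOST is a placeholder; set it to the site's real HTTPS host name.
const CANONICAL_HOST = 'www.example.test';

function start_cookie_only_session(): void
{
    // SSL is mandatory: a plain-HTTP request is sent to the HTTPS site
    // before any session cookie is read or issued.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        $path = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $path, true, 301);
        exit;
    }

    // Session ids are accepted from and written to cookies only, so they
    // never appear in links, bookmarks or another site's referrer log.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Ids that the server did not issue itself are rejected.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // never sent over unencrypted HTTP
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Usage at the top of index.php, before any output.
start_cookie_only_session();
if (!empty($_SESSION['logged_in'])) {
    echo 'customer ', (int) $_SESSION['id_customer'];
} else {
    echo 'not logged in';
}
```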