Page 1 of 1

Can't pass $_SESSION variables from one page to another!

Posted: Tue Feb 03, 2004 11:20 am
by dimitris
This is my code:

Code: Select all

<?php
session_start(); 
header("Cache-control: private");
error_reporting(E_ALL);
if(isset($HTTP_POST_VARS['submit'])){
    if((strlen($HTTP_POST_VARS['username']) > 0) && (strlen($HTTP_POST_VARS['password']) > 0)){ 
        $username = $HTTP_POST_VARS['username'];
        $password = $HTTP_POST_VARS['password'];
        require_once ("../../w/connect.inc");//einai sto music.hxotpon.net/blabla.php 
        $query = "SELECT * FROM customers WHERE username='$username'"; 
        $query_result = mysql_query ($query); 
        $check = mysql_num_rows($query_result); 
        if($check > 0) 
            { 
                $a = 0; 
                $row = mysql_fetch_array($query_result); 
                  if(($row['username'] == $username) && ($row['password'] == $password)) 
                    { 
                        $logged_in = TRUE; 
                        $login_status = TRUE;//user authenticated 
						$id_customer = $row['id_customer'];//prepei na kseroume poios ekane login
						$_SESSION['logged_in'] = TRUE;
						
						$_SESSION['id_customer'] = $id_customer;
                    } else { 
                        $_SESSION['logged_in'] = FALSE;//wrong password 
                        $login_status = FALSE; 
                    } 
                  if($_SESSION['logged_in']) 
                  { 
						  
						//$_SESSION['session_id'] = 0; 
                      $rand = rand(1,9); 
                      $session_id=$rand.substr(md5($REMOTE_ADDR), 0, 11+$rand); 
                      $session_id.=substr(md5(rand(1,1000000)), rand(1,32-$rand), 21-$rand); 
                      session_id($session_id);
					  $_SESSION['session_id'] = $session_id; 
                      echo '<font color="green"> &#931;&#969;&#963;&#964;&#972; password </font>'; 
                      echo $session_id; 
                  } else { 
                      echo '<font color="red"> Wrong password</font>'; 
                  } 
               } else { 
                  echo '<b><font color="red"> Try Again </font></b>'; 
               }//telos if($query_result) 
               mysql_close(); 
            } else { 
               echo '<font color="red">You left empty one of the fields!</font>'; 

            }//telos if(strlen... 
         }  
?>
...some html....

<td><div align=center><strong>

Code: Select all

<?php
if($_SESSION['logged_in']){//ekteleitai kai auto
echo'<span class=style4>&#917;&#965;&#967;&#945;&#961;&#953;&#963;&#964;&#959;&#973;&#956;&#949; &#960;&#959;&#965; &#963;&#965;&#957;&#948;&#949;&#952;&#942;&#954;&#945;&#964;&#949; &#963;&#964;&#959;</span> 
	<span class=style2>HXOTPON</span>';}else{
echo'<meta http-equiv="Refresh" content="0;url=http://xxx/index.php">';
}
?>
<span class=style4>κάντε
<a href="index.php">clidk</a>
to continue</span></strong></div></td>

All the functions work properly and i can echo the $_SESSION variables easily in this page (e.g. login.php) but when i return back to index.php i can't recover any $_SESSION variable!

In index.php i use the code:

Code: Select all

<?php
		session_start(); 
		header("Cache-control: private");

 echo $_SESSION['logged_in']; 
 echo $_SESSION['id_customer']; 
?>

....html and php code..

but i can't use the $_SESSION variables!(NO echo!)

Any idea about that problem??

Posted: Tue Feb 03, 2004 2:44 pm
by DuFF
What happens if you do this on index.php?

Code: Select all

<?php
echo "<pre>";
print_r($_SESSION);
echo "</pre>";
?>

Posted: Tue Feb 03, 2004 3:46 pm
by ol4pr0
DuFF wrote:What happens if you do this on index.php?

Code: Select all

<?php
echo "<pre>";
print_r($_SESSION);
echo "</pre>";
?>
I guess this is one of those statements that should be put on a topic with header

[READ THIS FIRST PART 2 ]

Posted: Wed Feb 04, 2004 3:28 am
by dimitris
DuFF wrote:What happens if you do this on index.php?

Code: Select all

<?php
echo "<pre>";
print_r($_SESSION);
echo "</pre>";
?>
I checked my code & i made some tests and i found that the problem was that:

Code: Select all

$rand = rand(1,9); 
$session_id=$rand.substr(md5($REMOTE_ADDR), 0, 11+$rand); 
$session_id.=substr(md5(rand(1,1000000)), rand(1,32-$rand), 21-$rand); 
session_id($session_id);
Where i erased the following line:

Code: Select all

session_id($session_id);
This line seems to destroy any value of the previous $_SESSION variables! :?

Posted: Wed Feb 04, 2004 7:26 am
by DuFF
You could change the session_id before you set the session variables, but not after. What PHP does is set a cookie on the user's machine with the session_id (or passes it thru the URL). If you change the session_id after assigning the session variables, then the cookie will not point to the correct session variables.

Posted: Wed Feb 04, 2004 2:41 pm
by dimitris
Thanks DUFF!
You are right!
Do you think that passing session_id is better than storing cookies in client's pc?

Posted: Wed Feb 04, 2004 3:43 pm
by DuFF
I prefer cookies, read this for more info:
php.net wrote: The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it.

Assess the importance of the data carried by your sessions and deploy additional protections -- this usually comes at a price, reduced convenience for the user. For example, if you want to protect users from simple social engineering tactics, you need to enable session.use_only_cookies. In that case, cookies must be enabled unconditionally on the user side, or sessions will not work.

There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users.