
Problem creating a new session

Posted: Tue Mar 02, 2004 8:15 pm
by brookside
We are new and just learning to use PHP. We are trying to create a login page that will create a session once a user has logged in.

Our error is:
Warning: session_start(); cannot send session cookie - headers already sent by (output started at /home/nwmissouri/public_html/USer_Validate.php:8)

Our code is:

Code:

<html>
<head>
<title>Access Test</title>
</head>



<script language = "JavaScript">

function emptyUserOrPass()
{

  document.URL = "http://www.nwmissouri.kkytbs.net/Error_Login.php";

}

function invalidUserOrPass()
{

  document.URL = "http://www.nwmissouri.kkytbs.net/Invalid_Login.php";

}

function adminCheck()
{

  document.URL = "http://www.nwmissouri.kkytbs.net/Admin_Welcome.php";

}

function memberCheck()
{
  document.URL = "http://www.nwmissouri.kkytbs.net/Member_Welcome.php";
}


</script>


<body>

<?php 
session_start();

if(isset($HTTP_POST_VARS['username']) && isset($HTTP_POST_VARS['password']))
{

 $username = $HTTP_POST_VARS['username'];
 $password = $HTTP_POST_VARS['password'];
 
 if(!$username || !$password)
 {
   session_destroy();
   echo("<script language = 'JavaScript'>");
   echo("emptyUserOrPass();");
   echo("</script>");
 }

 //trims extra spaces off username
 $username = trim($username);
 $password = trim($password);

$db = mysql_connect('localhost', 'nwmissouri', 'info1') or die ("Could not connect: " . mysql_error());

//Checks to see if connection failed
if(!$db)
{
  echo 'Error:  Could not connect to database.  Please try again later.';
}
 
mysql_select_db('nwmissouri');



$query = 'select * from LOGIN '
         ."where Username = '$username' "
         ." and Password = '$password'";

$result = mysql_query($query);
$row = mysql_fetch_array($result);

if(mysql_num_rows($result) > 0)
{
  session_register('username');
  //if they are in the database register the user id
  $HTTP_SESSION_VARS['valid_user'] = $username;

  

  if($row['User_Level'] == 1)
  {
     echo ("<script language = 'JavaScript'>");
     echo ("adminCheck();");
     echo ("</script>");
  }

  echo ("<script language = 'JavaScript'>");
  echo ("memberCheck();");
  echo ("</script>");
}
else
{
 
 session_destroy();
 echo ("<script language = 'JavaScript'>");
 echo ("invalidUserOrPass();");
 echo ("</script>");
}

}//end if



?>
</body>
</html>
EDITED BY BECH100: ADDED PHP TAGS

Posted: Tue Mar 02, 2004 8:40 pm
by markl999
session_start() must come before any output. Output is basically anything that's sent to the browser, like <html> and even whitespace.

So the simplest solution is to put session_start() right at the top, before _anything_, e.g.:
<?php
session_start();
?>
<html>
blah blah blah...

(You can use output buffering but that's another story ;))

Posted: Tue Mar 02, 2004 8:46 pm
by brookside
Thank you very much.

Posted: Wed Mar 03, 2004 4:57 am
by twigletmac
Not sure which version of PHP you are using but if it's PHP 4.1.0 or above you can rewrite the code to make it a bit more future proof:

Code:

<?php
session_start();
?>

<html>
<head>
<title>Access Test</title>
</head>

<script language = "JavaScript">
<!-- Just trimmed the JS to make the script a bit shorter to repost -->
</script>

<body>

<?php

// use $_POST instead of $HTTP_POST_VARS
if(isset($_POST['username']) && isset($_POST['password'])) {
	
	// you can trim the values here (makes more sense for the next bit).
	$username = trim($_POST['username']);
	$password = trim($_POST['password']);

	// if you're checking to see whether a variable is empty, use the
	// empty() function, if you're checking to see whether a variable
	// has a boolean false value do !$variable.
	if(empty($username) || empty($password)) {
		session_destroy();
		echo '<script language = "JavaScript">';
		echo 'emptyUserOrPass();';
		echo '</script>';
	}

	$db = mysql_connect('localhost', 'nwmissouri', 'info1') or die('Could not connect: '.mysql_error());

	// don't bother with the connection failed code because the or die()
	// statement will stop the script so you won't get to this point
	// if the connection has failed.

	// add error handling to database selecting as well
	mysql_select_db('nwmissouri') or die(mysql_error());

	// * try to avoid multilined single or double quoted strings as they
	//   can be confusing when you read your code
	// * don't do SELECT * FROM, specify the fields you want returned
	//   and save some processing time for the db.
	$query  = "SELECT Username, User_Level FROM LOGIN ";
	$query .= "WHERE Username = '$username' AND Password = '$password'";

	$result = mysql_query($query);

	// don't bother fetching a row if you don't need the data

	if (mysql_num_rows($result) > 0) {
		// don't use session_register() it's deprecated and doesn't work 
		// well with $_SESSION or $HTTP_SESSION_VARS

		// use $_SESSION instead of $HTTP_SESSION_VARS
		$_SESSION['valid_user'] = $username;

		// User_Level is needed below, so fetch the matching row here
		$row = mysql_fetch_array($result);

		if($row['User_Level'] == 1) {
			echo '<script language = "JavaScript">';
			echo 'adminCheck();';
			echo '</script>';
		}

		echo '<script language = "JavaScript">';
		echo 'memberCheck();';
		echo '</script>';
	} else {
		session_destroy();
		echo '<script language = "JavaScript">';
		echo 'invalidUserOrPass();';
		echo '</script>';
	}

} //end if

?>
</body>
</html>
Mac
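
Added example, not code from any poster in this thread: the same login flow in current PHP, with all session and redirect work done before any output, a bound parameter instead of `$username` interpolated into the SQL string, and a `header()` redirect instead of the JavaScript hop. Assumptions: an in-memory SQLite database through PDO stands in for the thread's MySQL `LOGIN` table, the `Password` column holds a `password_hash()` value rather than the plaintext, and the accounts and the `demo_db()` / `login()` names are constructed for illustration.

```php
<?php
// No output (not even whitespace) precedes this tag, so session_start()
// and header() can still send their headers.
session_start();

// Constructed stand-in for the thread's LOGIN table (assumption: pdo_sqlite available).
// Assumption: Password stores a password_hash() value, never the plaintext.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE LOGIN (Username TEXT PRIMARY KEY, Password TEXT, User_Level INTEGER)');
    $ins = $db->prepare('INSERT INTO LOGIN VALUES (?, ?, ?)');
    $ins->execute(['admin', password_hash('constructed-admin-pw', PASSWORD_DEFAULT), 1]);
    $ins->execute(['member', password_hash('constructed-member-pw', PASSWORD_DEFAULT), 0]);
    return $db;
}

// Returns the page to redirect to; writes to $_SESSION only on success.
function login(PDO $db, array $post): string {
    $username = is_string($post['username'] ?? null) ? trim($post['username']) : '';
    $password = is_string($post['password'] ?? null) ? $post['password'] : '';
    if ($username === '' || $password === '') {
        return 'Error_Login.php';
    }
    // Bound parameter: the submitted value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT Password, User_Level FROM LOGIN WHERE Username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['Password'])) {
        return 'Invalid_Login.php';
    }
    session_regenerate_id(true);   // issue a fresh session ID after authentication
    $_SESSION['valid_user'] = $username;
    $_SESSION['user_level'] = (int) $row['User_Level'];
    return $_SESSION['user_level'] === 1 ? 'Admin_Welcome.php' : 'Member_Welcome.php';
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Server-side redirect, decided before a single byte of HTML is sent.
    header('Location: ' . login(demo_db(), $_POST));
    exit;
}
?>
<html><head><title>Access Test</title></head>
<body>
<form method="post"><input name="username"> <input type="password" name="password">
<input type="submit" value="Log in"></form>
</body></html>
```

The redirect is navigation, not access control: Admin_Welcome.php and Member_Welcome.php each need to call `session_start()` and check `$_SESSION['valid_user']` and `$_SESSION['user_level']` themselves before rendering anything.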