*SOLVED* Session variables not setting.

Posted: Fri Apr 02, 2004 11:00 am
by pickle
Problem solved. It was just logic, not a fundamental problem.

Hi all.

Here's my problem. I've got a website that requires certain pages be secure. So, what I've done is use the built in HTTP Authentication hook, and pop up a little box for the username and password. The trouble I'm having is that when I get the username and password from the box and validate said credentials, I can't get a session variable (the timeout) to stick. Here's my code.

Note: DB is a custom MySQL wrapper object. find_auth_group(), check_valid_credentials(), and randomID() are also custom functions.

Code:

//***************************************************************************
// Function: authenticate
// Purpose:  To determine if the current page is to be secure, and if so, require the login
// Params:   page id, group id, DB connection
// Returns:  nothing
//***************************************************************************

function authenticate($page_id,$gid,$DBSession)
{
  session_start();
  $required_groups = find_auth_group($page_id,$gid,$DBSession);

  //if there are some access limitations
  if(count($required_groups) != 0)
  {
    $DBSession = new DB();

    //a session that has no timeout yet is treated as already expired
    $session_timeout = isset($_SESSION["timeout"]) ? $_SESSION["timeout"] : 0;

    //check if session has expired
    if($session_timeout < time())
    {
      //check if they're re-authenticating: look up the temporary sid saved in the session
      $logging_sid = isset($_SESSION["logging_sid"]) ? $_SESSION["logging_sid"] : "";
      //sid values are generated server-side by randomID(), not taken from the request
      $query = "select * from loggingin where sid = '$logging_sid'";
      $result = $DBSession->sql_query($query,"finding logging in sid");

      //if sid exists, they're re-logging in, and have passed username and password
      if($DBSession->count_rows($result) > 0)
      {
        //use username and password that have been set by the browser's Basic auth reply
        $username = isset($_SERVER["PHP_AUTH_USER"]) ? $_SERVER["PHP_AUTH_USER"] : "";
        $password = isset($_SERVER["PHP_AUTH_PW"]) ? $_SERVER["PHP_AUTH_PW"] : "";
        $valid_credentials = check_valid_credentials($username,$password,$required_groups);

        //update session timeout
        if($valid_credentials)
        {
          $twenty_minutes_worth_of_seconds = 60 * 20;
          //*******************************
          //this line doesn't seem to want to work
          //*******************************
          $_SESSION["timeout"] = time() + $twenty_minutes_worth_of_seconds;
        }
        //note: when the credentials are rejected nothing below stops the page from being served

        //remove the temporary sid from loggingin table
        $query = "delete from loggingin where sid = '$logging_sid'";
        $result = $DBSession->sql_query($query,"deleting logging in sid");
      }//if logging in
      //if sid doesn't exist, pop up box
      else
      {
        //the new sid is stored only in the table; it is never written to $_SESSION["logging_sid"],
        //so on the next request the lookup above finds nothing and this branch runs again
        $logging_sid = randomID(SIDLen);
        $query = "insert into loggingin values('$logging_sid')";
        $result = $DBSession->sql_query($query,'inserting logging sid');
        header('WWW-Authenticate: Basic realm="Restricted Access Page"');
        header('HTTP/1.0 401 Unauthorized');
        echo <<<CANCELLED
This page requires that you login to view it.
<a href = "javascript:history.go(-1)">Go back</a>
CANCELLED;
        exit();
      }
    }//if session has timed out
  }//if there are access restrictions
}//authenticate function

Thanks, folks. I'm really banging my head against a wall on this one.
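The same HTTP Basic re-login flow with the "challenge already sent" marker kept in the session and invalid credentials rejected, as an added PHP example that is not the poster's or the forum's code; it assumes a password_hash() based user store (a constructed demo user) in place of the custom check_valid_credentials(), DB and loggingin table, and stores the re-login marker in $_SESSION rather than a table row.

```php
<?php
// Added example, not the poster's code: the same HTTP Basic re-login flow, but
// the "challenge already sent" marker lives in $_SESSION (the original built
// $logging_sid and never stored it), and bad credentials no longer fall through.
const SESSION_TTL = 20 * 60;   // twenty minutes, as in the original post

// Constructed demo user store (username => password_hash output); a real
// deployment would load the hash from the database instead.
function demo_users(): array {
    static $users = null;
    $users ??= ['alice' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];
    return $users;
}

function credentials_valid(?string $user, ?string $pass): bool {
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy', PASSWORD_DEFAULT);
    $users = demo_users();
    $known = $user !== null && isset($users[$user]);
    // Always run password_verify so an unknown username costs the same time.
    return password_verify((string)$pass, $known ? $users[$user] : $dummy) && $known;
}

function send_challenge(): void {
    header('WWW-Authenticate: Basic realm="Restricted Access Page"');
    header('HTTP/1.0 401 Unauthorized');
    echo "This page requires that you log in to view it.\n";
    exit();
}

function authenticate(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    if (($_SESSION['timeout'] ?? 0) >= time()) {
        return;   // session still valid
    }
    if (empty($_SESSION['challenged'])) {
        // Credentials the browser cached earlier are deliberately ignored here:
        // a fresh 401 makes it prompt again, so an expired session needs a real
        // re-login. The marker is persisted before the challenge is sent.
        $_SESSION['challenged'] = true;
        send_challenge();
    }
    if (!credentials_valid($_SERVER['PHP_AUTH_USER'] ?? null, $_SERVER['PHP_AUTH_PW'] ?? null)) {
        send_challenge();   // fail closed; the marker stays so the retry is checked
    }
    unset($_SESSION['challenged']);
    session_regenerate_id(true);   // fresh session id after the auth state changes
    $_SESSION['timeout'] = time() + SESSION_TTL;
}
```

Call authenticate() at the top of each protected page; because the marker and the expiry both live in $_SESSION, the request that answers the 401 is the one whose credentials get checked.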