Problem with session_start(); any help?

duk
Forum Contributor
Posts: 199
Joined: Wed May 19, 2004 8:45 am
Location: London

Post by duk »

Hi there,

It's my first post, so I have one question about sessions...

So, I created a little forum with simple MySQL authentication, but I use

session_start();
$_SESSION["nick"] = $nick;

So to access the variable $nick in other pages I have to do:

session_start();
$nick = $_SESSION["nick"];

OK, everything is OK. Now I have created one other page, about other things, which does not have any relation to the forum, but I use the same system with session_start.

OK, what happens?

I log in with the nick duk in the forum, $_SESSION registers the variable $nick, and if I want to visit my other page, this other page tells me I'm logged in with the nick duk, because this page accesses the same variable $nick with $_SESSION. So I'm logged in to my page with a user that doesn't exist; with this conflict I was able to post a message in my forum with a user that doesn't exist in my MySQL database...

Does someone know how to resolve this situation?

Sorry for my English.

regards
duk
duk
Forum Contributor
Posts: 199
Joined: Wed May 19, 2004 8:45 am
Location: London

Post by duk »

Maybe try to use PHPSESSID? Any idea?
launchcode
Forum Contributor
Posts: 401
Joined: Tue May 11, 2004 7:32 pm
Location: UK

Post by launchcode »

Post some of your code (SOME of it.. not all of it!) because it's a bit hard to see what you're actually doing right now.
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

other than other errors in your code you failed to post

mysql_num_rows is a powerful function to see if a username is in fact in existence.
duk
Forum Contributor
Posts: 199
Joined: Wed May 19, 2004 8:45 am
Location: London

Post by duk »

Ow..

The problem is not the code, the problem is that!!

If you have one Apache server with PHP, and if you create some simple code that uses session_start(); to register some variables as global...

and if you have some code like this:

<?php

session_start();

$nick = "me";
$_SESSION["nick"] = $nick;

echo "ok, now you can jump to other page";

?>

OK, if you run this page, and now if you use the same window of IE to jump to my page... here is my function to authenticate:

<?php

// Authenticates a member and stores their details in the session.
// you_in() and autenticacao_falhou() are defined elsewhere in the application.
function login($email, $password)
{
    $db = mysqli_connect("localhost", "user", "pwd", "ptcup")
        or die("problemas de ligação á base de dados");

    // Bind the user input as parameters instead of concatenating it into the SQL.
    $comando = "select email,id,nick,valido,autenti from membros where email=? and passwd=?";
    $stmt = mysqli_prepare($db, $comando);
    mysqli_stmt_bind_param($stmt, "ss", $email, $password);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $email_db, $id_membro, $nick, $valido, $autenti);
    $encontrado = mysqli_stmt_fetch($stmt);   // true only when a row matched
    mysqli_stmt_close($stmt);

    if ($encontrado && $email == $email_db && $valido == 'S') {
        // The calling page has normally started the session already.
        if (session_status() === PHP_SESSION_NONE) {
            session_start();
        }

        $_SESSION["id_membro"] = $id_membro;
        $_SESSION["nick"] = $nick;
        $_SESSION["autenti"] = $autenti;

        // Second query: the member's clan, if any.
        $comando2 = "select id_clan from membros where nick=?";
        $stmt2 = mysqli_prepare($db, $comando2);
        mysqli_stmt_bind_param($stmt2, "s", $nick);
        mysqli_stmt_execute($stmt2);
        mysqli_stmt_bind_result($stmt2, $id_clan);
        mysqli_stmt_fetch($stmt2);
        mysqli_stmt_close($stmt2);

        if ($id_clan != 0) {
            $_SESSION["id_clan"] = $id_clan;
        }

        you_in($nick, $id_membro);
    } else {
        autenticacao_falhou();
    }

    mysqli_close($db);
}

?>

So, I use $_SESSION["nick"] = $nick

and I use this to choose which function will work:

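<?php

// Missing keys fall back to empty values instead of raising notices.
$email = $_POST["email"] ?? "";
$password = $_POST["password"] ?? "";

session_start();

$nick = $_SESSION["nick"] ?? "";
$id_membro = $_SESSION["id_membro"] ?? "";

if ($nick) {
    // Any non-empty "nick" in the session is treated as a logged-in user.
    you_in($nick, $id_membro);
} elseif ($email && $password) {
    login($email, $password);
} else {
    mostra_pagina();
}

?>
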
So if you read all of this you will understand that your variable from the first code will be in my you_in(); function... and you are a user that doesn't exist..
Last edited by duk on Thu May 20, 2004 5:53 am, edited 1 time in total.
launchcode
Forum Contributor
Posts: 401
Joined: Tue May 11, 2004 7:32 pm
Location: UK

Post by launchcode »

You are always logged in because all your code does is check to see if the variable $nick isn't false - it will never be false, because 2 lines above you set it to the value of $_SESSION["nick"] - and even if this is empty it will still set $nick to be an empty string value.

You should be using single quotes: $_SESSION['nick'] btw.
duk
Forum Contributor
Posts: 199
Joined: Wed May 19, 2004 8:45 am
Location: London

Post by duk »

No, sorry, look with more attention...

I put $nick = $_SESSION["nick"];

because in my function with authentication I set $_SESSION["nick"].

About the code, I don't have any problem here. Try to understand: I just want a way to prevent some user on another page, with some code, from getting into my page logged in... so

I'm thinking of using session_id();

If you put on your server a page with the first code I demonstrated... and if you initialize the same variable $nick with session_start(); and if you go to my server, it checks whether session_start is true, and if it is true I will get the variable $nick...

But session_start works like that, so if I use this simple way we have problems, so I need to use another way to prevent this from happening.
launchcode
Forum Contributor
Posts: 401
Joined: Tue May 11, 2004 7:32 pm
Location: UK

Post by launchcode »

You never posted your you_in function, so it was impossible to tell what it did.

Let me get this straight - the only way you check to see if someone is logged in is to see if a session *value* (nick) exists??
duk
Forum Contributor
Posts: 199
Joined: Wed May 19, 2004 8:45 am
Location: London

Post by duk »

Yes, but this var nick is true just after the user logs in to the system, so if the login is true I set the var nick with their nick, which is in the MySQL db...
launchcode
Forum Contributor
Posts: 401
Joined: Tue May 11, 2004 7:32 pm
Location: UK

Post by launchcode »

Could you not just use two different session values? One for the forum and one for the rest of the site?

Or even better - don't rely on sessions at all really - just issue a session value which could be their user ID (or something like this, depending how secure you want to be) and then validate their login and extract their nick on every page.

There are numerous ways to handle this though.
duk
Forum Contributor
Posts: 199
Joined: Wed May 19, 2004 8:45 am
Location: London

Post by duk »

Yes, you're right... I have a lot of ways to resolve this situation, I have some ideas...

About what you say, to change the session in the forum and in the page: anyway I'll have the same problem...

My idea is to use, in the authentication, a method to make it a unique authentication...

I need to think of an easy way so as not to have to write all the code in all pages...
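
The approach launchcode suggests above (a separate session value per application, holding only the user ID, which is validated on every page), written as one shared include. This is an added example, not code from the thread: `FORUM_SESSION`, the `forum` session key and `find_member()` are hypothetical names, and the inline array is constructed sample data standing in for the `membros` table.

```php
<?php
// Added example (not from the thread). FORUM_SESSION, the 'forum' key and
// find_member() are hypothetical; the array stands in for the membros table.
const FORUM_SESSION = 'FORUMSESSID';

function find_member(int $id): ?array
{
    $membros = [7 => ['nick' => 'duk', 'valido' => 'S']]; // constructed sample row
    return $membros[$id] ?? null;
}

// Use this application's own session cookie, not the shared default PHPSESSID.
function forum_session_start(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_name(FORUM_SESSION);
        session_start();
    }
}

// Call once, after the password check has succeeded.
function forum_login(int $id_membro): void
{
    forum_session_start();
    session_regenerate_id(true);            // fresh session ID at login
    $_SESSION['forum'] = ['id_membro' => $id_membro];
}

// Include at the top of every page: returns the member row, or null.
function forum_current_member(): ?array
{
    forum_session_start();
    $id = $_SESSION['forum']['id_membro'] ?? null;
    $member = is_int($id) ? find_member($id) : null;
    if ($member === null || $member['valido'] !== 'S') {
        unset($_SESSION['forum']);          // unknown or disabled member
        return null;
    }
    return $member;                         // nick is read from the table
}

// A bare $_SESSION["nick"] written by another script is not a login here.
forum_session_start();
$_SESSION['nick'] = 'me';
$before = forum_current_member();
forum_login(7);
$after = forum_current_member();
var_dump($before, $after['nick']);
```

Each page calls `forum_current_member()` where the thread's code tests `$nick`, so the check lives in one file. The separate session name keeps the two applications' cookies apart, and the per-page lookup rejects any session value that has no matching member row.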