Page 1 of 1

[SOLVED] Sessions & Cookies for login page

Posted: Thu Jan 27, 2005 3:54 pm
by drgnjucr
Well, I'll try and make a long story, short.

I'm not sure why, but if I attempt to use $_SESSION['varname']; and I don't pass the PHPSESSID in the query string I will get blank data. Once I insert the PHPSESSID into the QS I get my data? That was problem 1. Now, I'm willing to settle for just passing the sid in the qs.

Because my site has many static pages, and the core of the pages are built from .js files for two seperate dynamic menus I have the problem of not being able to retain a session when leaving a php page, which is obvious.

I've now configured my apache webserver to parse .js and .htm files as php and now the links do append "A" session ID to the end of the url.

Problem is, instead of appending the current session ID it's generating an new one?

I've tried adding <?php session_start() ?> to the header of the pages and this did not work.... I thought I read somewhere that you needed to do this in order to create, or use any sessions..I'm new to PHP and very, very lost with sessions.

Any help would be greatly appreciated. 3 weeks of reading articles on the web and no luck. I think at this point I'm more confused then anything.

Thanks to all.

Mike

Posted: Thu Jan 27, 2005 3:58 pm
by feyd
yes, session_start() must be called before sessions begin to work. You may need to adjust your session settings inside the php.ini, but shouldn't have to as it's normally set to work off the bat. If you turn trans_id on, php should add the session id to all urls if and when needed.

also, since you're using $_SESSION avoid using session_register(), session_unregister() and a few others as noted on their documentation pages on php.net.

Posted: Thu Jan 27, 2005 4:05 pm
by drgnjucr
Some php pages were actually htm pages that I renamed. I have a design template created with an .htm with 2 .js files. So, my php pages are written just like a .htm.

<!-- EXAMPLE -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<!-- END Example -->

Should I be placing the session_start() at the very first line of the page, or just before any php code?

I've also noticed that a cookie is sent to the client machine named "PHPSESSID" with a sessionID as the value of the cookie. I can not reference it with $_COOKIE['cookiename'] nor will any values populate on other php pages dispite the cookie being set.

Thanks so much!

Posted: Thu Jan 27, 2005 4:08 pm
by John Cartwright
session_start() has to be before any output.

Posted: Thu Jan 27, 2005 4:35 pm
by feyd
if you want to get their session id, it's available through session_id(). I believe php will not allow you to fiddle with the session cookie without going through it, first. Although it's been a while since I've played with sessions and cookies like that. At any rate, your shouldn't put anything else inside the cookie, as php needs to read it accurately to make the session information available to you.

Posted: Fri Jan 28, 2005 9:23 am
by drgnjucr
Thanks for the all the replies so far! It is so much appreciated.

On my second page, or the page after a sucessful login, if I try to echo the session_id() and I refresh the page; it's always a new ID?

Code: Select all

<p align="left"><span style="font-weight:bold">Here is the session returned with session_id(): </span><?php echo session_id(); ?></p>
On this page, I don't actually call the session_start() until line 100. So, according to eveyone's help I should delete that and move it to line #1?

Sorry for the posting of code....
Here is where I try to retreive my session vars:

Code: Select all

<?php 
			session_start();
			header("Cache-control: private"); //IE 6 Fix
			   echo "<BR>";
			   echo "<span style="font-weight: bold;">UserID:</span>" . $_SESSION&#1111;'uid'];
			   echo "<BR>";
			   echo "<span style="font-weight: bold;">md5 CheckSum of your password:</span>" . $_SESSION&#1111;'passwd'];
			   echo "<BR>";
			   echo "<span style="font-weight: bold;">Group ID:</span>" . $_SESSION&#1111;'gid'];
			   echo "<BR>";
			   echo "<span style="font-weight: bold;">Real Name</span>" . $_SESSION&#1111;'realName'];
			   echo "<BR>";
		   ?>
Again, many Thanks!
Mike

Posted: Fri Jan 28, 2005 9:26 am
by feyd
if your browser isn't accepting the cookie, for whatever reason, and you do not have trans_id on, you will generate a new session each page call.

Posted: Fri Jan 28, 2005 9:37 am
by drgnjucr
In Firefox, I can see the cookie and the value. Each page refresh updates the output on the screen as well as the value of the cookie?
So, the brower must be accepting the cookie.. right?

Checking IE in the temp i'net files..I also see a cookie with the PHPSESSID in it..

Could I possibly have my php.ini misconfigured?
Here is a portion of my php.ini which I know I have messed with. Mabye the way I set it up is causing a problem for php to know where the cookie is?

Code: Select all

; where MODE is the octal representation of the mode. Note that this
; does not overwrite the process's umask.
session.save_path = "C:/PHP/tmp"

; Whether to use cookies.
session.use_cookies = 1

; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 0.
session.use_only_cookies = 0

; Name of the session (used as cookie name).
session.name = PHPSESSID

; Initialize session on request startup.
session.auto_start = 1

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 1800

; The path for which the cookie is valid.
session.cookie_path = "/tmp"
Mike

Posted: Fri Jan 28, 2005 9:50 am
by feyd
since you have auto_start enabled, that may be screwing with it. I would turn that off, as most hosts will not have it enabled.

Posted: Fri Jan 28, 2005 9:57 am
by timvw
this is a nice workaround :)

Code: Select all

<?php
// only start a session if there isn't one already
if (!isset($_SESSION)) session_start();

...


?>

Posted: Fri Jan 28, 2005 10:51 am
by drgnjucr
I wasn't too clear in my ealier reply.
Each page refresh updates the output on the screen as well as the value of the cookie?
it's updated with a new value... You may have guessed that is what I ment, but I wanted to make it clear. :o

Well, I set the auto_start enabled option to 0 and restarted the service. I also added the work-around, and tried them independantely Still, the output of the session_id() keeps changing to a new value when the page refreshes....

I must have something really jacked up! hehe...

I copied some sample code from the php.net manual thinking it should work...and surprise, it has the same effect as my own code does..
Here is the code snippet I tested from php.net:

Code: Select all

<?php
// page1.php
session_start();

echo 'Welcome to page #1';

$_SESSION&#1111;'favcolor'] = 'green';
$_SESSION&#1111;'animal']  = 'cat';
$_SESSION&#1111;'time']    = time();

// Works if session cookie was accepted
echo '<br /><a href="page2.php">page 2</a>';

// Or maybe pass along the session id, if needed
echo '<br /><a href="page2.php?' . SID . '">page 2</a>';
?>
The fist link in the example does not show the session var's on page 2. The second link shows them?

Mike

Posted: Fri Jan 28, 2005 10:53 am
by feyd
sounds like the cookie isn't set properly..

FINALLY!

Posted: Fri Jan 28, 2005 11:12 am
by drgnjucr
Thank you so much feyd!

To close this Topic, here was my problem:

I must have modified the php.ini for the cookie_path:

Code: Select all

; The path for which the cookie is valid.
session.cookie_path = "/tmp"
Now, thanks to the help of feyd, I changed it to:

Code: Select all

; The path for which the cookie is valid.
session.cookie_path = "/"

IT WORKS!

Thanks for all the replies!