Trouble getting sessions to transfer to login page

squatchimo
Forum Commoner
Posts: 28
Joined: Thu Feb 03, 2005 3:36 pm

Trouble getting sessions to transfer to login page

Post by squatchimo »

I've spent all day on this problem and would appreciate any help.

Before the customer is allowed into checkout area, I would like checkout.php to verify that they are logged in. If not, it redirects them to login.php.

Here is my login verification page:

Code: Select all

<?php
session_start();
header("Cache-control: private");/* IE6 fix */
include('../blank/common.php');

$user = $_POST['username'];
$pass = $_POST['password'];
$sql = mysql_query("SELECT * FROM users WHERE uname='$user' AND pword='$pass'");
$login = mysql_num_rows($sql);
echo mysql_error();
if($login > 0){
$_SESSION[username] = $user;
$_SESSION[password] = $pass;
header("Location: http://www.blank.com/blank/checkout.php");
exit();
}else{
echo "That username does not exist!<br>";
include 'login.php';
}
?>
Here is the checkout page:

Code: Select all

<?php
session_start();
header("Cache-control: private");/* IE6 fix */
include('../blank/common.php');

$user = $_SESSION['username'];
$pass = $_SESSION['password'];
$sql = mysql_query("SELECT * FROM users WHERE uname='$user' AND pword='$pass'");
$login = mysql_num_rows($sql);
echo mysql_error();
if ($login == 0){
header("Location: http://www.blank.com/blank/login.php");
exit();
}else{
***REST OF CODE***
As of now, when I login with a valid username and password, it still sends me to the login page. Thanks for looking!
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

the usual...

1-) kick in error control

ini_set('error_reporting', E_ALL);
ini_set('display_errors', TRUE);


2-) ask mysql if there are errors....
mysql_error()

3-) use mysql_real_escape_string....
squatchimo
Forum Commoner
Posts: 28
Joined: Thu Feb 03, 2005 3:36 pm

Post by squatchimo »

Thanks for the reply Tim. Which page are you telling me to add this to? I'm not understanding #3 as well.

Thanks.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

i would add them to all your pages :)

fe: i nowhere see you perform a mysql_connect....



#3 is about cleaning your data, to avoid sql injection. more can be read at http://www.php.net/mysql_real_escape_string
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

On your login page:

Code: Select all

<?php 
session_start(); 
header("Cache-control: private");/* IE6 fix */ 
include('../blank/common.php'); 

$user = $_POST['username'];
$pass = $_POST['password'];
$sql = mysql_query("SELECT * FROM users WHERE uname='$user' AND pword='$pass'");
$login = mysql_num_rows($sql);
echo mysql_error();
if($login > 0){
$_SESSION[username] = $user;
$_SESSION[password] = $pass;
header("Location: http://www.blank.com/blank/checkout.php");
exit();
}else{
echo "That username does not exist!<br>";
include 'login.php';
}
?>
Do you notice that your $_SESSION vars array keys are not quoted? That might be causing some problems.

You might also want to add in some string validation on your password. If you are not encrypting it, you should clean it up by trimming blank spaces, removing quote signs, equal signs, etc. You might also want to look into MD5() or SHA1() encryption to add a bit of security to your code.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

^^ encryption :arrow: hash ;)
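
An added example, not code from any poster in this thread: the login check and the checkout check rewritten around timvw's point 3 and the hashing advice above. It swaps in PDO prepared statements for mysql_real_escape_string() and password_hash()/password_verify() for MD5()/SHA1(); the users table layout, the sample account and the function names are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs on its own.

```php
<?php
// Added example, not code from the thread. Assumed names: table `users`
// (id, uname, pword_hash); in-memory SQLite stands in for the MySQL server.
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, uname TEXT UNIQUE, pword_hash TEXT)');
// Constructed sample account; only a salted hash is stored.
$db->prepare('INSERT INTO users (uname, pword_hash) VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/** Returns the user id for valid credentials, null otherwise. */
function verify_login(PDO $db, string $user, string $pass): ?int
{
    // The placeholder keeps user input out of the SQL text.
    $q = $db->prepare('SELECT id, pword_hash FROM users WHERE uname = ?');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pword_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

/** validate_login.php: on success the session keeps the user id only. */
function login(PDO $db, string $user, string $pass): bool
{
    $id = verify_login($db, $user, $pass);
    if ($id === null) {
        return false;
    }
    session_regenerate_id(true);  // fresh session id after authentication
    $_SESSION['user_id'] = $id;   // quoted key, no password in the session
    return true;
}

/** checkout.php: trust the session flag, no second password query. */
function is_logged_in(): bool
{
    return isset($_SESSION['user_id']);
}

// Constructed inputs: wrong password, quote characters, valid credentials.
$results = [
    login($db, 'alice', 'guess'),
    login($db, "alice' OR '1'='1", 'guess'),
    login($db, 'alice', 'correct horse'),
];
var_dump($results, is_logged_in());
```

On a real page, checkout.php would call is_logged_in() and send the Location header to login.php when it returns false, before producing any output.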
squatchimo
Forum Commoner
Posts: 28
Joined: Thu Feb 03, 2005 3:36 pm

Post by squatchimo »

Thanks for all of the comments. I plan on using md5 for the password once I get this session problem sorted out. Also, I am using mysql_error() after each DB connection. What else do I need to use?

I modified the session verbiage slightly in the login validation page and added session_write_close() per php.net documentation.

Code: Select all

$_SESSION['username'] = $user;
$_SESSION['password'] = $pass;
session_write_close();
header("Location: http://www.carenstevens.com/gallery/checkout.php");
Now when this directs me to the checkout page, I get the following error:

"Warning: session_write_close(): write failed: Disk quota exceeded (122) in /home3/www/blank/blank/validate_login.php on line 14

Warning: session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in /home3/www/blank/blank/validate_login.php on line 14

Warning: Cannot modify header information - headers already sent by (output started at /home3/www/blank/blank/validate_login.php:14) in /home3/www/blank/blank/validate_login.php on line 15"

I noticed a post from feyd in a prior thread where he suggested if you can't modify the path in php.ini, you should store the session info in the database. I do store the session id in my database, but how do I have the checkout page check for this for validation?

Hopefully I'm making sense. Thanks again for the help everyone!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

you're wanting to switch to database sessions now, is that it?

viewtopic.php?t=23781
squatchimo
Forum Commoner
Posts: 28
Joined: Thu Feb 03, 2005 3:36 pm

Post by squatchimo »

Thanks for the reply feyd. I actually saw that link in another post here. Now what book(s) do I need to go and buy and read to be able to understand that? Because that's waaay over my head. I spent about 30 minutes studying that post earlier today (because I've been working on this problem ALL day and your post seemed like it would be the answer) but after investing half an hour, I came away confused.

It seems like this should have been a relatively simple thing to accomplish, but since my php.ini file is apparently set wrong (and I can't change it) my only option is to store the session info in the database and I am now lost.

I guess I'll just have to make the customer log in each time they want to access the shopping cart checkout. Maybe you know of a tutorial that may help? I'm really frustrated and ready to give up right about now.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

invest some time into playing with session_set_save_handler() where you create functions that the session subsystem calls.. that's the major part. The next step is to play with the data packing (as it's in a specific format), and then once you can read the session data, you can then insert it into a database, and retrieve it back out.
squatchimo
Forum Commoner
Posts: 28
Joined: Thu Feb 03, 2005 3:36 pm

Post by squatchimo »

Thanks feyd..again. I bookmarked that section in php.net and will tackle it when I have some more time.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Can't you just use session_start() at the beginning of the sessioned app, add vars to the session using $_SESSION[$var] = $value, then when the session is over, kill all the session vars by running $_SESSION through a foreach loop and unset($_SESSION[$var]) for each iteration? I have a fairly sizable application that I wrote using this technique and it seems to work pretty good.