$_SESSION variable works on localhost, but not on live site

fantomas
Forum Newbie
Posts: 10
Joined: Tue Jan 03, 2006 5:37 pm

$_SESSION variable works on localhost, but not on live site

Post by fantomas »

twigletmac | Please use [code] and [/code] tags where appropriate when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)

Hi everyone, and thanks in advance for any help that you can offer.

I'm creating my first login system, and have encountered a confusing problem.

I have an 'a_login.php' page that uses an HTML form to pass $loginUsername and $loginPassword variables to another script, 'a_logincheck.php.' That script checks $loginUsername and $loginPassword against entries in a MySQL DB table, and if the user is authenticated (values in variables and DB match), then I set:

$_SESSION['loginUsername'] = $loginUsername;

and redirect the authenticated user to the home page of the admin section/CMS for the site, 'a_home.php'.

If the user in not authenticated, then I set:

$_SESSION['message'] = "Error: Could not connect to the application as <span class=\"admin_username\">{$loginUsername}</span>. Please double-check your username and password, and try again.";

as a message to tell the user what happened, and redirect them to 'a_logout.php,' which is a multi-purpose script that either displays a message to an authenticated user who's legitimately logging out after a session:

if (isset($_SESSION['loginUsername'])) {
  $message .= "Thank you, <span class=\"admin_username\">{$_SESSION['loginUsername']}</span>, for using the holsterbag.com administrative section.";
}

or to a user who's either entered the wrong username/password, or is trying to access a part of the site without being logged in (this code excerpt just displays any error messages that have been created due to the various problems that would occur with a login):

if (isset($_SESSION['message'])) {
  $message .= $_SESSION['message'];
  unset($_SESSION['message']);
}

Then I destroy the session and attempt to display the $message to the user.

The problem is, I can get the $_SESSION['loginUsername'] variable to display without incident, both on my local server (localhost) and on the live site - but the $message variable and $_SESSION['message'] variable display only on my local server, not on the live site!

My local server is Apache running on Windows XP; my live site is running on Linux (PHP Info is at http://www.twarr.com/phpinfo.php). With regard to the SESSION settings in my php.ini files, the only difference between my local server and the live server is that "session.use_trans_sid" is on (set to 1) on the live server, and is off (set to 0) on my localhost. I wouldn't think that would affect this problem, but I could very well be wrong, as I don't fully understand that setting.

To see this functioning live (though of course the code won't appear), check out http://www.twarr.com/holsterbag/admin/a_login.php - use twarr as the username and password as the password (there's really nothing there to access yet but a simple CMS home page); the security code can be left blank.

The code for related files is:


>>> a_login.php (just HTML - can be seen at http://www.twarr.com/holsterbag/admin/a_login.php)


>>> a_logout.php

<?php

session_start();
$message = "";

// an authenticated user has logged out
if (isset($_SESSION['loginUsername'])) {
  $message .= "Thank you, <span class=\"admin_username\">{$_SESSION['loginUsername']}</span>, for using the holsterbag.com administrative section.";
}
// some script, possibly the setup script, may have set up a logout message
if (isset($_SESSION['message'])) {
  $message .= $_SESSION['message'];
  unset($_SESSION['message']);
}

// destroy the session
session_destroy();

// display the page (including the message)

?>

<!-- Begin header -->

<?php
$pageTitle = 'note';
include ('a_includes/a_header.php');
?>

<!-- End header -->

<!-- Begin page content -->

<div class="content">
  <h1>Note</h1>
  <p><?php echo $message; ?></p>
  <p>Please return to the <a href="a_login.php">Login</a> page if you would like to re-enter the administrative section of the site.</p>
</div>

<!-- End page content -->

<!-- Begin footer -->

<?php
include ('a_includes/a_footer.php');
?>

<!-- End footer -->


>>> a_logincheck.php

<?php

require 'a_includes/a_authentication.php';
require 'a_includes/db.php';

if (!$connection = @mysql_connect($db_hostname, $db_username, $db_password)) {
  die ("Cannot connect to database.");
}

// clean the data collected in the form
$loginUsername = mysqlclean($_POST, "loginUsername", 10, $connection);
$loginPassword = mysqlclean($_POST, "loginPassword", 10, $connection);

if (!mysql_selectdb($db_databasename, $connection)) { // if not able to connect to database, display error
  showerror();
}

session_start();

// authenticate the user
if (authenticateUser($connection, $loginUsername, $loginPassword)) {
  // register the username
  $_SESSION['loginUsername'] = $loginUsername;
  // register the IP address that started this session
  $_SESSION['loginIP'] = $_SERVER['REMOTE_ADDR'];
  // relocation back to the first page of the application
  header("Location: a_home.php");
  exit;
} else {
  // authentication failed; set up a logout message
  $_SESSION['message'] = "Error: Could not connect to the application as <span class=\"admin_username\">{$loginUsername}</span>. Please double-check your username and password, and try again.";
  // relocate to the logout page
  header("Location: a_logout.php");
  exit;
}

?>

>>> a_authentication.php

<?php

function authenticateUser($connection, $username, $password) {
  // test the username and password parameters
  if (!isset($username) || !isset($password)) {
    return false;
  }
  // create a digest of the password collected from the challenge
  // (an unsalted md5 digest, as the original stores it; not a safe password hash by current standards)
  $password_digest = md5(trim($password));
  // formulate the query to find the user
  $query = "SELECT password FROM users WHERE username = '{$username}' AND password = '{$password_digest}'";
  // execute the query
  if (!$result = @mysql_query($query, $connection)) {
    showerror();
  }
  // if there is exactly one row, then we've found the user
  if (mysql_num_rows($result) != 1) {
    return false;
  } else {
    return true;
  }
}

// checks that the user has authenticated, and that the remote IP address
// matches the address used to create the session
// (assumes the including page has already called session_start())
function sessionAuthenticate() {
  // check if the user hasn't logged in
  if (!isset($_SESSION["loginUsername"])) {
    // the request does not identify a session
    $_SESSION['message'] = "You are not authorized to access the URL: '{$_SERVER['REQUEST_URI']}'";
    header("Location: a_logout.php");
    exit;
  }
  // check if the request is from a different IP address than was initially used (hijack)
  if (!isset($_SESSION['loginIP']) || ($_SESSION['loginIP'] != $_SERVER['REMOTE_ADDR'])) {
    // the request did not originate from the machine that was used to create the session;
    // POSSIBLY A HIJACK ATTEMPT
    $_SESSION['message'] = "You are not authorized to access the URL {$_SERVER['REQUEST_URI']} from the address {$_SERVER['REMOTE_ADDR']}";
    header("Location: a_logout.php");
    exit;
  }
}

?>

Sorry for including so much code, but I have absolutely no idea where the problem lies. I've spent hours trying to figure out what's going on, but I'm really at a loss.

Thanks SO MUCH to anyone who takes the time to try to help - I really appreciate it. Please let me know if you have any ideas, questions, or need to look at any additional code.

Troy


fantomas
Forum Newbie
Posts: 10
Joined: Tue Jan 03, 2006 5:37 pm

Forgot one thing

Post by fantomas »

Sorry, but I forgot one last important section of code:


>>> a_logincheck.php

<?php

require 'a_includes/a_authentication.php';
require 'a_includes/db.php';

if (!$connection = @mysql_connect($db_hostname, $db_username, $db_password)) {
  die ("Cannot connect to database.");
}

// clean the data collected in the form
$loginUsername = mysqlclean($_POST, "loginUsername", 10, $connection);
$loginPassword = mysqlclean($_POST, "loginPassword", 10, $connection);

if (!mysql_selectdb($db_databasename, $connection)) { // if not able to connect to database, display error
  showerror();
}

session_start();

// authenticate the user
if (authenticateUser($connection, $loginUsername, $loginPassword)) {
  // register the username
  $_SESSION['loginUsername'] = $loginUsername;
  // register the IP address that started this session
  $_SESSION['loginIP'] = $_SERVER['REMOTE_ADDR'];
  // relocation back to the first page of the application
  header("Location: a_home.php");
  exit;
} else {
  // authentication failed; set up a logout message
  $_SESSION['message'] = "Error: Could not connect to the application as <span class=\"admin_username\">{$loginUsername}</span>. Please double-check your username and password, and try again.";
  // relocate to the logout page
  header("Location: a_logout.php");
  exit;
}

?>

This is called by the form in a_login.php where the user enters his/her login information.

Thanks!
fantomas
Forum Newbie
Posts: 10
Joined: Tue Jan 03, 2006 5:37 pm

Settings problem, not a logic problem?

Post by fantomas »

All that I can figure out is that since this all works on localhost, just not on the live server, there can't be a logic problem or bug here, right? It's got to be an issue with either a disparity in the php.ini settings between my localhost and the live server, or a difference in the way the script/session runs on Windows XP (localhost) and Linux (the live server)?

Any ideas?
fantomas
Forum Newbie
Posts: 10
Joined: Tue Jan 03, 2006 5:37 pm

Ideas anyone?

Post by fantomas »

Ideas anyone? I need help... :?
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

I managed to log in at http://www.twarr.com/holsterbag/admin/a_login.php ? If you have cookies disabled for your live site then that could be causing the problem (maybe).

Unless I've misunderstood the problem.

Mac
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Check your host's settings for cookies and sessions.
fantomas
Forum Newbie
Posts: 10
Joined: Tue Jan 03, 2006 5:37 pm

Still stumped...

Post by fantomas »

Thank you both for the suggestions - I'm still kind of stumped, though...

With regard to the SESSION settings in my php.ini files (localhost and live server), the only difference between the two is that "session.use_trans_sid" is on (set to 1) on the live server, and is off (set to 0) on my localhost. I wouldn't think that would affect this issue - would it? Other than that, the settings are identical. I didn't check the COOKIES settings, but I don't use cookies at any point in my scripts - could those settings still be causing a problem here?

The login system works as intended both locally and on the live site, but to clarify the problem a bit, the issue lies in the fact that the $_SESSION['message'] variable does not seem to store any values even though it returns TRUE when !isset($_SESSION['message']) is called. I use that session variable to store any error messages that occur - most notably, when a user tries to log in with the wrong username/password/security code - and when a user clicks a link to access a page in the CMS that he/she is not authorized to view. Since the variable seems to contain no value when set, I can't display the appropriate message to the user when I try to.

In a_logincheck.php, for example, I set:

$_SESSION['message'] = "Error: Could not connect to the application as <span class=\"admin_username\">{$loginUsername}</span>. Please double-check your username and password, and try again.";

But in a_logout.php, I set a variable $message = $_SESSION['message'], destroy the session, and then try to display $message on the page; at this point, based on my debugging, both $message and $_SESSION['message'] are set, but neither contains a value.

Any ideas? Thanks again.
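One check that fits the symptom described in this post (the key is set but holds nothing), given as an added example rather than code from the thread: if register_globals is on at the live host, which the thread does not say either way, then after session_start() the global $message and $_SESSION['message'] refer to the same value, so the `$message = "";` initialisation at the top of a_logout.php would blank the session entry before it is read. The rewrite below uses a variable name that is never a session key, escapes the stored username before echoing it, and dumps the ini settings worth comparing between the two servers; the session key names are taken from the thread, everything else is assumed.

```php
<?php
// Added example, not code from the thread: the a_logout.php flow rewritten so
// the flash message is read before any local assignment can clobber it, plus a
// diagnostic dump of ini settings to compare between localhost and live.
// Assumes the thread's session keys ('loginUsername', 'message'); the
// register_globals state of the live host is an assumption to verify.
session_start();

// With register_globals=On, $_SESSION['message'] and the global $message alias
// the same value after session_start(), so "$message = ''" would empty the
// session entry before it is read. A name that is never a session key
// sidesteps that regardless of the setting.
$logoutNotice = '';

if (isset($_SESSION['loginUsername'])) {
    // escape the stored username so a crafted value cannot inject markup
    $logoutNotice .= 'Thank you, <span class="admin_username">'
        . htmlspecialchars($_SESSION['loginUsername'], ENT_QUOTES)
        . '</span>, for using the administrative section.';
}
if (isset($_SESSION['message'])) {
    $logoutNotice .= $_SESSION['message'];
    unset($_SESSION['message']);
}

// settings that decide whether the session survives the redirect from
// a_logincheck.php and whether globals can shadow session entries
$diag = array();
foreach (array('register_globals', 'session.use_cookies',
               'session.use_trans_sid', 'session.save_path') as $key) {
    $diag[$key] = ini_get($key);
}

// clear the server-side data and expire the client's session cookie
$_SESSION = array();
if (ini_get('session.use_cookies')) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $params['path'], $params['domain'], $params['secure']);
}
session_destroy();
?>
<div class="content">
  <h1>Note</h1>
  <p><?php echo $logoutNotice; ?></p>
  <!-- temporary diagnostic; remove once the localhost/live difference is found -->
  <pre><?php echo htmlspecialchars(print_r($diag, true)); ?></pre>
</div>
```

If the dump shows register_globals differing between the two servers, that difference alone explains why the same script behaves differently; if it does not, compare session.save_path and session.use_cookies next.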
fantomas
Forum Newbie
Posts: 10
Joined: Tue Jan 03, 2006 5:37 pm

Forgot one more thing...

Post by fantomas »

I forgot to provide the login info in case it's needed:

Username: twarr
Password: password
Security Code: 01-06-06 (tomorrow it will be 01-07-06, etc.)

Thanks!