$_SESSION variable works on localhost, but not on live site
Posted: Tue Jan 03, 2006 8:22 pm
Hi everyone, and thanks in advance for any help that you can offer.
I'm creating my first login system, and have encountered a confusing problem.
I have an 'a_login.php' page that uses an HTML form to pass $loginUsername and $loginPassword variables to another script, 'a_logincheck.php.' That script checks $loginUsername and $loginPassword against entries in a MySQL DB table, and if the user is authenticated (values in variables and DB match), then I set:
[code]
$_SESSION['loginUsername'] = $loginUsername;
[/code]
and redirect the authenticated user to the home page of the admin section/CMS for the site, 'a_home.php'.
If the user is not authenticated, then I set:
[code]
$_SESSION['message'] = "Error: Could not connect to the application as <span class=\"admin_username\">{$loginUsername}</span>. Please double-check your username and password, and try again.";
[/code]
as a message to tell the user what happened, and redirect them to 'a_logout.php,' which is a multi-purpose script that either displays a message to an authenticated user who's legitimately logging out after a session:
[code]
if (isset($_SESSION['loginUsername'])) {
    $message .= "Thank you, <span class=\"admin_username\">{$_SESSION['loginUsername']}</span>, for using the holsterbag.com administrative section.";
}
[/code]
or to a user who's either entered the wrong username/password, or is trying to access a part of the site without being logged in (this code excerpt just displays any error messages that have been created due to the various problems that would occur with a login):
[code]
if (isset($_SESSION['message'])) {
    $message .= $_SESSION['message'];
    unset($_SESSION['message']);
}
[/code]
Then I destroy the session and attempt to display the $message to the user.
The problem is, I can get the $_SESSION['loginUsername'] variable to display without incident, both on my local server (localhost) and on the live site - but the $message variable and $_SESSION['message'] variable display only on my local server, not on the live site!
My local server is Apache running on Windows XP; my live site is running on Linux (PHP Info is at http://www.twarr.com/phpinfo.php). With regard to the SESSION settings in my php.ini files, the only difference between my local server and the live server is that "session.use_trans_sid" is on (set to 1) on the live server, and is off (set to 0) on my localhost. I wouldn't think that would affect this problem, but I could very well be wrong, as I don't fully understand that setting.
To see this functioning live (though of course the code won't appear), check out http://www.twarr.com/holsterbag/admin/a_login.php - use twarr as the username and password as the password (there's really nothing there to access yet but a simple CMS home page); the security code can be left blank.
The code for related files is:
>>> a_login.php (just HTML - can be seen at http://www.twarr.com/holsterbag/admin/a_login.php)
>>> a_logout.php
[code]
<?php
session_start();
$message = "";
// an authenticated user has logged out
if (isset($_SESSION['loginUsername'])) {
    $message .= "Thank you, <span class=\"admin_username\">{$_SESSION['loginUsername']}</span>, for using the holsterbag.com administrative section.";
}
// some script, possibly the setup script, may have set up a logout message
if (isset($_SESSION['message'])) {
    $message .= $_SESSION['message'];
    unset($_SESSION['message']);
}
// destroy the session
session_destroy();
// display the page (including the message)
?>
<!-- Begin header -->
<?php
$pageTitle = 'note';
include ('a_includes/a_header.php');
?>
<!-- End header -->
<!-- Begin page content -->
<div class="content">
    <h1>Note</h1>
    <p><?php echo $message; ?></p>
    <p>Please return to the <a href="a_login.php">Login</a> page if you would like to re-enter the administrative section of the site.</p>
</div>
<!-- End page content -->
<!-- Begin footer -->
<?php
include ('a_includes/a_footer.php');
?>
<!-- End footer -->
[/code]
>>> a_logincheck.php
[code]
<?php
require 'a_includes/a_authentication.php';
require 'a_includes/db.php';
if (!$connection = @mysql_connect($db_hostname, $db_username, $db_password)) {
    die ("Cannot connect to database.");
}
// clean the data collected in the form
$loginUsername = mysqlclean($_POST, "loginUsername", 10, $connection);
$loginPassword = mysqlclean($_POST, "loginPassword", 10, $connection);
if (!mysql_select_db($db_databasename, $connection)) { // if not able to select the database, display error
    showerror();
}
session_start();
// authenticate the user
if (authenticateUser($connection, $loginUsername, $loginPassword)) {
    // register the username
    $_SESSION['loginUsername'] = $loginUsername;
    // register the IP address that started this session
    $_SESSION['loginIP'] = $_SERVER['REMOTE_ADDR'];
    // relocation back to the first page of the application
    header("Location: a_home.php");
    exit;
} else {
    // authentication failed; set up a logout message
    $_SESSION['message'] = "Error: Could not connect to the application as <span class=\"admin_username\">{$loginUsername}</span>. Please double-check your username and password, and try again.";
    // relocate to the logout page
    header("Location: a_logout.php");
    exit;
}
?>
[/code]
>>> a_authentication.php
[code]
<?php
function authenticateUser($connection, $username, $password) {
    // test the username and password parameters
    if (!isset($username) || !isset($password)) {
        return false;
    }
    // create a digest of the password collected from the challenge
    $password_digest = md5(trim($password));
    // formulate the query to find the user
    $query = "SELECT password FROM users WHERE username = '{$username}' AND password = '{$password_digest}'";
    // execute the query
    if (!$result = @mysql_query ($query, $connection)) {
        showerror();
    }
    // if there is exactly one row, then we've found the user
    if (mysql_num_rows($result) != 1) {
        return false;
    } else {
        return true;
    }
}
// connects to a session and checks that the user has authenticated, and that the remote IP address
// matches the address used to create the session
function sessionAuthenticate() {
    // check if the user hasn't logged in
    if (!isset($_SESSION["loginUsername"])) {
        // the request does not identify a session
        $_SESSION['message'] = "You are not authorized to access the URL: '{$_SERVER['REQUEST_URI']}'";
        header("Location: a_logout.php");
        exit;
    }
    // check if the request is from a different IP address than was initially used (hijack)
    if (!isset($_SESSION['loginIP']) || ($_SESSION['loginIP'] != $_SERVER['REMOTE_ADDR'])) {
        // the request did not originate from the machine that was used to create the session;
        // POSSIBLY A HIJACK ATTEMPT
        $_SESSION['message'] = "You are not authorized to access the URL {$_SERVER['REQUEST_URI']} from the address {$_SERVER['REMOTE_ADDR']}";
        header("Location: a_logout.php");
        exit;
    }
}
?>
[/code]
Sorry for including so much code, but I have absolutely no idea where the problem lies. I've spent hours trying to figure out what's going on, but I'm really at a loss.
Thanks SO MUCH to anyone who takes the time to try to help - I really appreciate it. Please let me know if you have any ideas, questions, or need to look at any additional code.
Troy
twigletmac | Please use [code] and [/code] tags where appropriate when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)
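The login check, redirect and logout-message handling described in the post, reworked as an added example. This is not the original poster's code, nor any library's; it assumes a `users` table with a `password_hash` column holding password_hash() output, the BASE_URL constant and database DSN shown, PHP 7.4 or later, and the PDO sqlite driver for the command-line self-check. Two points a practitioner would check on a live server appear in it: the session is written with session_write_close() before the Location header goes out (PHP otherwise saves it at script shutdown, after the response has left, so a fast client can request the next page before the data is on disk), and session.use_trans_sid is switched off in favour of cookies only, since a session id carried in URLs leaks through Referer headers and access logs. Whether either explains the symptom in the post cannot be settled from the post alone.

```php
<?php
// Added example, not the poster's code: the a_logincheck.php flow and the message
// part of a_logout.php in one file so the session handling reads end to end.
// Assumptions: a `users` table with a `password_hash` column (password_hash()
// output), the BASE_URL and DSN below, PHP 7.4+, and PDO sqlite for the CLI check.
declare(strict_types=1);

const BASE_URL = 'https://www.example.com/holsterbag/admin/'; // assumed site root

function configure_session(): void
{
    // Cookies only: a session id carried in the URL (session.use_trans_sid=1)
    // leaks through Referer headers, bookmarks and access logs.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1'); // assumes the admin area is served over HTTPS
    session_start();
}

function authenticate_user(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    // Unknown user: still pay for one hash check so timing does not reveal valid usernames.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    if ($hash === false) {
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, (string) $hash);
}

// One-shot message: read once by the logout page, then gone.
function take_flash(): ?string
{
    $html = $_SESSION['message'] ?? null;
    unset($_SESSION['message']);
    return $html;
}

function redirect_to(string $path): void
{
    // PHP saves the session at shutdown, after the response has gone out, so a fast
    // client can request the next page before the data is on disk. Write it first.
    session_write_close();
    header('Location: ' . BASE_URL . $path, true, 303); // 303: the POST becomes a GET
    exit;
}

function handle_login(PDO $db, string $username, string $password): void
{
    if (authenticate_user($db, $username, $password)) {
        session_regenerate_id(true); // fresh id on login defeats session fixation
        $_SESSION['loginUsername'] = $username;
        $_SESSION['loginIP'] = $_SERVER['REMOTE_ADDR'] ?? '';
        $_SESSION['loginTime'] = time();
        redirect_to('a_home.php');
    }
    $safe = htmlspecialchars($username, ENT_QUOTES, 'UTF-8'); // user input lands in HTML
    $_SESSION['message'] = "Error: Could not connect to the application as <span class=\"admin_username\">{$safe}</span>. Please double-check your username and password, and try again.";
    redirect_to('a_logout.php');
}

// The a_logout.php role: build the message, then really end the session
// (clear the array, expire the cookie, drop the server-side data).
function logout_page(): string
{
    $html = '';
    if (isset($_SESSION['loginUsername'])) {
        $safe = htmlspecialchars((string) $_SESSION['loginUsername'], ENT_QUOTES, 'UTF-8');
        $html .= "Thank you, <span class=\"admin_username\">{$safe}</span>, for using the administrative section. ";
    }
    $html .= take_flash() ?? '';
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    return $html;
}

if (PHP_SAPI !== 'cli') {
    configure_session();
    $db = new PDO('mysql:host=localhost;dbname=holsterbag', 'dbuser', 'dbpass'); // assumed
    handle_login($db, (string) ($_POST['loginUsername'] ?? ''), (string) ($_POST['loginPassword'] ?? ''));
} else {
    // Command-line self-check on constructed data: one user in an in-memory SQLite table.
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $db->prepare('INSERT INTO users VALUES (:u, :h)')
       ->execute([':u' => 'twarr', ':h' => password_hash('example-pass', PASSWORD_DEFAULT)]);
    var_dump(authenticate_user($db, 'twarr', 'example-pass')); // right password
    var_dump(authenticate_user($db, 'twarr', 'wrong'));        // wrong password
    var_dump(authenticate_user($db, "' OR 1=1 --", 'x'));      // the quote is data, not SQL
    $_SESSION = ['message' => 'one-shot message'];
    var_dump(take_flash(), take_flash());                      // second call finds nothing
}
```

Run with `php thisfile.php` to exercise the authentication and flash-message helpers offline; served over HTTP it plays the a_logincheck.php role, and the logout page would call logout_page() and echo its result. The message is consumed with unset() before the page renders, as in the post, but the username is escaped with htmlspecialchars() before it is placed inside the span, since it is attacker-controlled form input.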
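The sessionAuthenticate() check from a_authentication.php, as an added example that is not the poster's code: the decision is moved into a pure function so it can be exercised from the command line, and idle and absolute lifetimes are added beside the post's IP comparison. The limits are assumptions, as is the presence of `loginTime` and `lastSeen` in the session (the post stores only loginUsername and loginIP). The caveat worth keeping in mind about the IP check is that REMOTE_ADDR identifies whatever connected to PHP; behind a reverse proxy that is the proxy, and clients on mobile networks or proxy pools legitimately change address mid-session.

```php
<?php
// Added example, not the poster's code: the sessionAuthenticate() check from
// a_authentication.php with the decision in a pure function, so it can be run
// without a web server. Assumptions: the IDLE/ABSOLUTE limits, and that login
// also stored `loginTime` and `lastSeen` (the post stores only loginUsername and loginIP).
declare(strict_types=1);

const IDLE_LIMIT = 15 * 60;      // assumed: 15 minutes without a request ends the session
const ABSOLUTE_LIMIT = 8 * 3600; // assumed: re-login after 8 hours regardless of activity

// Returns null when the session may continue, otherwise the reason it may not.
function session_problem(array $session, string $remoteAddr, int $now): ?string
{
    if (!isset($session['loginUsername'])) {
        return 'not logged in';
    }
    // The post's hijack check. REMOTE_ADDR is the address of whatever connected to
    // PHP: behind a reverse proxy it is the proxy, and users on mobile networks or
    // proxy pools change address mid-session. Treat a mismatch as a reason to
    // re-authenticate, not as proof of an attack.
    if (($session['loginIP'] ?? '') !== $remoteAddr) {
        return 'address changed';
    }
    $loginTime = (int) ($session['loginTime'] ?? 0);
    $lastSeen  = (int) ($session['lastSeen'] ?? $loginTime);
    if ($now - $lastSeen > IDLE_LIMIT) {
        return 'idle too long';
    }
    if ($now - $loginTime > ABSOLUTE_LIMIT) {
        return 'session too old';
    }
    return null;
}

// Web wrapper, called at the top of every protected page (sessionAuthenticate()'s role).
function require_login(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $problem = session_problem($_SESSION, $_SERVER['REMOTE_ADDR'] ?? '', time());
    if ($problem !== null) {
        $uri = htmlspecialchars($_SERVER['REQUEST_URI'] ?? '', ENT_QUOTES, 'UTF-8');
        $_SESSION = [];              // drop the old identity before handing out a message
        session_regenerate_id(true);
        $_SESSION['message'] = "You are not authorized to access the URL: '{$uri}' ({$problem})";
        session_write_close();       // saved before the redirect leaves the server
        header('Location: a_logout.php', true, 303);
        exit;
    }
    $_SESSION['lastSeen'] = time();
    return (string) $_SESSION['loginUsername'];
}

if (PHP_SAPI === 'cli') {
    // Constructed sessions, all judged at the same instant $now.
    $now = 1700000000;
    $good = ['loginUsername' => 'twarr', 'loginIP' => '203.0.113.5',
             'loginTime' => $now - 600, 'lastSeen' => $now - 30];
    var_dump(session_problem($good, '203.0.113.5', $now));                                    // valid
    var_dump(session_problem([], '203.0.113.5', $now));                                       // no login
    var_dump(session_problem($good, '198.51.100.9', $now));                                   // other address
    var_dump(session_problem(['lastSeen' => $now - 3600] + $good, '203.0.113.5', $now));      // idle 1 h
    var_dump(session_problem(['loginTime' => $now - 9 * 3600] + $good, '203.0.113.5', $now)); // 9 h old
}
```

Protected pages call require_login() first and use the returned username; the request URI is escaped before it goes into the message because, as in the post, that message is later printed as HTML on the logout page.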