Sessions Are Killing ME!!!
Moderator: General Moderators
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
I had posted this simple test on another thread here (search for 'session AND test' with author 'everah'). Try this and see what comes of it.
Before you do anything else clear your browser cache. Then create the following two files. Run page1.php and click the link and see what page2.php shows...
PAGE 1 (page1.php):
Code:
<?php
session_start();
$_SESSION['test'] = "Page-1-test-var";
echo $_SESSION['test'] . ' is the value set for "test".<br />';
echo 'Our current session id is ' . session_id() . '<br />';
echo '<a href="page2.php">Try the test</a>';
?>
PAGE 2 (page2.php):
Code:
<?php
session_start();
// Print a clear marker instead of a notice if the value did not survive
echo (isset($_SESSION['test']) ? $_SESSION['test'] : '(not set)') . ' is the value set for "test".<br />';
echo 'Our current session id is ' . session_id() . '<br />';
?>
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Can you describe your directory structure that you are trying to access sessions from? The reason I ask is that there may be an issue with the session cookie setting the path higher than what you are trying to do. Not sure if this is a possible problem or not, but it might be worth looking into.
To kind of clarify where I am coming from, when setting a cookie, one of the parameters you pass to the cookie is the cookie path. If the path to the cookie is '/' it becomes available site wide. But if the path to the cookie is '/foo/' then it is only available within that directory and above ('/foo/bar', '/foo/bar/baz', etc), but not below ('/').
I am not sure if the sessions cookie works along the same lines, but if you are calling session_start() from within, say, the folder '/admin/', then the cookie path will be '/admin/' and will not be available below that directory.
Taken from the PHP manual on setcookie():
The PHP Manual wrote: If set to '/', the cookie will be available within the entire domain. If set to '/foo/', the cookie will only be available within the /foo/ directory and all sub-directories such as /foo/bar/ of domain. The default value is the current directory that the cookie is being set in.
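As an added example that is not part of the thread (it extends the page1/page2 test above), the script below makes the session cookie's path explicit and prints what PHP is actually using, so the cookie-scope theory can be confirmed or ruled out in one request. Two facts worth knowing before reading it: the quoted manual text is about setcookie(), while PHP's own default for session.cookie_path is '/', so a script in /admin/ does not get an /admin/-scoped session cookie unless php.ini or code says so; and the 'secure' flag assumes HTTPS, so on a plain-http site like the URLs in this thread it must be dropped, otherwise the browser never returns the cookie and the session looks exactly like it is being lost. The file name, the HTTPS assumption and the 'hits' counter are mine.

```php
<?php
// Added example (not from the thread): make the session cookie attributes
// explicit and print what PHP really uses. Save as /admin/sesscheck.php and
// as /sesscheck.php, load each twice, and compare the session id and hits.
//
// Assumption: the site is served over HTTPS. On plain http remove 'secure'.

declare(strict_types=1);

// Must run before session_start(): these become the attributes of the
// Set-Cookie header PHP emits for PHPSESSID.
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie
    'path'     => '/',      // whole site, so /admin/ and / share one session
    'domain'   => '',       // current host only
    'secure'   => true,     // never sent over plain HTTP (see assumption above)
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',    // not sent on cross-site POSTs
]);

// A session that cannot be written to disk is silently lost, so check the
// save path before blaming cookie scope.
$savePath = session_save_path() ?: sys_get_temp_dir();
if (!is_dir($savePath) || !is_writable($savePath)) {
    exit("session.save_path '$savePath' is not writable by the web server user");
}

session_start();
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;   // should grow on every load

header('Content-Type: text/plain');
echo "script:      ", $_SERVER['SCRIPT_NAME'], "\n";
echo "session id:  ", session_id(), "\n";
echo "hits:        ", $_SESSION['hits'], "\n";
echo "save path:   ", $savePath, "\n";
echo "cookie sent: ", isset($_COOKIE[session_name()])
    ? 'yes' : 'no (first request, or the browser did not return it)', "\n";
echo "cookie params:\n";
foreach (session_get_cookie_params() as $k => $v) {
    printf("  %-9s %s\n", $k, var_export($v, true));
}
```

If the session id stays the same and "hits" keeps growing when you alternate between the /admin/ copy and the root copy, cookie scope is not the problem and the fault is in the pages themselves (typically a page that writes to $_SESSION without calling session_start() first). If "cookie sent" says no on every request after the first, look at the Set-Cookie header in the browser's developer tools: a path other than '/' or a 'secure' flag on an http site are the usual causes.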
I already checked all that up on the directory things. I had all my scripts in /admin and they were breaking within the directory session.
I would have a page like this:
Code:
<?php
session_start();
if ($passcheck) { // $passcheck: result of whatever credential check is used
    $_SESSION['in'] = 1;
}
else {
    // give my login page
}
?>
I would access it from another page like this:
Code:
<?php
session_start();
if ($_SESSION['in'] == 1) {
    // echo the secret stuff
}
else {
    // echo the login page
}
?>
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Well, yeah, according to my script it will break. Here is one:
main.php
Code:
<?PHP
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Main Admin Page</title>
</head>
<body>
<?PHP
print_r($_SESSION);
error_reporting(E_ALL);
if(!isset($_SESSION['in']) || $_SESSION['in'] != 1) {
echo 'You are not logged in,please go to <a href="http://avi.aerohostale.com/admin">Here</a> to login';
}
else {
echo 'Welcome to the admin page. This is the basic layout so far.<br>Please use one of the links below to do what you would like to.';
echo '<br>';
echo '<br>';
echo '<a href="http://avi.aerohostale.com/admin/addoffer.php">Add An Offer</a>';
echo '<br>';
echo '<a href="http://avi.aerohostale.com/admin/tabview.php">View Pending and Completed Offers</a>';
echo '<br>';
echo '<a href="http://avi.aerohostale.com/admin/pay.php">Make a Payment to Someone</a>';
}
?>
</body>
</html>

login.php
Code:
<?PHP
$you = $_POST['you'];
$me = $_POST['me'];
if(($you == '**') && ($me == '***')) {
$_SESSION['in'] = 1;
echo 'You are in,please go <a href="http://avi.aerohostale.com/admin/main.php">Here</a>';
}
else{
header("Location: http://avi.aerohostale.com/admin");
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Logging In</title>
</head>
<body>
</body>
</html>
- tecktalkcm0391
- DevNet Resident
- Posts: 1030
- Joined: Fri May 26, 2006 9:25 am
- Location: Florida
I didn't read this whole topic, but try this:
main.php
Code:
<?PHP
session_start();
echo ' <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Main Admin Page</title>
</head>
<body> ';
print_r($_SESSION);
error_reporting(E_ALL);
if(!isset($_SESSION['in']) || $_SESSION['in'] != 1) {
echo 'You are not logged in, please go to <a href="http://avi.aerohostale.com/admin">Here</a> to login';
}
else {
echo 'Welcome to the admin page. This is the basic layout so far.<br>Please use one of the links below to do what you would like to.';
echo '<br>';
echo '<br>';
echo '<a href="http://avi.aerohostale.com/admin/addoffer.php">Add An Offer</a>';
echo '<br>';
echo '<a href="http://avi.aerohostale.com/admin/tabview.php">View Pending and Completed Offers</a>';
echo '<br>';
echo '<a href="http://avi.aerohostale.com/admin/pay.php">Make a Payment to Someone</a>';
}
?>
</body>
</html>

login.php
Code:
Code: Select all
<?PHP
$you = $_POST['you'];
$me = $_POST['me'];
if(($you == '**') && ($me == '***')) {
$_SESSION['in'] = 1;
echo 'You are in, please go <a href="http://avi.aerohostale.com/admin/main.php">Here</a>';
}
else{
header("Location: http://avi.aerohostale.com/admin");
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Logging In</title>
</head>
<body>
</body>
</html>
- ambivalent
- Forum Contributor
- Posts: 173
- Joined: Thu Apr 14, 2005 8:58 pm
- Location: Toronto, ON
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Let's try your code with some comments...
main.php
Code:
<?php
// First things first, start the session
// We should remember to do this on EVERY page in the session domain
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Main Admin Page</title>
</head>
<body>
<?php
// If there is nothing in the session var print_r returns array()
print_r($_SESSION);
// Set our error reporting level
error_reporting(E_ALL);
// Checking to see if the session var 'in' is not set OR if it doesn't equal 1
// So anything other than a value of 1 for the session 'in' var will result in else
if ( !isset($_SESSION['in']) || $_SESSION['in'] != 1 ) {
// Either session var 'in' was not set or it did not equal 1
echo 'You are not logged in,please go to <a href="http://avi.aerohostale.com/admin">Here</a> to login';
}
else {
// session var 'in' was set to 1
echo 'Welcome to the admin page. This is the basic layout so far.<br>Please use one of the links below to do what you would like to.';
echo '<br>';
echo '<br>';
echo '<a href="http://avi.aerohostale.com/admin/addoffer.php">Add An Offer</a>';
echo '<br>';
echo '<a href="http://avi.aerohostale.com/admin/tabview.php">View Pending and Completed Offers</a>';
echo '<br>';
echo '<a href="http://avi.aerohostale.com/admin/pay.php">Make a Payment to Someone</a>';
}
?>
</body>
</html>

login.php
Code:
<?php
// Same as before, let's start the session
session_start();
// Normally I would check to see if there was a POST var sent
// But first, for clarity, initialize the vars to check
$you = '';
$me = '';
// Now check if the POST var is set and assign new values
if ( isset($_POST['somecheckablepostfield']) ) {
$you = $_POST['you'];
$me = $_POST['me'];
}
// Check the value of the vars to check against what we know already
if(($you == '**') && ($me == '***')) {
// Vars to check matched what we already know
// Let's set our session var 'in' for use beyond this point
// Of course, we know that up to now, the session var 'in' was unset
$_SESSION['in'] = 1;
echo 'You are in,please go <a href="http://avi.aerohostale.com/admin/main.php">Here</a>';
}
else {
// Vars to check did not match the known
header("Location: http://avi.aerohostale.com/admin");
exit(); // Always call exit after a header redirect
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Logging In</title>
</head>
<body>
</body>
</html>
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
When you say authenticated, are you talking about after the form is submitted? I don't see a form anywhere in the code you posted.
What should happen is throughout your admin section, there should be a check on every page for a session value that should show that the user is authorized to be there. If that value is true, let the page load. If it is not, redirect the page to the login form. The login form should have the same check, but if the user is already authorized, they should be redirected to a navigation page of some sort. Otherwise they should see a form.
I suppose without seeing the entire code for your login page, your main page and some of the other pages I couldn't really tell you what is happening. If the code is not that long, can you post the entire thing? If it is enormous, PM me and I will give you my email address to send it to. This problem needs to be fixed, if for nothing else, then just because I want to see it fixed!
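Added example, not code from the thread, that pulls together Robert's commented version above and the "check on every page" advice in this post. The login.php as originally posted never calls session_start(), so its $_SESSION['in'] = 1 goes into a plain array that is thrown away at the end of the request; the include below starts the session in one place, regenerates the id when the user logs in, compares credentials without echoing them back, and gives every protected page a single guard to call before any output. The file name auth.php, the constants, the single admin user with a password_hash() value, and HTTPS for the admin area are all my assumptions; the 'in' flag is kept from the thread.

```php
<?php
// Added example (not the thread's code): auth.php, included by every page in
// /admin/. Assumed: one admin account, HTTPS (drop 'secure' on plain http),
// and a hash you generate once with:
//   php -r 'echo password_hash("choose-a-real-passphrase", PASSWORD_DEFAULT);'

declare(strict_types=1);

const ADMIN_USER = 'admin';                                          // assumption
const ADMIN_HASH = '$2y$10$replace.with.the.hash.you.generated........';  // placeholder
const LOGIN_URL  = '/admin/';                                        // index.php with the form
const HOME_URL   = '/admin/main.php';

function auth_boot(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                                   // safe to include twice
    }
    session_set_cookie_params([
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();                              // the call login.php was missing
}

function is_logged_in(): bool
{
    return isset($_SESSION['in']) && $_SESSION['in'] === 1;
}

// Call at the very top of every protected page, before any output,
// otherwise the redirect header cannot be sent.
function require_login(): void
{
    auth_boot();
    if (!is_logged_in()) {
        header('Location: ' . LOGIN_URL);
        exit;                                     // nothing below may run
    }
}

// Handle the POST from index.php. Returns true on success.
function login_attempt(string $user, string $pass): bool
{
    auth_boot();
    // hash_equals and password_verify compare in constant time, and the
    // password is never kept in the source as a literal like '***'.
    $ok = hash_equals(ADMIN_USER, $user) && password_verify($pass, ADMIN_HASH);
    if (!$ok) {
        return false;
    }
    session_regenerate_id(true);                  // new id on privilege change
    $_SESSION['in'] = 1;
    return true;
}

function logout(): void
{
    auth_boot();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// --- login.php reduces to this (redirect instead of echoing a link) ---
// require __DIR__ . '/auth.php';
// $ok = login_attempt($_POST['you'] ?? '', $_POST['me'] ?? '');
// header('Location: ' . ($ok ? HOME_URL : LOGIN_URL . '?failed=1'));
// exit;

// --- main.php, addoffer.php, tabview.php, pay.php all start with ---
// require __DIR__ . '/auth.php';
// require_login();
```

Regenerating the session id at login matters because the id was issued while the visitor was anonymous; without it, anyone who planted or learned that id beforehand owns the admin session once the real user logs in. The redirect-then-exit pattern in login.php also removes the "echo a link, then maybe send a header" ordering problem in the posted version.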
These are the main pages I am interacting with for now. Once the sessions are fixed on one, they should be just as easy to fix on the following pages.
There are all of the interacting pages. Hopefully this will get solved :)
index.php
Code:
<?PHP
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Admin Page</title>
<style type="text/css">
<!--
.style1 {font-size: 16px}
.style4 {font-size: 24px}
-->
</style>
</head>
<body>
<h1>
<?PHP
//simple check to see if the person is logged in
if(isset($_SESSION['in']) && $_SESSION['in'] == 1) {
echo '<font color=green>You are logged in,please go <a href="http://avi.aerohostale.com/admin/main.php">Here</a> to see the main page.</font>';
}
else {
?>
<div align="center" class="style1">
<h1 align="center" class="style4">Admin Login</h1>
<form id="form1" name="form1" method="post" action="login.php">
<p align="center">Username
<input name="you" type="text" id="you" />
</p>
<p align="center">Password
<input name="me" type="password" id="me" />
</p>
<p align="center">
<input type="submit" name="Submit" value="Login" />
<input type="reset" name="Submit2" value="Reset" />
</p>
</form>
<p> </p>
<div align="center" class="style1"></div>
</h1>
<?PHP
}
?>
</body>
</html>

login.php
Code:
<?php
// Same as before, let's start the session
session_start();
// Normally I would check to see if there was a POST var sent
// But first, for clarity, initialize the vars to check
$you = '';
$me = '';
// Now check if the POST var is set and assign new values
if ( isset($_POST['Submit']) ) {
$you = $_POST['you'];
$me = $_POST['me'];
}
// Check the value of the vars to check against what we know already
if(($you == '***') && ($me == '***')) {
// Vars to check matched what we already know
// Let's set our session var 'in' for use beyond this point
// Of course, we know that up to now, the session var 'in' was unset
$_SESSION['in'] = 1;
echo 'You are in,please go <a href="http://avi.aerohostale.com/admin/main.php">Here</a>';
}
else {
// Vars to check did not match the known
header("Location: http://avi.aerohostale.com/admin");
exit(); // Always call exit after a header redirect
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Logging In</title>
</head>
<body>
</body>
</html>

main.php
Code:
<?php
// First things first, start the session
// We should remember to do this on EVERY page in the session domain
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Main Admin Page</title>
</head>
<body>
<?php
// If there is nothing in the session var print_r returns array()
print_r($_SESSION);
// Set our error reporting level
error_reporting(E_ALL);
// Checking to see if the session var 'in' is not set OR if it doesn't equal 1
// So anything other than a value of 1 for the session 'in' var will result in else
if ( !isset($_SESSION['in']) || $_SESSION['in'] != 1 ) {
// Either session var 'in' was not set or it did not equal 1
echo 'You are not logged in,please go to <a href="http://avi.aerohostale.com/admin">Here</a> to login';
}
else {
// session var 'in' was set to 1
echo 'Welcome to the admin page. This is the basic layout so far.<br>Please use one of the links below to do what you would like to.';
echo '<br>';
echo '<br>';
echo '<a href="http://avi.aerohostale.com/admin/addoffer.php">Add An Offer</a>';
echo '<br>';
echo '<a href="http://avi.aerohostale.com/admin/tabview.php">View Pending and Completed Offers</a>';
echo '<br>';
echo '<a href="http://avi.aerohostale.com/admin/pay.php">Make a Payment to Someone</a>';
}
?>
</body>
</html>
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA