cookies and sessions
Posted: Thu Oct 05, 2006 10:10 pm
by Dave2000
I have a site. I can login when cookies are enabled. However, when I disable cookies I can no longer log in.

Help?

How can I solve this please...
Shears

Posted: Thu Oct 05, 2006 10:12 pm
by Flamie
Some code that shows how you "check" if someone is logged in might help ;p
Posted: Thu Oct 05, 2006 10:16 pm
by Luke
If cookies are disabled you have to propagate the session via the URL (?PHPSESSID=klhfas;kldfj)
Posted: Thu Oct 05, 2006 10:24 pm
by Dave2000
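This is the part of the code
Code:
    // No user id in the session: not logged in
    if (!isset($_SESSION['userid'])) {
        redirect('logout.php');
    }
    // Optional IP lock: the address must match the one seen at login
    if ($_SESSION['ip_lock'] == 'true' && $_SESSION['login_ip'] != $_SERVER['REMOTE_ADDR']) {
        redirect('logout.php');
    }
    // The User-Agent must match the one recorded in the session
    if ($_SESSION['useragent'] != $_SERVER['HTTP_USER_AGENT']) {
        redirect('logout.php');
    }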
I don't understand what you mean by "propagate the session via the url". Do you mean I have to write something like...
$id = session_id();
if cookies not set, make the url:
http://domain.com/index.php/?PHPSESSID=$id
Thank you
Posted: Thu Oct 05, 2006 11:06 pm
by s.dot
Seems like your session is configured to use only cookies. Configure your php.ini to not use only cookies.
Posted: Thu Oct 05, 2006 11:07 pm
by Dave2000
I can't. I'm on a shared server

Posted: Thu Oct 05, 2006 11:08 pm
by s.dot
PS:
Code:
    if ($_SESSION['ip_lock'] == 'true' && $_SESSION['login_ip'] != $_SERVER['REMOTE_ADDR']) {
        redirect('logout.php');
    }
This isn't a very reliable statement. AOL browser users change IP addresses on every page view. Same with users with dynamic web proxies.
Posted: Thu Oct 05, 2006 11:09 pm
by s.dot
Shears wrote: I can't. I'm on a shared server

ini_set()
Posted: Thu Oct 05, 2006 11:09 pm
by Dave2000
Actually, it is very reliable. Look closer

Posted: Thu Oct 05, 2006 11:11 pm
by s.dot
Sorry, I don't know your code base well, I was only making a general assumption. Just trying to help!

Posted: Thu Oct 05, 2006 11:28 pm
by Dave2000
Thank you for your help...
Is session.use_only_cookies the variable I would need to change? At the moment, it's set to off. If I'm right, shouldn't session ids be able to be passed in URL when it's off?
Thank you
PS. The IP statement is fine because, before logging in, the user has an option to tick a box, for whether they want their IP to be locked while they are logged in.
Posted: Thu Oct 05, 2006 11:30 pm
by s.dot
Shears wrote: Is session.use_only_cookies the variable I would need to change? At the moment, it's set to off. If I'm right, shouldn't session ids be able to be passed in URL when it's off?
Yes. With this configuration set to ON, it does not allow sessions to be passed via the URL (like when cookies are disabled). With it set to OFF, users with cookies disabled will be able to pass the session through the URL.
Posted: Thu Oct 05, 2006 11:36 pm
by Dave2000
Do you know any other variables that may influence this? Essentially, session.use_only_cookies is set to OFF, but I am still unable to login when I disable cookies.

Posted: Thu Oct 05, 2006 11:40 pm
by s.dot
Shears wrote: Do you know any other variables that may influence this? Essentially, session.use_only_cookies is set to OFF, but I am still unable to login when I disable cookies.

Given the code you've provided, no. That would be the only thing causing it. Are you calling setcookie() anywhere, and depending on it for login? Otherwise, it should work fine! I am not the guru of gurus, so I will let someone else try to help! Good luck bro.
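Added example, not written by anyone in this thread: a PHP session bootstrap covering the settings discussed above (session.use_only_cookies via ini_set()) plus session.use_trans_sid, a redirect that keeps the session for cookieless clients, and a fresh session ID at login. The body of redirect() and the login_user() helper are assumptions, since the thread never shows them.

```php
<?php
// Added example, not code from this thread. The body of redirect() and
// login_user() are hypothetical; the thread never shows them.

// Must run before session_start(). ini_set() returns false when the host
// does not allow a setting to be changed at runtime.
$wanted = array(
    'session.use_cookies'      => '1', // still use a cookie when accepted
    'session.use_only_cookies' => '0', // permit the ID to arrive in the URL
    'session.use_trans_sid'    => '1', // PHP rewrites relative links/forms
);
foreach ($wanted as $key => $value) {
    if (ini_set($key, $value) === false) {
        error_log("cannot change $key at runtime; it stays " . ini_get($key));
    }
}
session_start();

// use_trans_sid rewrites links in the HTML output, not Location headers,
// so a redirect loses the session for cookieless clients unless the ID
// is appended by hand. Only do so when no session cookie came back.
function redirect($path)
{
    if (!isset($_COOKIE[session_name()])) {
        $sep = (strpos($path, '?') === false) ? '?' : '&';
        $path .= $sep . session_name() . '=' . urlencode(session_id());
    }
    header('Location: ' . $path);
    exit;
}

// An ID carried in a URL lands in logs, bookmarks and Referer headers and
// can be chosen by whoever supplied the link. Issue a fresh ID at login so
// a pre-login ID never becomes an authenticated one.
function login_user($userid)
{
    session_regenerate_id(true);
    $_SESSION['userid']    = $userid;
    $_SESSION['login_ip']  = $_SERVER['REMOTE_ADDR'];
    $_SESSION['useragent'] = isset($_SERVER['HTTP_USER_AGENT'])
        ? $_SERVER['HTTP_USER_AGENT'] : '';
}
```

If the error log shows that session.use_trans_sid could not be changed, the host has locked it and every internal link and form action needs the ID appended the same way redirect() does.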