
$_SESSION control and headers

Posted: Fri Oct 06, 2006 1:56 pm
by aceconcepts
Hi,

I am having a lot of difficulty with sessions and in particular 'checking' the session variable in different pages.

What I am trying to do is authorise access to each page by calling auth.inc.php, a file I made that checks the value of a session variable and depending on its value will either grant access or call the login page.

My problem is that when I call auth.inc.php from different pages, the session variable is empty.

Here is my code:

Login page:

Code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
h2
{
	font-family: Arial, Helvetica, Sans-serif;
	font-weight: bold;
	color: #FF9900;
}
</style>
</head>

<body>
<table width="100%" height="100%" border="0" cellpadding="0" cellspacing="0">
  <tr>
    <td>
<form name="login" method="post" action="check_login.php">
        <table width="354" align="center" cellpadding="0" cellspacing="0">
          <tr>
            <td colspan="3"><h2>Smile32 CMS - Secure Log In</h2></td>
          </tr>
<tr>
            <td width="98" height="30"><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Username</font></td>
<td width="120"><input name="username" type="text" size="20"></td>
<td width="134">&nbsp;</td>
</tr>
<tr>
            <td height="30"><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Password</font></td>
<td><input name="pword" type="password" size="20"></td>
<td>&nbsp;</td>
</tr>
<tr>
            <td height="60" colspan="2" align="right"> <div align="center"></div>
              <div align="right">
                <input name="submit" type="submit" value="Log In">
              </div></td></tr>
</table>
</form>
	</td>
	<td>&nbsp;</td>
  </tr>
</table>
</body>
</html>
This login page works fine and the form data is successfully posted.

The code below checks the login values:

Code:

<?php
session_start();
ob_start();
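// Default to empty strings so a request without these fields does not raise notices
$user=isset($_POST['username']) ? $_POST['username'] : '';
$pword=isset($_POST['pword']) ? $_POST['pword'] : '';
$err=0;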

if(empty($user))
{
	$err=1;
}
if(empty($pword))
{
	$err=1;
}

if($err==1)
{ ?>
	<script language="JavaScript" type="text/JavaScript">
		<!--
		function MM_popupMsg(msg) { //v1.0
  			alert(msg);
			javascript: history.go(-1);
		}
		//-->
	</script>
	<body onLoad="MM_popupMsg('Please enter both a username and password!')">
<?
exit;
}

if(isset($_POST['submit']) && $user=="username" && $pword=="password")
{ 

$_SESSION['logged']=1;
header("Location: products/get_products.php");
exit; // stop the script once the redirect header has been sent

} else {
?>
	<script language="JavaScript" type="text/JavaScript">
		<!--
		function MM_popupMsg(msg) { //v1.0
  			alert(msg);
			javascript: history.go(-1);
		}
		//-->
	</script>
	<body onLoad="MM_popupMsg('Invalid username and/or password!')">
<?
}
?>
This script also seems to work fine because the subsequent page (products/get_products.php) is accessed.

However, when I call the script below once I have logged in, the session variable's value is empty:

Code:

<?php
include"../auth.inc.php";
include"../cms_header.php";
include"../conn.inc.php";
?>
<html>
<head>
<title>Smile32 CMS - Orders</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="../../../css/cms_orders.css" type="text/css" rel="stylesheet">
</head>

<body leftmargin="5" topmargin="0">
  <!-- CONTENT USING PHP/MYSQL LOOP -->
  <?
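$view=isset($_REQUEST['view']) ? $_REQUEST['view'] : '';
// Escape the request value before it is placed in the SQL strings below
$cid=mysql_real_escape_string(isset($_REQUEST['cid']) ? $_REQUEST['cid'] : '');
$re_url="http://www.smile32.co.uk" . $_SERVER['PHP_SELF'] . "?view=" . urlencode($view);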

$query=mysql_query("SELECT customer_first_name, customer_last_name FROM customer WHERE customer_id='$cid'");

while($get_row=mysql_fetch_array($query))
{
extract($get_row); 
} ?>
<table width="760" cellpadding="0" cellspacing="0">
<? if($view=="cust")
{ ?>
  <tr><td><h2>Order History for: "<? echo $customer_first_name . " " . $customer_last_name; ?>"</h2></td></tr>
<? } else { ?>
<tr><td><h2>Order History</h2></td></tr>
<? } ?>
<tr><td><a href="order_history.php?view=all">View All Orders</a> | <a href="order_history.php?view=new">View New Orders</a></td></tr>
<tr><td>&nbsp;</td></tr>
</table>

<!-- FIELD HEADERS -->

<table width="760" cellpadding="2" cellspacing="2">
  <tr bgcolor="#FF9900"> 
    <td width="120"><strong><font color="#FFFFFF">Date</font></strong></td>
    <td width="100"><strong><font color="#FFFFFF">Order Code</font></strong></td>
    <td width="220"><strong><font color="#FFFFFF">Customer</font></strong></td>
    <td width="250"><strong><font color="#FFFFFF">Delivery</font></strong></td>
    <td width="60"><strong><font color="#FFFFFF">Total</font></strong></td>
    <td width="200" colspan="2" align="center"><strong><font color="#FFFFFF">Options</font></strong></td>
  </tr>

<?
if(empty($view))
{
	$view="all";
}

switch ($view)
{
case "all":	
	$query="SELECT DISTINCT order_details.order_num, product_order.order_id, product_order.order_date, customer_first_name,
							customer_last_name, product_order.order_total, delivery.del_destination, delivery.del_duration
			FROM product_order, order_details, customer, delivery, product
			WHERE product_order.order_id=order_details.order_num
			AND order_details.product_id=product.prod_code
			AND product_order.customer_id=customer.customer_id
			AND product_order.del_id=delivery.del_id
			ORDER BY product_order.order_date";
	break;

case "new":
	$query="SELECT DISTINCT order_details.order_num, product_order.order_id, product_order.order_date, customer_first_name,
							customer_last_name, product_order.order_total, delivery.del_destination, delivery.del_duration
			FROM product_order, order_details, customer, delivery, product
			WHERE product_order.order_id=order_details.order_num
			AND order_details.product_id=product.prod_code
			AND product_order.customer_id=customer.customer_id
			AND product_order.del_id=delivery.del_id
			AND product_order.status='NEW'
			ORDER BY product_order.order_date";
	break;

case "cust":

	$query="SELECT DISTINCT order_details.order_num, product_order.order_id, product_order.order_date, customer_first_name,
							customer_last_name, product_order.order_total, delivery.del_destination, delivery.del_duration
			FROM product_order, order_details, customer, delivery, product
			WHERE product_order.order_id=order_details.order_num
			AND order_details.product_id=product.prod_code
			AND product_order.customer_id=customer.customer_id
			AND product_order.del_id=delivery.del_id
			AND product_order.customer_id='$cid'
			ORDER BY product_order.order_date";

	break;
}
	$result=mysql_query($query)
		or die(mysql_error());

	if(mysql_num_rows($result)==0)
	{ ?>
  <tr> 
    <td height="30" colspan="7" align="center">There are no orders to display!</td>
  </tr>
</table>
	<? 
	exit;
	}

$total_gross=0;
	while($row=mysql_fetch_array($result))
	{
		extract($row); 
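		// Keep the running total free of thousands separators so it stays numeric for the next addition
		$total_gross=number_format($total_gross + $order_total, 2, '.', '');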
		?>

<tr bgcolor="#DCEFDC">
<td height="30"><a href="get_orders.php?date=<? echo $order_date; ?>" title="View orders placed on <? echo $order_date; ?>" class=data_link><? echo $order_date; ?></a></td>
<td><a href="get_order.php?orderid=<? echo $order_id; ?>" class=data_link title="View details for this order"><? echo $order_id; ?></a></td>
<td><a href="get_customer.php?cid=<? echo $customer_id; ?>" class=data_link title="View orders for <? echo $customer_first_name . " " . $customer_last_name; ?>"><? echo $customer_first_name . " " . $customer_last_name; ?></a></td>
<td><? echo $del_destination . ": " . $del_duration; ?></td>
<td><? echo "£" . $order_total; ?></td>
<td align="center" width="70"><a href="get_order.php?orderid=<? echo $order_id; ?>" class=data_link>View</a></td>
<td align="center" width="70"><a href="modorder.php?action=remove&orderid=<? echo $order_id; ?>&re_url=<? echo $re_url; ?>" class=data_link>Delete</a></td>
</tr>
<?
	}
?>
<tr bgcolor="#FF9900"><td colspan="7">&nbsp;</td></tr>
<tr><td colspan="7">&nbsp;</td></tr>
<tr><td colspan="5" align="right"><font face="Arial, Helvetica, Sans-serif" font size="5" color="#009933"><strong>Total Income <font size="2">(Gross):</font> £<? echo $total_gross; ?></strong></font></td></tr>
</table>
</body>
</html>
Sorry about all the code.

What am I doing wrong?

Posted: Fri Oct 06, 2006 2:01 pm
by RobertGonzalez
Are you calling session_start() before any output to the browser? Have you done a simple session check to see if sessions are working completely? Are you checking the spelling of the session array index for the var you are trying to access? Have you echo'ed that var out before checking it?

Posted: Fri Oct 06, 2006 2:14 pm
by aceconcepts
Hi,

Thanks for the quick reply.

Yes, I have done all that you've asked and still no value appears even when I echo the session variable.

Here is my auth.inc.php script:

Code:

<?php
session_start();
if(isset($_SESSION['logged']) && $_SESSION['logged'] == 1)
{
//do nothing
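} else {
//header("Location: index.php");
?>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://cms.smile32.co.uk/shop">
<?
exit; // stop here so the rest of the including page is not sent to a visitor who is not logged in
}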
?>
On each page I have included this script in order to determine whether the user has logged in.
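
An added example, not part of the original thread or the posters' code: one way to write the session check described above so that it sets the cookie flags before session_start(), redirects with a Location header and then stops the script. The file name session_guard.php, the function names, LOGIN_URL and the HTTPS requirement are assumptions.

```php
<?php
// session_guard.php (hypothetical name): require this first on every protected page.
// Needs PHP 7.3+ for the array form of session_set_cookie_params().

const LOGIN_URL = '/cms/shop/index.php'; // assumed location of the login form

function start_session_or_fail(): void
{
    // Cookies and redirects are HTTP headers, so they must go out before any output.
    if (headers_sent($file, $line)) {
        error_log("session guard: output already started at $file:$line");
        exit; // fail closed rather than render the page without a session check
    }
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function is_logged_in(): bool
{
    // Strict check: only the integer 1 written by mark_logged_in() passes.
    return isset($_SESSION['logged']) && $_SESSION['logged'] === 1;
}

function require_login(): void
{
    if (is_logged_in()) {
        return;
    }
    // Host-relative target: the session cookie is host-only by default, so the
    // browser must stay on the hostname that issued it.
    header('Location: ' . LOGIN_URL, true, 302);
    exit; // without this the protected page below would still be generated
}

// Call from the login handler once the credentials have been verified.
function mark_logged_in(): void
{
    session_regenerate_id(true); // fresh ID at login, guards against session fixation
    $_SESSION['logged'] = 1;
}

// On a protected page: require this file, then start_session_or_fail(); require_login();
```
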

Posted: Fri Oct 06, 2006 2:34 pm
by RobertGonzalez
Before you do anything else clear your browser cache. Then create the following two files. Run page1.php and click the link and see what page2.php shows...

PAGE 1:

Code:

<?php
session_start();
$_SESSION['test']="Page-1-test-var";
echo $_SESSION['test'] . ' is the value set for "test".<br />';
echo 'Our current session id is ' . session_id() . '<br />';
echo '<a href="page2.php">Try the test</a>';
?>
PAGE 2:

Code:

<?php
session_start();
echo $_SESSION['test'] . ' is the value set for "test".<br />';
echo 'Our current session id is ' . session_id() . '<br />';
?>
This will let us see if sessions are working at all. Let's start small and move up from there.

Posted: Fri Oct 06, 2006 2:42 pm
by aceconcepts
Hi,

I created page 1 and 2 and then followed the link and session value was displayed along with the session id.



It worked.

So what am I doing so badly wrong?

Here's the link:

http://www.smile32.co.uk/cms/shop/page1.php

Posted: Fri Oct 06, 2006 2:57 pm
by RobertGonzalez
Okay, try this. Make a new page and add this to it...

Code:

<?php
session_start();
print_r($_SESSION);
?>
Call this page when you would normally call the page you are asking about. It will tell you which SESSION vars are set and what the values of those vars are.

Posted: Fri Oct 06, 2006 3:12 pm
by aceconcepts
Hi,

Can you set a session var equal to a numeric value?

I am asking this because I have set my session variable as follows:

$_SESSION['logged']=1;

But this didn't work.

So I changed it to:

$_SESSION['logged']="1";

And now everything seems to work fine.

Any reason why?

Posted: Fri Oct 06, 2006 3:13 pm
by RobertGonzalez
Yes, you can set any value to a session var (it is an array). I would suggest changing it back to 1 and seeing if it works now. It may have been a cache thing.

Posted: Fri Oct 06, 2006 3:39 pm
by aceconcepts
I changed the session value back to 1 as opposed to "1" and it worked. Everything seems ok.

Thanks for all of your help.