Session ID is being changed when I don't want it to

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
User avatar
A1phanum3ric
Forum Newbie
Posts: 9
Joined: Tue May 30, 2006 6:26 am
Location: Torbay, UK

Session ID is being changed when I don't want it to

Post by A1phanum3ric »

Hey people,

I'm wondering if you could give me clues as to why my session ID changes on one page. I'll explain.

I've developed a CMS which stores the user's session ID upon successful login. All the admin pages have session_start(); at the top, and check that the current session ID still matches that in the database (hence keeping them logged in).

However, on one of my pages (print invoice page), the page will render fine, but when navigating to any other page, you'll be presented with the logon dialog again.

After a lot of testing, I found that this was due to the print invoice page changing the session ID once the page has been loaded, but what I don't understand is why.

session_start(); is called at the beginning of the script, so what could be going wrong?

Cheers,

Ed.

P.S. The following code is the print invoice page:

Code: Select all

<? HIDDEN ?>
Last edited by A1phanum3ric on Thu Nov 02, 2006 11:28 am, edited 1 time in total.
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Only this script/page is causing this behaviour?
Do you use
A1phanum3ric wrote:

Code: Select all

<?
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Expires: " . gmdate("D, d M Y H:i:s") . " GMT");
in any other scripts? (only wild guessing)

Does the script run with error_reporting=E_ALL?
User avatar
A1phanum3ric
Forum Newbie
Posts: 9
Joined: Tue May 30, 2006 6:26 am
Location: Torbay, UK

Post by A1phanum3ric »

Hi thank you very much for your swift reply.

Removing the following lines:

Code: Select all

header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Expires: " . gmdate("D, d M Y H:i:s") . " GMT");
Has no effect on the page. These headers are set throughout the site on all admin pages too... The print invoice page does run fine, it just seems to reset the session_id after executing and outputting the page.

Cheers,

Ed.
User avatar
blacksnday
Forum Contributor
Posts: 252
Joined: Sat Jul 30, 2005 6:11 am
Location: bfe Ohio :(

Post by blacksnday »

The only other part that seems to affect logins
(without knowing the rest of your code)
would be this:

Code: Select all

if (!$oAdmin->isLoggedIn()) 
{ 
        exit; 
}
is that the same control used for other pages requiring login/valid Session ID's?
User avatar
A1phanum3ric
Forum Newbie
Posts: 9
Joined: Tue May 30, 2006 6:26 am
Location: Torbay, UK

Post by A1phanum3ric »

I'm afraid not...


Even commenting out:

Code: Select all

/*
$oAdmin 		= new User(array(	"hostname"=>$DBHostName,
									"username"=>$DBUserName,
									"password"=>$DBPassword,
									"dbname"=>$DBName,
									"tablename"=>"admin"));
*/
/*
if (!$oAdmin->isLoggedIn())
{
	exit;
}
*/
Both the admin/user class and admin check, I'm still getting my session ID changed...
User avatar
blacksnday
Forum Contributor
Posts: 252
Joined: Sat Jul 30, 2005 6:11 am
Location: bfe Ohio :(

Post by blacksnday »

Maybe it is because:

Code: Select all

//----------------------------------------------------------------------------- 
//      SESSION 
//----------------------------------------------------------------------------- 
session_start();
is below the Headers and after all includes?


p.s.
Trial and error was my best teacher...... :P
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

session_start() -if not configured otherwise- tries to set a cookie to store the session id client-side.
This cookie header pops up in headers_list().
The client send the session id as cookie back to the server with the next request. If shows up in $_COOKIE.

Print both lists/arrays in your script and compare the session ids.

Code: Select all

<body marginwidth="0" leftmargin="0" rightmargin="0" topmargin="0" bottommargin="0" onload="this.focus();window.print();">
<?php
echo '<pre>cookies: '; print_r($_COOKIE); echo "</pre>\n";
echo '<pre>headers: '; print_r(headers_list()); echo "</pre>\n";
?>
<table width="650" height="95%" border="0" cellpadding="0" cellspacing="0">
Post Reply