Session ID is being changed when I don't want it to

Posted: Thu Nov 02, 2006 5:11 am
by A1phanum3ric
Hey people,

I'm wondering if you could give me clues as to why my session ID changes on one page. I'll explain.

I've developed a CMS which stores the user's session ID upon successful login. All the admin pages have session_start(); at the top, and check that the current session ID still matches that in the database (hence keeping them logged in).

However, on one of my pages (print invoice page), the page will render fine, but when navigating to any other page, you'll be presented with the logon dialog again.

After a lot of testing, I found that this was due to the print invoice page changing the session ID once the page has been loaded, but what I don't understand is why.

session_start(); is called at the beginning of the script, so what could be going wrong?

Cheers,

Ed.

P.S. The following code is the print invoice page:

Code:

<? HIDDEN ?>

Posted: Thu Nov 02, 2006 5:19 am
by volka
Only this script/page is causing this behaviour?
Do you use
A1phanum3ric wrote:

Code:

<?
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Expires: " . gmdate("D, d M Y H:i:s") . " GMT");
in any other scripts? (only wild guessing)

Does the script run with error_reporting=E_ALL?

Posted: Thu Nov 02, 2006 5:37 am
by A1phanum3ric
Hi, thank you very much for your swift reply.

Removing the following lines:

Code:

header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Expires: " . gmdate("D, d M Y H:i:s") . " GMT");
Has no effect on the page. These headers are set throughout the site on all admin pages too... The print invoice page does run fine, it just seems to reset the session_id after executing and outputting the page.

Cheers,

Ed.

Posted: Thu Nov 02, 2006 5:39 am
by blacksnday
The only other part that seems to affect logins
(without knowing the rest of your code)
would be this:

Code:

if (!$oAdmin->isLoggedIn()) 
{ 
        exit; 
}
Is that the same control used for other pages requiring login/valid session IDs?

Posted: Thu Nov 02, 2006 5:45 am
by A1phanum3ric
I'm afraid not...


Even commenting out:

Code:

/*
$oAdmin 		= new User(array(	"hostname"=>$DBHostName,
									"username"=>$DBUserName,
									"password"=>$DBPassword,
									"dbname"=>$DBName,
									"tablename"=>"admin"));
*/
/*
if (!$oAdmin->isLoggedIn())
{
	exit;
}
*/
Both the admin/user class and admin check, I'm still getting my session ID changed...

Posted: Thu Nov 02, 2006 5:47 am
by blacksnday
Maybe it is because:

Code:

//----------------------------------------------------------------------------- 
//      SESSION 
//----------------------------------------------------------------------------- 
session_start();
is below the Headers and after all includes?


p.s.
Trial and error was my best teacher...... :P

Posted: Thu Nov 02, 2006 5:49 am
by volka
session_start() -if not configured otherwise- tries to set a cookie to store the session id client-side.
This cookie header pops up in headers_list().
The client sends the session id as a cookie back to the server with the next request. It shows up in $_COOKIE.

Print both lists/arrays in your script and compare the session ids.

Code:

<body marginwidth="0" leftmargin="0" rightmargin="0" topmargin="0" bottommargin="0" onload="this.focus();window.print();">
<?php
echo '<pre>cookies: '; print_r($_COOKIE); echo "</pre>\n";
echo '<pre>headers: '; print_r(headers_list()); echo "</pre>\n";
?>
<table width="650" height="95%" border="0" cellpadding="0" cellspacing="0">
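
Added example, not part of the original thread: the comparison volka describes, written as a PHP function that checks the session cookie the browser sent against any Set-Cookie header the response is about to send. The function name diagnoseSessionId and the sample cookie values are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The function name and the
// sample values below are hypothetical.

/**
 * Compare the session id the client sent with any id the response will set.
 * $cookies: request cookies ($_COOKIE)
 * $headers: pending response headers (headers_list())
 * $name:    session cookie name (session_name())
 */
function diagnoseSessionId(array $cookies, array $headers, string $name): array
{
    $received = $cookies[$name] ?? null;
    $issued   = null;
    $pattern  = '/^Set-Cookie:\s*' . preg_quote($name, '/') . '=([^;]*)/i';
    foreach ($headers as $header) {
        // Several Set-Cookie headers may carry the same name; the last one wins.
        if (preg_match($pattern, $header, $m)) {
            $issued = urldecode($m[1]);
        }
    }
    if ($received === null && $issued === null) {
        $status = 'no-session-cookie';   // session_start() set nothing
    } elseif ($received === null) {
        $status = 'new-session';         // first visit, id issued now
    } elseif ($issued === null || $issued === $received) {
        $status = 'unchanged';           // client keeps the id it sent
    } else {
        $status = 'changed';             // response replaces the client's id
    }
    return ['status' => $status, 'received' => $received, 'issued' => $issued];
}

// Constructed sample data standing in for $_COOKIE and headers_list().
// In a page: diagnoseSessionId($_COOKIE, headers_list(), session_name())
// called after session_start() and after all includes have run.
$sampleCookies = ['PHPSESSID' => 'aaaa1111'];
$sampleHeaders = [
    'Content-Type: text/html',
    'Set-Cookie: PHPSESSID=bbbb2222; path=/',
];
$result = diagnoseSessionId($sampleCookies, $sampleHeaders, 'PHPSESSID');

// Log to the server error log instead of the page, so session ids do not
// end up in rendered or printed output.
error_log(sprintf('session check: %s (received=%s, issued=%s)',
    $result['status'], $result['received'] ?? '-', $result['issued'] ?? '-'));
```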