session not working

Posted: Wed Oct 24, 2007 3:38 pm
by monkeymafia
Hi

I have a login form; once logged in, it takes the user to another page (useraccount.php). I've set the session, however I can still access useraccount.php without logging in. Why is this happening?

login form code:

Code:

<?php
session_start();
include 'dbconnect.php';

if (isset($_POST['submit'])) {
    // the raw POST values are concatenated straight into the query string
    if (mysql_num_rows(mysql_query("SELECT fk_memberid, password FROM members WHERE fk_memberid = '".$_POST['username']."' && password = '".$_POST['password']."' ")) > 0) {

        $_SESSION['logged'] = true;
        $_SESSION['username'] = $_POST['username'];
        $memberid = $_POST['username'];
        header('Location: http://www.kumar.adsl24.co.uk/Storm%20B ... memberid=' . $memberid);
        exit;

    } else { // username/password doesn't exist
        header('Location: http://www.kumar.adsl24.co.uk/Storm%20B ... ogin.html');
    }
}
?>

useraccount code:

Code:

<?php
// ob_start() buffers output so that a header('Location: ...') further down the file still works
session_start();
ob_start();

if (!isset($_SESSION['logged'])
    || $_SESSION['logged'] !== true) {

    // not logged in, move to login page
    header('Location: login.php');
    exit;
}
Any help greatly appreciated. Thanks.

Posted: Wed Oct 24, 2007 4:41 pm
by nathanr
Lots of reasons...

Session hasn't finished writing, perhaps? Try using session_write_close() followed by ob_end_flush() to finish writing the session and then force it to send to the browser.
Verify that sessions are indeed being saved on the server (as in saved in files in a tmp dir or similar; also check PHP/Apache has permission to write to the dir).
Try adding in a sleep(1) before sending the header redirect.
If all else fails (which would be strange), send the session info in cookies through the header manually.

Posted: Wed Oct 24, 2007 5:05 pm
by feyd
session_write_close() may be of interest. Also, your code still lacks SQL protection.

Posted: Wed Oct 24, 2007 5:56 pm
by monkeymafia
It's still not working. I've placed the code in useraccount.php like so:

Code:

<?php
session_start();

ob_start();


if (!isset($_SESSION['logged'])
    || $_SESSION['logged'] !== true) {

    // not logged in, move to login page
    header('Location: myaccount.php');
    exit;
} 
session_write_close();
ob_end_flush();

?>
Have I done it right?

Posted: Wed Oct 24, 2007 6:02 pm
by feyd
Did you put session_write_close() in the other script(s) that are setting data and redirecting?

Posted: Wed Oct 24, 2007 6:03 pm
by nathanr
Try...

Code:

<?php
session_start();
include 'dbconnect.php';


if(isset($_POST['submit'])) {
if(mysql_num_rows(mysql_query("SELECT fk_memberid, password FROM members WHERE fk_memberid = '".$_POST['username']."' && password = '".$_POST['password']."' ")) > 0) {

#note below
    ob_start();
############
         $_SESSION['logged'] = true;
         
         $_SESSION['username'] = $_POST['username'];
#2 lines below
    session_write_close();
    ob_end_flush();
############
         $memberid = $_POST['username'];
         header('Location: http://www.kumar.adsl24.co.uk/Storm%20B ... memberid=' . $memberid);
exit;

}else{ //username/password doesn't exist
    header('Location: http://www.kumar.adsl24.co.uk/Storm%20B ... ogin.html');
   
}
}
?>

Posted: Wed Oct 24, 2007 6:13 pm
by monkeymafia
Thanks for the reply.

If I use the code you presented I get the following error when logging in:

Warning: Cannot modify header information - headers already sent by (output started at /home/kumar/public_html/Storm Broadband/myaccount.php:15) in /home/kumar/public_html/Storm Broadband/myaccount.php on line 16


Line 15 is:
ob_end_flush();

Posted: Wed Oct 24, 2007 8:48 pm
by Stryks
I don't know that you need to be using ob_start() at all to be honest.

I think you'd be better off putting your processing code at the top of the screen, and only have output at the bottom.

Unlike the examples from your other thread concerning this, these pages should already work quite happily without ob_start().

Seriously, while I'll admit that using ob_start() can prevent that headers error, you're better off leaving the message because it is telling you something important. It's saying "Hey ... your code is structured so that you're writing something and then trying to redirect ... so ... nobody will see the output".

And if you think about it, the code block at the top makes sense. I mean, there's nothing that is processed at the end that could not be done at the start.

Also, I'd seriously recommend making those changes regarding storing hashed passwords and not plain text versions.

Cheers

Posted: Thu Oct 25, 2007 4:34 am
by monkeymafia
Hey Stryks.

I restructured the code, which eliminates the need for ob_start, but still no luck redirecting non-logged-in users to the logged-in page.
That aside, I looked into the hashed passwords.

Am I right in thinking that I would actually have to send the passwords using md5 via a PHP form, for example a customer create form? Is there no way that this can just be done in phpMyAdmin, altering the password field in some way? I'm only creating part of a system, you see, but if that is the only way I'll have to sort something out. Thanks again :)

Posted: Thu Oct 25, 2007 8:08 am
by Stryks
Now that you've reworked the page and removed all the ob_* calls, what is that latest code revision from nathanr giving (minus the ob_end_flush() of course)?

For the passwords, you should hash them and then send to the database. You'll need a column especially for it matched in length to whatever hash type you go for.

I think you can do a straight md5 on a field using phpMyAdmin, however I'd recommend using the salt method I mentioned in the previous thread.

If you're working around someone else's database structure, or if there is already password data stored, I'd just create a new password column (say ... pass_hash) - varchar with a length of 64 for an md5 - and then just set up a script to pull all the userids and unencrypted passwords, and then make a salted hash and update all records with the appropriate hash. You could delete the original password column, or just keep it, but set it to NULL when updating.

As soon as you do you'll need to have all login methods using the more secure version of course, but it seems that this is your department.

Let us know where you're at with this session issue though ... interested to know what it's doing with just the ob calls removed.

Cheers
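Worked example added here (not code from this thread or from any of the posters) pulling together feyd's point about SQL protection and Stryks's hashing and migration advice. It assumes dbconnect.php creates a mysqli connection in $db and that the members table has a pass_hash column; it swaps in password_hash()/password_verify() (PHP 5.5+) for the md5+salt scheme discussed, and mysqli prepared statements for the string-built query.

```php
<?php
// Added example, not code from the thread. Assumes dbconnect.php creates a
// mysqli connection in $db and `members` has a pass_hash VARCHAR(255) column
// (Stryks's suggested column, sized for password_hash() output). Uses
// password_hash()/password_verify() instead of md5+salt, and prepared
// statements instead of concatenating $_POST into the SQL.
session_start();
include 'dbconnect.php';

// One-off migration: hash each plaintext password into pass_hash and
// blank the original column, as described in Stryks's reply.
function migrate_plaintext_passwords(mysqli $db): int
{
    $rows = $db->query('SELECT fk_memberid, password FROM members WHERE pass_hash IS NULL');
    $upd  = $db->prepare('UPDATE members SET pass_hash = ?, password = NULL WHERE fk_memberid = ?');
    $upd->bind_param('ss', $hash, $id);   // bound by reference, set per row
    $count = 0;
    while ($row = $rows->fetch_assoc()) {
        $id   = $row['fk_memberid'];
        $hash = password_hash($row['password'], PASSWORD_DEFAULT);
        $upd->execute();
        $count++;
    }
    return $count;
}

// Login check: the username is a bound parameter, never spliced into the
// SQL, and the password never reaches the database at all.
function authenticate(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM members WHERE fk_memberid = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();              // true = row found, null = no row
    $stmt->close();
    return $found === true && password_verify($password, $hash);
}

// Processing first, redirect last: nothing is echoed before header().
if (isset($_POST['submit'])) {
    if (authenticate($db, (string) $_POST['username'], (string) $_POST['password'])) {
        session_regenerate_id(true);          // fresh id once privilege changes
        $_SESSION['logged']   = true;
        $_SESSION['username'] = $_POST['username'];
        session_write_close();                // persist before the redirect
        header('Location: useraccount.php');  // page reads the name from the session
        exit;
    }
    header('Location: login.html');
    exit;
}
```

Run migrate_plaintext_passwords($db) once from a CLI script before switching the login page over; useraccount.php can keep the $_SESSION['logged'] gate exactly as posted above.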

Posted: Thu Oct 25, 2007 1:09 pm
by monkeymafia
Thanks for the reply.

This is the code I have placed on the login page:

Code:

<?php

session_start();
include 'dbconnect.php';

if (isset($_POST['submit'])) {
    if (mysql_num_rows(mysql_query("SELECT fk_memberid, password FROM members WHERE fk_memberid = '".$_POST['username']."' && password = '".$_POST['password']."' ")) > 0) {

        $_SESSION['logged'] = true;
        $_SESSION['username'] = $_POST['username'];
        $memberid = $_POST['username'];
        session_write_close();

        header('Location: http://www.kumar.adsl24.co.uk/Storm%20B ... memberid=' . $memberid);
        exit;

    } else { // username/password doesn't exist
        header('Location: http://www.kumar.adsl24.co.uk/Storm%20B ... ogin.html');
        $_SESSION['notlogged'] = true;
    }
}
?>

This is the code I have placed at the top of my user area page:

Code:

<?php
session_start();

if (!isset($_SESSION['logged'])
    || $_SESSION['logged'] !== true) {

    // not logged in, move to login page
    header('Location: http://www.kumar.adsl24.co.uk/Storm%20B ... count.php');
    exit;
} 
session_write_close();


//if(!isset($_SESSION['logged']) || (trim($_SESSION['logged'])=='')) {
	//	header("location: access-denied.php");
	//	exit();
//	}

?>
I just don't understand why it doesn't redirect users to the login page if they're not logged in :?

Posted: Fri Oct 26, 2007 1:24 am
by Stryks
Well, I've run the code here and the basic logic appears to work for me.

Are you sure your sessions are loaded and working? Can you pass simple values between pages with sessions?

There was a recent THREAD on session issues that has a pretty complete set of troubleshooting methods.

Give it a look and see if you can find any issues there. Also, just in passing, I mentioned this somewhere else too, but if the sessions are in fact working, and you are putting $username into the session, then you don't need to redirect to useraccount.php&memberid=$memberid, you can just redirect to useraccount.php and pull the username of the viewer from the session.

Of course, sessions need to be working for you to do this, and there's something screwy going on.
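A diagnostic script added here (not code from the thread) for the checks nathanr and Stryks ask for above: whether the session save path is writable, whether a value survives from one request to the next, and what the session cookie settings are. It assumes the default files save handler and a plain directory in session.save_path.

```php
<?php
// Added diagnostic, not code from the thread. Load it twice in the same
// browser: the first request stores a probe value, the second should read
// it back. Assumes the default 'files' handler and a plain save path.
function session_diagnostics(): array
{
    $path = session_save_path() ?: sys_get_temp_dir();
    $report = [
        'save_handler'       => ini_get('session.save_handler'),
        'save_path'          => $path,
        'save_path_writable' => is_writable($path),   // nathanr's permission check
        'use_cookies'        => (bool) ini_get('session.use_cookies'),
        'use_only_cookies'   => (bool) ini_get('session.use_only_cookies'),
    ];
    // Keep the session id out of reach of scripts running in the page.
    ini_set('session.cookie_httponly', '1');
    session_start();
    $report['session_id']    = session_id();
    $report['cookie_params'] = session_get_cookie_params();
    $report['round_trip']    = isset($_SESSION['probe'])
        ? 'probe survived from previous request'
        : 'first request: storing probe';
    $_SESSION['probe'] = time();
    session_write_close();
    // For the files handler the data should now be on disk under sess_<id>.
    if ($report['save_handler'] === 'files') {
        $file = rtrim($path, '/\\') . DIRECTORY_SEPARATOR . 'sess_' . session_id();
        $report['session_file_written'] = is_file($file) && filesize($file) > 0;
    }
    return $report;
}

header('Content-Type: text/plain');
print_r(session_diagnostics());
```

If save_path_writable or session_file_written is false, the login page cannot persist $_SESSION['logged'] at all, which would explain why useraccount.php never sees it.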