I need some serious help with sessions...



infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm


Post by infolock »

First off, here is what I have:

PHP 4.3.1
Apache 2.0
MySql 3.23.49



Ok now, what I want to do is create sessions for every page that opens. I know I have to do this by using

Code:

<?php  

session_start(); 
	if(isset($_POST['Username'])=='username' and $_POST['Password'] == 'password') 
	{ 
		$_SESSION['Loggedin'] = True; 
	}
	if(!isset($Post['Username']) and $_POST['Password'])
	{
		print ("Username/Password Incorrect.  Please Retry...");
	}

?>
and then using

Code:

session_start();
at the beginning of every page.

However, when I try and use this method, I get the following errors :

Code:

Warning: session_start() [function.session-start]: open(/tmp\sess_4abeb9d0dfefce8c6931aec310ed6df5, O_RDWR) failed: No such file or directory (2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 2

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\Program Files\Apache Group\Apache2\htdocs\login2.php:2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 2

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\Program Files\Apache Group\Apache2\htdocs\login2.php:2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 2

Warning: Cannot modify header information - headers already sent by (output started at C:\Program Files\Apache Group\Apache2\htdocs\login2.php:2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 22

Warning: Unknown(): open(/tmp\sess_4abeb9d0dfefce8c6931aec310ed6df5, O_RDWR) failed: No such file or directory (2) in Unknown on line 0

Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

Now, I have no idea what all this means.... Can anyone please explain this part, which neither the sticky topic nor the manual explains? Thanks...
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

Just in case... here is the code for my login script...

Code:

<?php

	session_start();
	if(isset($_POST['Username'])=='username' and $_POST['Password'] == 'password') 
	{ 
		$_SESSION['Loggedin'] = True; 
	}
	if(!isset($Post['Username']) and $_POST['Password'])
	{
		print ("Username/Password Incorrect.  Please Retry...");
	}
	
	mysql_connect("localhost") or die("Could not connect to MySQL!!");
	mysql_select_db("secretdb") or die("Could not connect to auth Database!");  

	$sql = "select * from users where password='{$_POST['password']}' and username='{$_POST['username']}'"; 
	$result = mysql_query($sql) or die("Could not query table userinfo!!"); 

	$num = mysql_numrows($result); 

	if ($num == "1") 
	{ 
		header("Location: home/admin/admin.php");
		exit;              
	} 

	if ($num == "0") // End of new lines 
	{ 
          	print ("Username/Password Incorrect"); 
	}
?>
phice
Moderator
Posts: 1416
Joined: Sat Apr 20, 2002 3:14 pm
Location: Dallas, TX

Post by phice »

Code:

<?php 

   session_start(); 

   if(!$_POST["Username"] || !$_POST["Password"] || empty($_POST["Username"]) || empty($_POST["Password"])) // Slightly more secure
      die("Username/Password Incorrect.  Please Retry...");

   if($_POST["Username"] == "username" && $_POST["Password"] == "password") 
      $_SESSION["Loggedin"] = True; 
    
   mysql_connect("localhost") or die("Could not connect to MySQL!!"); 
   mysql_select_db("secretdb") or die("Could not connect to auth Database!");  

   $sql = "SELECT * FROM `users` WHERE `password` = '{$_POST['password']}' AND `username` = '{$_POST['username']}'"; 

   if($_SESSION["Loggedin"] == TRUE) // More security
     $result = mysql_query($sql) or die($sql."<p>".mysql_error()); 

   $num = mysql_num_rows($result); 

   if ($num == "1")
      header("Location: home/admin/admin.php"); 
   elseif ($num == "0")
             print ("Username/Password Incorrect"); 
?>
I've fixed your coding to where it should work. Compare the earlier version with this one to learn from any mistakes. A few keynote errors that I have found:

Don't use "and" in if() statements; replace them with &&.
mysql_num_rows(), not mysql_numrows()
Use mysql_error() when querying any database table. ;)


Hope this helps.
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

Thanks, but I'm still getting the session errors :(

Warning: session_start() [function.session-start]: open(/tmp\sess_1e8975b8ed0f899e36314e59aabb028c, O_RDWR) failed: No such file or directory (2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 2

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\Program Files\Apache Group\Apache2\htdocs\login2.php:2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 2

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\Program Files\Apache Group\Apache2\htdocs\login2.php:2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 2

Warning: Cannot modify header information - headers already sent by (output started at C:\Program Files\Apache Group\Apache2\htdocs\login2.php:2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 22

Warning: Unknown(): open(/tmp\sess_1e8975b8ed0f899e36314e59aabb028c, O_RDWR) failed: No such file or directory (2) in Unknown on line 0

Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

Dunno if this will help, but this is my session information from phpinfo();

session
Session Support enabled
Registered save handlers files user

Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_dividend 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /tmp /tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid Off Off
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

Are you on Windows? If so you need to edit:

Code:

session.save_path /tmp
so that it refers to a folder you have created on your computer for holding session files e.g.

Code:

session.save_path C:\php\sessstuff
All of the errors are being caused because there is no /tmp directory.

Mac
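An added check (not code from any post in this thread) that validates session.save_path before session_start() is called, so a missing directory produces one clear error instead of the cascade of "headers already sent" warnings quoted earlier; the folder C:\php\sessstuff is the one suggested above, and any existing folder the web server can write to works.

```php
<?php
// Added example, not from the thread. Validates the session save path
// before session_start() so one clear error is reported instead of the
// cascade of "headers already sent" warnings quoted earlier in the thread.
function session_path_problem($path)
{
    if ($path === '' || $path === false) {
        return 'session.save_path is empty';
    }
    // php.ini may carry an "N;/path" depth prefix; keep only the path part.
    if (strpos($path, ';') !== false) {
        $path = substr($path, strrpos($path, ';') + 1);
    }
    if (!is_dir($path)) {
        return "session.save_path '$path' does not exist";
    }
    if (!is_writable($path)) {
        return "session.save_path '$path' is not writable by the web server";
    }
    return '';
}

// If php.ini still says /tmp (what the poster's phpinfo() showed), override
// it for this script with the folder suggested above; a php.ini edit itself
// only takes effect after Apache is restarted.
if (ini_get('session.save_path') == '/tmp') {
    ini_set('session.save_path', 'C:\\php\\sessstuff');
}
$problem = session_path_problem(ini_get('session.save_path'));
if ($problem !== '') {
    die("Cannot start session: $problem");  // before any output, so no cascade
}
session_start();
?>
```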
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

Yeah, I'm on Windows. Sweeeeeeeeeeeeeeet. So, are you considering the file that the script above belongs to a session file? Thanks for the help :)

edit:

I edited my php.ini file in c:\windows, but it is still giving me the same errors. Also, when I checked the phpinfo() page, it's still reading session.save_path as \tmp instead of the directory I specified... Is there something I'm missing? Do you have to recompile PHP somehow in order for the changes to php.ini to take effect? And if so, how?

edit:

WHOOOOOOOOOOOOOOOOOOOOOT, first of all, I was copying the above code into the wrong script ( *smack head* ). Secondly, after putting the code in the correct file and then restarting my Apache server, the errors have disappeared....

However, there is still the problem with this :

Code:

Username/Password Incorrect. Please Retry.
I'm getting this message every time I try and log on... I have MySQL loaded, Apache and everything. I've tried all the logins that I have in the database, but it's still reading them as incorrect. Can someone tell me what's wrong in the above code that would make it do this? Thanks..

last edit:

I figured out what the problem was..... Jesus, I'm slow this morning..

The script was checking to see if the username and password matched the username and password... but it wasn't even checking the database until later.

So, I just had it do a

Code:

<?php
   if(!isset($_POST['username']) || !isset($_POST['password']))
	die("Username/Password Incorrect.  Please Retry...");
   else
   	$_SESSION['Loggedin'] = True;
?>

and it works fine now. Thanks to everyone for their help, I appreciate it.
lcidw
Forum Commoner
Posts: 58
Joined: Mon Apr 28, 2003 8:55 am
Location: Netherlands

Post by lcidw »

Tried stripslashes() or addslashes() for passing the username and password on a check on the database?

Anyway, what I wanted to ask was.. on a page start, you check if $_SESSION['password'] is set, and then you set $_SESSION['loggedin'].

Why not check if $_SESSION['loggedin'] is set?

(I'm actually building the same thing here..)
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

If I was going to ask, I'd say the biggest thing is making sure what YOU, the developer, are setting to session is true before actually initializing the session. I'm not 100% sure about this, but from what I can tell about this, it helps you out as far as security is concerned ( that way, someone can't just set session to true whenever they feel like it, and view pages they aren't supposed to ).

As far as stripslashes() or addslashes(), I have never used them before. What are they, and how do you use them? Yeah, I know, manual manual manual, but I find it better when someone explains it that has used it ( meaning examples are better than descriptions any day for me ).
lcidw
Forum Commoner
Posts: 58
Joined: Mon Apr 28, 2003 8:55 am
Location: Netherlands

Post by lcidw »

If you don't just check $_SESSION['loggedin'] is TRUE, then why do you set it anyway, are you going to use it somewhere?

addslashes..

$variable = 'super"man';
echo $variable;
$variable = addslashes($variable);
echo $variable;

The echo output is..

super"man -> this could bring a problem using "" in passing the vars or something
super\"man -> this sets an escape in front of the " so it is not passed as a string-sign, but as a simple character.

but now i'm not sure if it would really help you with your problem..
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

Oooooooo, I see what you are talking about. Yeah, I had that in the first script, but it has been revised about another post or 2 down by phice. I had to change some of the code he put in there to fit my needs, but other than that it works great now.

Thanks for that snippet of code. That helped me out a lot. I think that would definitely be a better way of handling echo statements that use "'s ( such as in building <form>'s ).

Here is what the code looks like now :

Code:

<?php

/*   Commented this out.  May come in use later...
   if(!$_POST['Username'] || !$_POST['Password'] || empty($_POST['Username']) || empty($_POST['Password'])) // Slightly more secure 
      die("Username/Password Incorrect.  Please Retry..."); 

   if($_POST['Username'] == 'username' && $_POST['Password'] == 'password') 
      $_SESSION['Loggedin'] = True;
   else
   {
      die("Username/Password Incorrect.  Please Retry..."); 
   }
*/
session_start();

   if(!isset($_POST['username']) || !isset($_POST['password']))
	die("Username/Password Incorrect.  Please Retry...");
   else
   {
   	$_SESSION['Loggedin'] = True;
   }

   mysql_connect("localhost") or die("Could not connect to MySQL!!"); 
   mysql_select_db("secretdb") or die("Could not connect to auth Database!");  

   $sql = "SELECT * FROM `users` WHERE `password` = '{$_POST['password']}' AND `username` = '{$_POST['username']}'"; 

   if($_SESSION['Loggedin'] == TRUE) // More security 
     $result = mysql_query($sql) or die($sql."<p>".mysql_error()); 

   $num = mysql_num_rows($result); 

   if ($num == "1") 
      header("Location: home/admin/admin.php"); 
   elseif ($num == "0") 
             print ("Username/Password Incorrect"); 

?>
lcidw
Forum Commoner
Posts: 58
Joined: Mon Apr 28, 2003 8:55 am
Location: Netherlands

Post by lcidw »

Looks better indeed.

I just don't understand yet why

Code:

<?php
if($_SESSION['Loggedin'] == TRUE) // More security 
     $result = mysql_query..
?>
is more secure.. because the whole script dies if the

Code:

<?php
if(!isset($_POST['username']) || !isset($_POST['password'])) 
?>
fails..
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

Again, it's just for security. You are basically checking to see if the session is started before you go any further a second time. A hacker could start a session and take control of a page, but if you use this method, he has to know exactly where to put more than just one session in order to get that access...

I think... :?
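The login flow this thread ends up with, rewritten as an added example (not code posted by anyone in the thread). It addresses lcidw's two questions: the username is escaped with mysql_real_escape_string() rather than addslashes(), and $_SESSION['Loggedin'] is set only after the database has confirmed the credentials, so the check on every other page has something real to rely on. It assumes the thread's `users` table with `username` and `password` columns and the PHP 4 mysql_* extension the poster is running.

```php
<?php
// Added example, not code from this thread. Assumes the thread's `users`
// table (columns `username`, `password`) and the PHP 4 mysql_* extension.
session_start();

// PHP 4 may have magic_quotes_gpc on, which pre-escapes POST data; undo
// that so the value is escaped exactly once, by the MySQL-aware function.
function clean_post($key)
{
    if (!isset($_POST[$key]) || $_POST[$key] === '') {
        return false;
    }
    return get_magic_quotes_gpc() ? stripslashes($_POST[$key]) : $_POST[$key];
}

// TRUE only when exactly one row matches the username and its stored
// password equals the submitted one. The username goes through
// mysql_real_escape_string() (PHP >= 4.3.0), not addslashes(); the
// password is compared in PHP and never enters the SQL string.
function check_login($username, $password)
{
    $sql = "SELECT `password` FROM `users` WHERE `username` = '"
         . mysql_real_escape_string($username) . "' LIMIT 2";
    $result = mysql_query($sql);
    if (!$result || mysql_num_rows($result) != 1) {
        return false;
    }
    $row = mysql_fetch_assoc($result);
    return $row['password'] === $password;
}

$username = clean_post('username');
$password = clean_post('password');
if ($username === false || $password === false) {
    die("Username/Password Incorrect.  Please Retry...");
}
mysql_connect("localhost") or die("Could not connect to MySQL!!");
mysql_select_db("secretdb") or die("Could not connect to auth Database!");

if (!check_login($username, $password)) {
    die("Username/Password Incorrect");
}
// Only reachable after the database confirmed the credentials. Every
// protected page then needs just session_start() and a check that
// empty($_SESSION['Loggedin']) redirects back to the login form.
$_SESSION['Loggedin'] = true;
header("Location: home/admin/admin.php");
exit;
?>
```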