Page 1 of 1
I need some serious help with sessions...
Posted: Fri May 16, 2003 7:57 pm
by infolock
First off, here is what I have:
PHP 4.3.1
Apache 2.0
MySql 3.23.49
Ok now, what I want to do, is create sessions for every page that opens. I know I have to do this by using
Code: Select all
<?php
session_start();
if(isset($_POST['Username'])=='username' and $_POST['Password'] == 'password')
{
$_SESSION['Loggedin'] = True;
}
if(!isset($Post['Username']) and $_POST['Password'])
{
print ("Username/Password Incorrect. Please Retry...");
}
?>
and then using
at the beginning of every page.
However, when I try and use this method, I get the following errors :
Code: Select all
Warning: session_start() їfunction.session-start]: open(/tmp\sess_4abeb9d0dfefce8c6931aec310ed6df5, O_RDWR) failed: No such file or directory (2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 2
Warning: session_start() їfunction.session-start]: Cannot send session cookie - headers already sent by (output started at C:\Program Files\Apache Group\Apache2\htdocs\login2.php:2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 2
Warning: session_start() їfunction.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\Program Files\Apache Group\Apache2\htdocs\login2.php:2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 2
Warning: Cannot modify header information - headers already sent by (output started at C:\Program Files\Apache Group\Apache2\htdocs\login2.php:2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 22
Warning: Unknown(): open(/tmp\sess_4abeb9d0dfefce8c6931aec310ed6df5, O_RDWR) failed: No such file or directory (2) in Unknown on line 0
Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0
Now, I have no idea what all this means.... Can anyone please explain this part that the sticky topic, NOR the manual explains? thanks...
Posted: Fri May 16, 2003 8:06 pm
by infolock
just in case... here is the code for my login script...
Code: Select all
<?php
session_start();
if(isset($_POST['Username'])=='username' and $_POST['Password'] == 'password')
{
$_SESSION['Loggedin'] = True;
}
if(!isset($Post['Username']) and $_POST['Password'])
{
print ("Username/Password Incorrect. Please Retry...");
}
mysql_connect("localhost") or die("Could not connect to MySQL!!");
mysql_select_db("secretdb") or die("Could not connect to auth Database!");
$sql = "select * from users where password='{$_POST['password']}' and username='{$_POST['username']}'";
$result = mysql_query($sql) or die("Could not query table userinfo!!");
$num = mysql_numrows($result);
if ($num == "1")
{
header("Location: home/admin/admin.php");
exit;
}
if ($num == "0") // End of new lines
{
print ("Username/Password Incorrect");
}
?>
Posted: Fri May 16, 2003 8:21 pm
by phice
Code: Select all
<?php
session_start();
if(!$_POST["Username"] || !$_POST["Password"] || empty($_POST["Username"]) || empty($_POST["Password"])) // Slightly more secure
die("Username/Password Incorrect. Please Retry...");
if($_POST["Username"] == "username" && $_POST["Password"] == "password")
$_SESSION["Loggedin"] = True;
mysql_connect("localhost") or die("Could not connect to MySQL!!");
mysql_select_db("secretdb") or die("Could not connect to auth Database!");
$sql = "SELECT * FROM `users` WHERE `password` = '{$_POST['password']}' AND `username` = '{$_POST['username']}'";
if($_SESSION["Loggedin"] == TRUE) // More security
$result = mysql_query($sql) or die($sql."<p>".mysql_error());
$num = mysql_num_rows($result);
if ($num == "1")
header("Location: home/admin/admin.php");
elseif ($num == "0")
print ("Username/Password Incorrect");
?>
I've fixed your coding to where it
should work. Compare the earlier version with this one to learn from any mistakes. A few keynote errors that I have found:
Don't use "and" in if() statements; replace them with &&.
mysql_num_rows(), not mysql_numrows()
Use mysql_error() when querying any database table.
Hope this helps.
Posted: Fri May 16, 2003 8:47 pm
by infolock
thanks, but i'm still getting the session errors
Warning: session_start() [function.session-start]: open(/tmp\sess_1e8975b8ed0f899e36314e59aabb028c, O_RDWR) failed: No such file or directory (2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 2
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\Program Files\Apache Group\Apache2\htdocs\login2.php:2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 2
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\Program Files\Apache Group\Apache2\htdocs\login2.php:2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 2
Warning: Cannot modify header information - headers already sent by (output started at C:\Program Files\Apache Group\Apache2\htdocs\login2.php:2) in C:\Program Files\Apache Group\Apache2\htdocs\login2.php on line 22
Warning: Unknown(): open(/tmp\sess_1e8975b8ed0f899e36314e59aabb028c, O_RDWR) failed: No such file or directory (2) in Unknown on line 0
Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0
Posted: Fri May 16, 2003 8:59 pm
by infolock
Dunno if this will help, but this is my session information from phpinfo();
session
Session Support enabled
Registered save handlers files user
Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_dividend 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /tmp /tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid Off Off
Posted: Sat May 17, 2003 3:54 am
by twigletmac
Are you on Windows? If so you need to edit:
so that it refers to a folder you have created on your computer for holding session files e.g.
Code: Select all
session.save_path C:\php\sessstuff
All of the errors are being caused because there is no /tmp directory.
Mac
Posted: Sat May 17, 2003 11:47 am
by infolock
yeah, i'm on windows. sweeeeeeeeeeeeeeet. so, are you considering the file that the script above belongs to, a session file ? Thanks for the help
edit:
I edited my php.ini file in c:\windows, but it is still giving me the same errors. Also, when I checked the phpinfo() page, it's still reading session.savepath as \tmp instead of the directory i specified... Is there something I'm missing? Do you have to recompile php somehow in order for the changes to php.ini to take effect? and if so, how ?
edit:
WHOOOOOOOOOOOOOOOOOOOOOT, first of all, i was copying the above code into the wrong script ( *smack head* ). SEcondly, after putting the code in the correct file, and then restarting my apache server, the errors have disappeared....
However, there is still the problem with this :
Code: Select all
Username/Password Incorrect. Please Retry.
I'm getting htis message every time I try and log on... I have mysql loaded, apache and everything. I've tried all my login's that I have on the database, but it's still reading them as incorrect. Can someone tell me what's wrong in the above code that would make it do this? thanks..
last edit:
I figured out what the problem was..... jesus I'm slow this morning..
the script was checking to see if the username and password matched the username and password... but it wasn't even checking the database until later.
So, I just had it do a
Code: Select all
<?php
if(!isset($_POST['username']) || !isset($_POST['password']))
die("Username/Password Incorrect. Please Retry...");
else
$_SESSION['Loggedin'] = True;
?>
and it works fine now. Thanks to everyone for their help, I appreciate it.
Posted: Sat May 17, 2003 12:52 pm
by lcidw
Tried stripslashes() or addslashes() for passing the username and password on a check on the database?
Anyway, what i wanted to ask was.. on a pagestart, you check if $_SESSION['password'] is set, and then you set $_SESSION['loggedin'].
Why not check if $_SESSION['loggedin'] is set?
(i'm actually building the same thing here..)
Posted: Sat May 17, 2003 1:10 pm
by infolock
if i was going to ask, I'd say the biggest thing is making sure what YOU, the developer, are setting to session is true before actually initializing the session. I'm not 100% sure about this, but from what I can tell about this, it helps you out as far as security is concerned ( that way, someone can't just set session to true whenever they feel llike it, and view pages they aren't suposed to ).
as far as stripslashes() or addslashes() , I have never used them before. What are they, and how do you use them? Yeah, I know, manual manual manual, but I find it better when someone explains it that has used it ( meaning examples are better then descriptions any day for me ).
Posted: Sat May 17, 2003 1:17 pm
by lcidw
If you don't just check $_SESSION['loggedin'] is TRUE, then why do you set it anyway, are you going to use it somewhere?
addslashes..
$variable = 'super"man';
echo $variable;
$variable = addslashes($variable);
echo $variable;
echo is..
super"man -> this could bring a problem using "" in passing the vars or something
super\"man -> this sets an escape in front of the " so it is not passed as a string-sign, but as a simple character.
but now i'm not sure if it would really help you with your problem..
Posted: Sat May 17, 2003 1:40 pm
by infolock
Oooooooo, I see where you are talking about. Yeah, I had that in the first script, but it has been revised about another post or 2 down bye phice. I had to change some of the code he put in there to fit my needs, but other then that it works great now.
Thanks for that snplet of code. That helped me out a lot. I think that would definately be a better way of handling echo statments that use "'s ( such as in building <form>'s ) .
Here is what the code looks like now :
Code: Select all
<?php
/* Commented this out. May come in use later...
if(!$_POST['Username'] || !$_POST['Password'] || empty($_POST['Username']) || empty($_POST['Password'])) // Slightly more secure
die("Username/Password Incorrect. Please Retry...");
if($_POST['Username'] == 'username' && $_POST['Password'] == 'password')
$_SESSION['Loggedin'] = True;
else
{
die("Username/Password Incorrect. Please Retry...");
}
*/
session_start();
if(!isset($_POST['username']) || !isset($_POST['password']))
die("Username/Password Incorrect. Please Retry...");
else
{
$_SESSION['Loggedin'] = True;
}
mysql_connect("localhost") or die("Could not connect to MySQL!!");
mysql_select_db("secretdb") or die("Could not connect to auth Database!");
$sql = "SELECT * FROM `users` WHERE `password` = '{$_POST['password']}' AND `username` = '{$_POST['username']}'";
if($_SESSION['Loggedin'] == TRUE) // More security
$result = mysql_query($sql) or die($sql."<p>".mysql_error());
$num = mysql_num_rows($result);
if ($num == "1")
header("Location: home/admin/admin.php");
elseif ($num == "0")
print ("Username/Password Incorrect");
?>
Posted: Sat May 17, 2003 2:31 pm
by lcidw
Looks better indeed.
I just don't understand yet why
Code: Select all
<?php
if($_SESSION['Loggedin'] == TRUE) // More security
$result = mysql_query..
?>
is more secure.. cause the whole script dies if the the
Code: Select all
<?php
if(!isset($_POST['username']) || !isset($_POST['password']))
?>
Fails..
Posted: Sat May 17, 2003 2:40 pm
by infolock
again, it's just for security. You are baiscally checking to see if the session is started before you go any further a second time. a hacker could start a session and take control of a page, but if you use this method, he has to know exactly where to put more then just one session in order to get that access...
I think...
