session information lost on page refresh
Posted: Thu Oct 01, 2009 3:18 pm
So I'm assuming this is a scripting problem on my behalf because it doesn't matter the browser I am using or anything. I am just testing a very basic login script right now and can't get it to work. To test it, what I am doing is calling the login function, then immediately calling the function to check if logged in. Doing so says that everything is shiny; however, if I then edit the script to tell it to just check if I am logged in (it should still be logged in from the last refresh) it does not work. The script requires that $_SESSION['id'] be set, and then compares that session id against what is stored in the database. From one refresh to the next the $_SESSION['id'] information is lost.
The line is enabled for first run, then disabled for second run as I should still be logged in from the first run.
So the login is done, then the login is checked to make sure that the user is logged in... that works perfectly. However, if I go back to the first code and remove the line which performs the login, the $_SESSION should still be set, the session information is still stored in the database... so a login_check() should still work and pass the user as logged in. However, "if(isset($_SESSION['id']) && $_SESSION['loggedin'] == 1)" fails... I wondered why that is and tested again with an echo of the $_SESSION['id'] before running login_check in the first code. If I have JUST logged in then it echoes the session id; however, if I delete the login line and refresh the page, it echoes nothing, $_SESSION['id'] is gone....
I will post my code and results:
This first one is the file I am accessing directly. Username and password are supplied to it via URL (that's not how I plan to do it in the end, it's just for testing purposes).
Code:
<?php
foreach (glob("core/*.php") as $filename)
{
    require_once($filename);
}
$conn = dbconn::connect();
$nick = $_GET['nick'];
$pass = $_GET['pass'];
if (!$nick)
{
    $message = 'you must specify a nick!';
    die($message);
}
if (!$pass)
{
    $message = 'you must specify a password!';
    die($message);
}
auth::login($nick, $pass);
echo "session id:".$_SESSION['id'];
echo "status: ";
if(auth::login_check())
{
    echo "You are logged in\n";
} else {
    echo "You are not logged in\n";
}
?>
Code:
auth::login($nick, $pass);
This is my login function. What it does is check to make sure the username and password match those in the database; I won't show that function as it just returns boolean and it works. If the information is good, then inserted into the database is the user's nick, the session id, the time of login and the user's IP. This information is used to compare against later to make sure a user is logged in. At this stage a session is also created using the shown function. The session id is echoed just for testing purposes; it echoes the $_SESSION['id'] just fine, and returns it, which is then put into the database just fine.
Code:
public function login($nick, $pass)
{
    $nick = mysql_real_escape_string($nick);
    $pass = mysql_real_escape_string($pass);
    //get users IP (X-Forwarded-For is a client-supplied header)
    if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    //prune old users
    $query = "DELETE FROM logged_in WHERE ltime < UNIX_TIMESTAMP()-(15*60)";
    $result = mysql_query($query);
    //compare the supplied username and password against those in the database
    if (auth::comparePass($nick, $pass))
    {
        //if the comparison is good then they are ok to log in, their info gets stored in the database
        $info = array( 'nick' => $nick,
                       'ltime' => time(),
                       'ip' => $ip,
                       //create the session for the user and store the sid in the database
                       'sid' => auth::login_session($nick));
        if(dbconn::insert($info, 'logged_in'))
        {
            //return true once the session information is stored in the database
            return true;
        }
        else
        {
            //insert failed, so update the existing row for this nick instead
            dbconn::update($info, 'logged_in', "nick='".$nick."'");
            return true;
        }
    }
    //our passwords did not match, we return false.
    return false;
}
/**
 * creates the session for the user
 * @param $nick nickname to create session for.
 * @return session id
 */
public function login_session($nick)
{
    if(!isset($_SESSION['id']))
    {
        session_start();
        $_SESSION['id'] = session_id();
    }
    $_SESSION['nick'] = $nick;
    $_SESSION['loggedin'] = 1;
    echo "session id:".$_SESSION['id'];
    return $_SESSION['id'];
}
At this stage the user is logged in. Returning now to my first code, which is the file that I am accessing, it runs the function login_check immediately after performing the login.
The code for that function is as follows:
Code:
/**
 * checks if a user is logged in and valid.
 * this is accomplished by:
 * 1) pruning out of date users
 * 2) checking users session is set and logged in
 * 3) getting users nick from the session variables
 * 4) getting users ip
 * 5) selecting the sessions in the database for that nick
 * 6) comparing the ip and session id (sid) to make sure they match
 *    what is in the database
 * 7) if they don't match then the session in the database is removed
 *
 * @return boolean if user is logged in ok
 */
public function login_check()
{
    $query = "DELETE FROM logged_in WHERE ltime < UNIX_TIMESTAMP()-(15*60)";
    $result = mysql_query($query);
    if(isset($_SESSION['id']) && $_SESSION['loggedin'] == 1)
    {
        $nick = mysql_real_escape_string($_SESSION['nick']);
        //get users IP (X-Forwarded-For is a client-supplied header)
        if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
        {
            $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } else {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        $query = "SELECT * FROM logged_in WHERE nick='".$nick."'";
        $results = dbconn::dbQuery($query);
        foreach($results as $result)
        {
            if($result['ip'] == $ip && $_SESSION['id'] == $result['sid'])
            {
                return true;
            } else {
                //stored row does not match this request, remove it
                $query = "DELETE FROM logged_in WHERE nick='".$nick."' and ip='".$result['ip']."'";
                mysql_query($query);
            }
        }
    }
    else {
        echo "session id not set\n";
    }
    return false;
}
}
So that's my problem in a nutshell, $_SESSION information is lost between one page and the other. My login script is forced to run every page and create the session, but it is my understanding that the $_SESSION should remain active between pages.
Any tips or pointers?
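
An added example, not part of the original post: in the code above, session_start() runs only inside login_session(), so a request that skips auth::login() never loads the stored session and $_SESSION['id'] is unset when login_check() reads it. The sketch below starts the session on every request and issues a fresh id at login; the ex_-prefixed function names are hypothetical, and the database comparison in login_check() is left as posted.

```php
<?php
// Added example, not the poster's code. Function names prefixed ex_ are hypothetical.

// Call once at the top of EVERY request, before any output and before
// $_SESSION is read. Without it PHP never loads the stored session data,
// so $_SESSION['id'] is unset on any page that skips the login call.
function ex_session_bootstrap(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started during this request
    }
    session_set_cookie_params([
        'httponly' => true,   // keep the session cookie away from page scripts
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    ]);
    session_start();
}

// Mark the session as logged in; returns the id to store in logged_in.sid.
function ex_login_session(string $nick): string
{
    ex_session_bootstrap();
    // Issue a fresh id at the privilege change, so an id that was set
    // before login (session fixation) is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['id']       = session_id();
    $_SESSION['nick']     = $nick;
    $_SESSION['loggedin'] = 1;
    return $_SESSION['id'];
}

// Session-side half of login_check(); the logged_in table lookup follows it.
function ex_session_is_logged_in(): bool
{
    ex_session_bootstrap();
    return isset($_SESSION['id'], $_SESSION['loggedin'])
        && $_SESSION['loggedin'] == 1
        && hash_equals($_SESSION['id'], session_id());
}
```

The echo of the session id inside login_session() is dropped here because session_start() and session_regenerate_id() send a cookie header and must run before any output.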