
PHP Session Issue

Posted: Mon Dec 21, 2009 10:56 pm
by Virendra Maloo
Hi,

I have developed a (PHP) application which has been tested on different development servers.

So when I log in to the app and navigate to a specific page just after logging in, the app logs out and I have to re-enter the user credentials. But after logging in again, it works fine (and doesn't show the log-in screen until we log out). I wonder why it works in such an unpredictable way!

I have used sessions for security reasons and am quite eager to know if this is something to do with cache.

I am using the below code on almost all the pages of the app (so that the user just can't enter the URL of the page and start accessing the application).

---------------------

<?php
session_start();

// Stop the browser (and any intermediate cache) from keeping a copy of a protected page.
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");

/*
The app matches the current session ID with the session ID which the previous page has sent, and if they don't match, logs out.
*/

try {
    // isset() avoids an undefined-index notice when the link carried no ?session= parameter;
    // strict comparison (===) avoids PHP's loose string/number coercion.
    if (isset($_GET['session']) && $_GET['session'] === session_id()) {
        // do nothing
    } else {
        echo '<script type="text/javascript">parent.location="../index.php";</script>';
    }
} catch (Exception $e) {
    echo '<script type="text/javascript">parent.location="../index.php";</script>';
}


---------------
I strongly feel that if the app performs well on one server then it should work perfectly fine on the other system.

I, however, have no idea of the php.ini file on the server which throws this issue of logging out, but I can certainly find out the details if it is something to do with the php.ini file.

If there's any modification I need to do in the cache setting, let me know.


Any help/suggestion would be appreciated.
Virendra Maloo.

Re: PHP Session Issue

Posted: Tue Dec 22, 2009 2:41 am
by cpetercarter
Where does $_GET['session'] come from?

If you echo the values of $_GET['session'] and session_id(), you should be able to see whether they contain different values or whether (more probable) $_GET['session'] does not exist. That should give you a clue about where the problem lies.

More generally, I am puzzled about why you are trying to validate your page in this way. session_start() will resume an existing session, and pick up the session id from the session cookie sent by the browser. It adds nothing for the browser to send the session id a second time as a $_GET. A more normal process would be:

- log-in page, session_start(), enter and check name and password
- on successful login, regenerate_session_id(), and set a session variable eg $_SESSION['login'] = true;
- move to another page, session_start()
- check whether there is a session variable 'login' and that its value is 'true'
- if yes, proceed; if no, back to login
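The flow in the list above, written out as an added example (not code from any poster in this thread). It assumes a modern PHP with password_verify(), a hypothetical $users array of username => password_hash() values, and the relative ../index.php login page from the original post; the regenerate call is session_regenerate_id().

```php
<?php
// Added example: cookie-based login state in place of passing session_id() through the URL.
// Assumptions: PHP >= 5.5 (password_verify), a hypothetical $users map, ../index.php as login page.
declare(strict_types=1);

// The session id must travel only in the cookie; never append it to links.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_start();

// Same anti-caching headers as the original post, so a cached copy of a
// protected page is never shown after logout.
function send_no_cache_headers(): void
{
    header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
}

// login.php: verify credentials, then mark the session as logged in.
function login_user(string $username, string $password, array $users): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // Fresh id at the moment of privilege change: whatever id the browser held
    // before authentication is discarded rather than promoted to a logged-in session.
    session_regenerate_id(true);
    $_SESSION['login'] = true;
    $_SESSION['user']  = $username;
    return true;
}

// Included at the top of every protected page instead of the $_GET['session'] check.
function require_login(): void
{
    if (!isset($_SESSION['login']) || $_SESSION['login'] !== true) {
        header('Location: ../index.php');
        exit;
    }
}

// Constructed wiring for login.php (replace with the real user store):
// $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
// send_no_cache_headers();
// if (login_user($_POST['user'] ?? '', $_POST['pass'] ?? '', $users)) {
//     header('Location: page1.php');   // page1.php calls require_login() first
//     exit;
// }
```

The first request after login carries the new cookie, so the $_SESSION['login'] check on page1.php succeeds immediately; nothing session-related needs to be passed in the link.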

Re: PHP Session Issue

Posted: Tue Dec 22, 2009 3:12 am
by s.dot
Most likely the problem you are experiencing has to do with the session cookie being set. A cookie can be set but is not usable until the next page request after it is set.

My guess is that when you first log in, the cookie is being set then, and the script detects that you are not logged in (because your session cookie can't be read until the next page request), thus prompting you to log in. On your next login attempt, you have reloaded the session cookie and it is available for your script to see and check against.

Re: PHP Session Issue

Posted: Tue Dec 22, 2009 3:37 am
by Virendra Maloo
When I redirect my app to a certain page using a link, what I do for that link is this:
====
Page1.php?session=<?php echo session_id(); ?>
====
and the code which I had sent in the original thread is pasted on page1.php, which checks if the current session is equal to the session rec.


I wonder if I can set the session cookie right from the first login?
Is there any way of doing it, or is a modification in php.ini required?

Re: PHP Session Issue

Posted: Tue Dec 22, 2009 7:44 am
by kaisellgren
Log every time the script sends you a redirection and then see where this unexpected redirection occurs.

Re: PHP Session Issue

Posted: Tue Dec 22, 2009 10:41 am
by cpetercarter
Maybe you are making other checks to see whether the session is logged in. But if the only thing you do is to check the session id against the value of $_GET['session'], your site can be hacked easily - http://www.yoursite.com/page1?session=[ ... ter_string] will get me in.

Re: PHP Session Issue

Posted: Wed Dec 23, 2009 12:38 am
by Virendra Maloo
"When I log in for the first time and redirect the user to a certain page, the page expires, and subsequent login redirection works fine."
This is because the session ID I pass through the link is different from the session ID on the redirected page (only for the first-time access!).
(I checked it by echoing it on screen.)