Session Variable Trouble

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Hagar
Forum Newbie
Posts: 18
Joined: Mon May 20, 2002 3:28 am
Location: Johannesburg, South Africa

Session Variable Trouble

Post by Hagar »

I'm having trouble picking up $_SESSION['XXXXX'] from one page to the next. Now I'm using the session_start() function on every page where I want to use $_SESSION['XXXXX'], and what I've noticed is that every page I visit with this function on it creates a new session "file" in my "C:/php/sessiondata", but the new file doesn't have the session data; it's empty.

I suspect that my $_SESSION['XXXXX'] fails because of the new session file that is created and that is empty.

Am I missing a setting in php.ini or am I supposed to pass the session_id() around? Please help!
Syranide
Forum Contributor
Posts: 281
Joined: Fri May 20, 2005 3:16 pm
Location: Sweden

Post by Syranide »

Are you sure you aren't using $_SESSION or something like that before you session_start? (Or do session_destroy in other pages?)

Hard to tell as you didn't post any code, session_start is all you need to do, and the rest goes by itself.

I would say this would fit better under Code, but, wth ;)
Hagar
Forum Newbie
Posts: 18
Joined: Mon May 20, 2002 3:28 am
Location: Johannesburg, South Africa

Post by Hagar »

Code:

<?php

//store variables into a session
 
$debug = 1;
ob_start('install');
session_start('install');
//echo ".".$_POST['dom_name']."".$_POST['tld1'].".".$_POST['tld2'].".";
$_SESSION['dbase_name'] 		= $_POST['dbase_name'];
$_SESSION['dbase_server'] 	= $_POST['dbase_server'];
$_SESSION['dbase_username'] 	= $_POST['dbase_username'];
$_SESSION['dbase_password'] 	= $_POST['dbase_password'];
$_SESSION['table_name'] 		= "tusers";
$_SESSION['install_dir'] 		= $_POST['install_dir'];
$_SESSION['time_zone'] 		= $_POST['time_zone'];
$_SESSION['verify_email'] 	= $_POST['verify_email'];
$_SESSION['default_url'] 		= $_POST['default_url'];
$_SESSION['min_pass_len'] 	= $_POST['min_pass_len'];
$_SESSION['max_pass_len'] 	= $_POST['max_pass_len'];
$_SESSION['log_login'] 		= $_POST['log_login'];
$_SESSION['group_number'] 		= $_POST['num_groups'];
$_SESSION['domain']	= ".".$_POST['dom_name']."".$_POST['tld1'].".".$_POST['tld2'].".";
$_SESSION['admin_email']		= $_POST['admin_email'];

if (!$_POST['num_groups'])
{
	header("Location:install_2.php");
}

echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"style.css\">";
include ('header.html');

if (!$_POST['dbase_name'] || !$_POST['dbase_server'] || !$_POST['dbase_username'] || !$_POST['dbase_password'] || 
	!$_POST['install_dir'] || !$_POST['time_zone'] ||  
	!$_POST['default_url'] || !$_POST['min_pass_len'] || !$_POST['max_pass_len'] || !$_POST['dom_name'] || !$_POST['admin_email'])
{
	echo "<p>You must complete all of the fields, please <a href=\"javascript:history.go(-1)\">Go Back </a>and complete all of the fields.</p>";
	exit;
}


?>

<html>

<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<link rel='stylesheet' type='text/css' href='style.css'>
<title>Login - Redirect Installation</title>
</head>

<body>

Enter the names of your Groups:<br>
(Do not use Administrators or Users as a Group Name as there are pre-configured groups)<br>
<form method='POST' action='install_2.php'>
<?php
$i = 1;
while ($i <= $_SESSION['group_number'])
{
echo "<p>Group $i<br><input type='text' name='group".$i."' size='20'></p>"; // closing quote added after the name attribute
$i++;
}

if ($debug <> 0){
	 echo "db Name: ".$_POST['dbase_name']."<br>" ; 
	 echo 'dbase server: '.$_POST['dbase_server']."<br>" ;
	 echo 'dbase username: '.$_POST['dbase_username']."<br>" ;
	 echo 'Password: '.$_POST['dbase_password']."<br>" ;
	 echo 'Install Dir: '.$_POST['install_dir']."<br>" ;
	 echo 'Time Zone: '.$_POST['time_zone']."<br>" ;
	 echo 'default URL: '.$_POST['default_url']."<br>" ;
	 echo 'min pass Length: '.$_POST['min_pass_len']."<br>" ;
	 echo 'max password Length: '.$_POST['max_pass_len']."<br>" ;
	 echo 'Dom Name: '.$_POST['dom_name']."<br>" ;
	 echo 'Admin Email: '.$_POST['admin_email']."<br>" ;
	 
	echo "Sess db Name: ".$_SESSION['dbase_name']."<br>";
	echo 'Sess dbase server: '.$_SESSION['dbase_server']."<br>";
	echo 'Sess Username: '.$_SESSION['dbase_username']."<br>";
	echo 'Sess Password: '.$_SESSION['dbase_password']."<br>";
	echo 'Sess Table Name: '.$_SESSION['table_name']."<br>";
	echo 'Sess Install Dir: '.$_SESSION['install_dir']."<br>";
	echo 'Sess Time Zone: '.$_SESSION['time_zone']."<br>";
	echo 'Sess Verify EMail: '.$_SESSION['verify_email']."<br>";
	echo 'Sess default URL: '.$_SESSION['default_url']."<br>";
	echo 'Sess min pass Length: '.$_SESSION['min_pass_len']."<br>";
	echo 'Sess max password Length: '.$_SESSION['max_pass_len']."<br>";
	echo 'Sess Log in: '.$_SESSION['log_login']."<br>";
	echo 'Sess Group Number: '.$_SESSION['group_number']."<br>";
	echo 'Sess Dom Name: '.$_SESSION['domain']."<br>";
	echo 'Sess Admin Email: '.$_SESSION['admin_email']."<br>";
}
?>

<p><input type="submit" value="Submit" name="B1"></p>
</form>		


</body>

</html>
install_1.php

Here is the page where I pass the variables that have been passed from the POST to the $_SESSION['xxxx'], and I do get the echos to return the session variables to the page.


Code:

<?php

session_start();
	echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"style.css\">";
	echo $_SESSION['table_name'];
include ('header.html');

$group_array = array();

//echo "Group Number: \"$_SESSION['group_number']\";

$i = 1;

while ($i <= $_SESSION['group_number'])
{
	$group = "group".$i;
	array_push($group_array, $_POST[$group]);
	$i++;
}

$i = 1;

//test connection to dbase verifing dbase name, server, username and password

$connection = @mysql_connect($_SESSION['dbase_server'], $_SESSION['dbase_username'], $_SESSION['dbase_password'])
				or die(mysql_error());
				
$db = @mysql_select_db($_SESSION['dbase_name'],$connection)
				or die(mysql_error());
				
//create a message to be displayed at the end of the installation
if ($db)
{
	echo "Connection to Database ".$_SESSION['dbase_name'] ." Successful.<br>";
}else{
	echo "<p>There was an error connecting to the database.</p>";
	echo "<p><a href='javascript:history.go(-2)'>Please go back and check your Database information.</a></p>";
	exit;
}
?>
install_2.php

In this code I'm wanting to echo $_SESSION['table_name'].

Then the browser returns:

NOTICE: Undefined index table_name in C:\Apache Group\Apache2\www\install\install_2.php on line 5
NOTICE: Undefined index table_name in C:\Apache Group\Apache2\www\install\install_2.php on line 14
Access denied for user 'ODBC'@'localhost' (using password: NO)

Now those errors tell me that it is not picking up the variables that were set in the previous page.
Syranide
Forum Contributor
Posts: 281
Joined: Fri May 20, 2005 3:16 pm
Location: Sweden

Post by Syranide »

I see you are using headers, do note that using headers will discard session cookies under certain circumstances. (as the session ID could be lost)

Try doing a temporary workaround and see if that is it.
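
One way to check whether the session ID survives between requests and across a redirect, as an added example that is not part of the original thread. The file name session_check.php, the `redirect` query parameter and the `hits` / `set_before_redirect` session keys are hypothetical; only standard PHP session functions are used.

```php
<?php
// session_check.php (hypothetical name). Added example, not code from the thread.
// Load it twice in the same browser, then once more as session_check.php?redirect=1.

// The session cookie is sent as an HTTP header, so nothing may be output first.
if (headers_sent($file, $line)) {
    die("Output already started at $file:$line; the session cookie cannot be set.");
}
session_start();

// Redirect test: store a value, flush the session file, redirect, stop.
if (isset($_GET['redirect'])) {
    $_SESSION['set_before_redirect'] = 'yes';
    session_write_close();                  // write the data before leaving
    header('Location: session_check.php');  // relative URL, as in install_1.php
    exit;                                   // nothing after the redirect runs
}

$name = session_name();                     // cookie name, PHPSESSID by default
$cookieSeen = isset($_COOKIE[$name]);       // did the browser send the ID back?

// Counts page loads inside one session. It stays at 1 when every request
// starts a fresh, empty session, which is the symptom described above.
$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;

$report = array(
    'session name'          => $name,
    'session id'            => session_id(),
    'cookie received'       => $cookieSeen ? 'yes' : 'no',
    'hits in this session'  => $_SESSION['hits'],
    'set before redirect'   => isset($_SESSION['set_before_redirect']) ? 'yes' : 'no',
    'session.use_cookies'   => ini_get('session.use_cookies'),
    'session.cookie_path'   => ini_get('session.cookie_path'),
    'session.cookie_domain' => ini_get('session.cookie_domain'),
    'session.save_path'     => ini_get('session.save_path'),
);

// Plain text output, so no value is interpreted as HTML by the browser.
header('Content-Type: text/plain');
foreach ($report as $key => $value) {
    echo str_pad($key, 24) . $value . "\n";
}
```

If "cookie received" is still "no" and the session id changes on the second load, the browser is not returning the session cookie, and the session.cookie_path and session.cookie_domain values in the report are the first settings to compare against the URL being requested.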