PHP Sessions Not working


QuickSnail
Forum Commoner
Posts: 46
Joined: Fri Dec 21, 2007 11:13 am

PHP Sessions Not working

Post by QuickSnail »

I do not understand why this is not working at all.
Sessions were working fine. I tried to set it up so it wouldn't use cookies, only files on the server.
Yeah.. Didn't work.

I set it up to die() so I could see what exactly was happening.
Notice: Undefined index: active in user.htm on line 60

It goes from Index.htm > login.htm > user.htm.
Passes login.htm only if all checks are clear.
It seems to be setting the session_id but nothing in the session..
Also I have noticed that it creates a new session_id and file EVERY time session_start is called.
I set it up to use cookies and yet for some reason it still doesn't work. :dubious:


I put up a test.htm to see some things. I see that the session is being started. I echoed session_id() and it gave a valid sid.
I set a test var and set it to echo. It all worked fine. But I did notice that all of the session data seems to be erased when you move to a new page, like it was a regular variable.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: PHP Sessions Not working

Post by califdon »

Since you haven't shown any of your code, it's hard to guess what's going on. After using session_start();, are you assigning $_SESSION['xxxx'] = $xxx; ?
QuickSnail
Forum Commoner
Posts: 46
Joined: Fri Dec 21, 2007 11:13 am

Re: PHP Sessions Not working

Post by QuickSnail »

Correct, as you can see from the error. I am calling $_SESSION['active'], which is set in login.htm and requested in user.htm.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: PHP Sessions Not working

Post by califdon »

QuickSnail wrote: Correct, as you can see from the error. I am calling $_SESSION['active'], which is set in login.htm and requested in user.htm.

Yes, you are calling $_SESSION['active']. What I asked is whether you are setting $_SESSION['active'] (since the error message is indicating that it has never been set).
QuickSnail
Forum Commoner
Posts: 46
Joined: Fri Dec 21, 2007 11:13 am

Re: PHP Sessions Not working

Post by QuickSnail »

Yes I just told you :wink:
It's set in login.htm
and requested in user.htm.
User.htm is where it is giving me the error. Well.. Notice.

EDIT:
Let's see if this info helps:
[Session]
session.save_handler = files
session.save_path = "C:\temp"
session.use_cookies = 0
session.cookie_secure = 1
session.use_only_cookies = 0
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain = .quicksnail.com
session.cookie_httponly = 1
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.bug_compat_42 = 0
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
;session.entropy_length = 16
;session.entropy_file = /dev/urandom
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 1
session.hash_bits_per_character = 5
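
An added check, not part of the original thread, run against four of the settings posted above: it shows why this combination produces a new session ID on every request. The function name is hypothetical, and serving the site over plain HTTP is an assumption the thread does not confirm.

```php
<?php
// Added example: explain why a [Session] block like the one posted above
// yields a fresh session ID on every request.

/**
 * Return findings for a set of session.* values.
 * $isHttps says whether the site is served over TLS.
 */
function sessionConfigFindings(array $ini, bool $isHttps): array
{
    $findings = [];
    $cookies  = (bool) $ini['session.use_cookies'];
    $transSid = (bool) $ini['session.use_trans_sid'];

    if (!$cookies && !$transSid) {
        $findings[] = 'use_cookies=0 and use_trans_sid=0: PHP has no automatic way to '
                    . 'carry the ID to the next request, so session_start() creates '
                    . 'a new session each time unless links add the ID by hand';
    }
    if ($cookies && $ini['session.cookie_secure'] && !$isHttps) {
        $findings[] = 'cookie_secure=1 on plain HTTP: the session cookie is never sent back';
    }
    if (!$ini['session.use_only_cookies']) {
        $findings[] = 'use_only_cookies=0: an ID supplied in the URL is accepted '
                    . '(session fixation risk)';
    }
    return $findings;
}

// Values copied from the php.ini excerpt in the post above.
$posted = [
    'session.use_cookies'      => 0,
    'session.use_only_cookies' => 0,
    'session.use_trans_sid'    => 0,
    'session.cookie_secure'    => 1,
];

// Assumption: plain HTTP (the thread does not say which scheme was used).
foreach (sessionConfigFindings($posted, false) as $finding) {
    echo "- $finding\n";
}
```

With use_cookies switched back to 1 but cookie_secure left at 1, the second finding is the one that applies on a non-HTTPS site.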
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: PHP Sessions Not working

Post by califdon »

Sorry, I don't recognize that code. What it takes to set a session variable is something like this:

$_SESSION['active']='yes';

Not seeing such a line and considering that the error message said quite specifically that "active" is undefined (the ['active'] is known as the index), I have to ask, once again, where did you set a value for the session variable 'active'?
QuickSnail
Forum Commoner
Posts: 46
Joined: Fri Dec 21, 2007 11:13 am

Re: PHP Sessions Not working

Post by QuickSnail »

Alright. What I posted a minute ago was the .ini, not PHP code.

(Take note: I have Apache set up to accept .htm as .php.)

The index.htm is the main page.
They type a username and password.
It submits to login.htm
login.htm checks it against a database, in this case it's mysql.
If everything is all good it sets $_SESSION['active']='yes'; then it sends the user to user.htm.
Once at user.htm it checks to see if $_SESSION['active'] is set to 'yes'.


login.htm:

if($password==$md5_pass) {
    $_SESSION['active']='yes';
}

user.htm:

if(isset($_SESSION['active'])) {
    if($_SESSION['active']=='yes'){
    }
}


Obviously some coding is removed. You get the idea. I don't believe the error is at all in my coding. I believe it's in the .ini. That's what I believe anyway.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: PHP Sessions Not working

Post by califdon »

You know, it's very simple to test that. Using the same .ini configuration, write a 4 or 5 line script that sets a session variable the first time through and reads it the second time. Unless you have turned off Sessions, I doubt that your .ini configuration could have any bearing on the problem you're presenting. Is that the php.ini file, or Apache, or what? Other than your php file associations, why would you need to muck around in the .ini file? The other thing you could do is revert to the default .ini file and see if your script works.
QuickSnail
Forum Commoner
Posts: 46
Joined: Fri Dec 21, 2007 11:13 am

Re: PHP Sessions Not working

Post by QuickSnail »

I could. I do have a backup file of the php.ini.
See, the only thing is I wanted to try and stop all possibilities of session ID hijacking.
I will try the backup .ini file and fill you in on the result.


EDIT:
Alright. well..... No luck.
The error must be in my coding I guess.. hm. Let me run a quick test.

EDIT:EDIT:
I made a page, in this case test.htm.
This is the code:
session_start();
$_session['test']="yes";
echo $_SESSION['test'];


THEN
I loaded it.

then removed the line
$_SESSION['test']="yes";

then refreshed the page.

AND THE RESULT!

Notice: Undefined index: test in C:\webdocs\55605\index\test.htm on line 3
Paul Arnold
Forum Contributor
Posts: 141
Joined: Fri Jun 13, 2008 10:09 am
Location: Newcastle Upon Tyne

Re: PHP Sessions Not working

Post by Paul Arnold »

$_session['test']="yes";

try changing this to

$_SESSION['test']="yes";
sj15
Forum Newbie
Posts: 2
Joined: Mon Oct 27, 2008 7:07 am

Re: PHP Sessions Not working

Post by sj15 »

Hi,
Even I have the same problem.
Even cookies are also not working for me.
Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Re: PHP Sessions Not working

Post by Stryks »

So ... if you copy this into a new file ... open it, and then refresh, you just get repeated 'SETTING SESSION'?

<?php
session_start();
 
if(!isset($_SESSION['test'])) {
    echo 'SETTING SESSION';
    $_SESSION['test'] = "I'm a session variable ... and I'm OK with that.";
} else 
    echo $_SESSION['test'];
?>
 
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: PHP Sessions Not working

Post by califdon »

In case this will be of any use to you, for comparing line-by-line, I will attach the [session] section of my php.ini file (which I have never modified, other than assigning pathnames when I installed PHP).
Attachments
my_php.ini.zip
(2.45 KiB) Downloaded 20 times
QuickSnail
Forum Commoner
Posts: 46
Joined: Fri Dec 21, 2007 11:13 am

Re: PHP Sessions Not working

Post by QuickSnail »

Yessssssssssssssssssssssssss. Sessions working again. Thanks so much. Whew, that was a rather annoying battle.

Now, as you know (because it's running on your settings), it's set up to use cookies. Isn't that dangerous?
Now, granted, I have an IP check that if the same account logs on with a different IP, both people are logged off.
Once the person logs back on, that IP is logged and the process starts again.
Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Re: PHP Sessions Not working

Post by Stryks »

QuickSnail wrote: It's set up to use cookies. Isn't that dangerous?

Whichever way you use sessions, the session ID is exposed to the user. It's either sent in a cookie or as a part of the URL. Personally, I'll take the cookie any day of the week and twice on Sundays. The reason it is exposed to the user is because, HTTP being a stateless protocol, there is no way to know from one request to the next if a user is the same user as a previous view. So, when you do session_start(), a session token is created and all your $_SESSION data is stored in an associated location on the server side. That session token is created as a cookie on the user-side, or it is appended to every URL (&PHPSESSID=##############) for that user once logged in.

Either method contains the same vulnerabilities, where one user might gain access to another user's token and use that to impersonate that user. My take is that this is a much bigger issue when a user can, say, log in, pass their URL containing their session ID to a friend, and both be logged in on the same account. This is possible if they share the password, but imagine a user accidentally posting that on a forum somewhere. The same is still possible with the cookies of course, but it is a little more complex and is not really going to happen by accident.

You can reduce the impact of session hijacking by taking a number of steps. Regenerating the session ID on each permission level change is a good idea. Depending on how vital your data is you could also force the user to re-enter their password before major actions, regenerating the session as you go. Set your sessions to timeout in a shorter amount of time (10 - 15 minutes say), and avoid using a system that logs a user back in on every visit (forums are probably a good example of an exception to this rule, as people visit often, but a false user will likely not be able to cause too much damage). SSL is also a great option if security is a large concern.

Also, I'd really advise losing the IP check, assuming that an IP match failure will cause a person to be logged out. It is too unreliable to use as an identifier, as an IP can change for a legit user mid-session, and multiple users can share the same IP (schools and workplace networks often fall into this category). Do a search in here for IP checking and you should find a bunch of threads counting the issues.

You can use other information to create a fingerprint, but IP is not the best choice in my opinion.

Anyhow, good luck.
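
The steps listed in the post above (cookie-only sessions, a new session ID on each permission change, a short idle timeout), put together as an added example that is not code from the thread. The function names and the IDLE_LIMIT constant are hypothetical; it assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
// Added example: cookie-only session with ID regeneration and an idle timeout.
const IDLE_LIMIT = 900; // 15 minutes, the upper end of the range suggested above

function startHardenedSession(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept an ID from the URL
    ini_set('session.use_trans_sid', '0');    // never append the ID to links
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,   // keep the cookie away from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // Idle timeout: drop the session data if the last request is too old.
    $last = $_SESSION['last_seen'] ?? null;
    if ($last !== null && time() - $last > IDLE_LIMIT) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = time();
}

// Call once the credentials have been verified (a permission level change).
function markLoggedIn(string $userId): void
{
    session_regenerate_id(true);  // new ID, old session file deleted
    $_SESSION['user_id'] = $userId;
    $_SESSION['active']  = 'yes'; // key name used in the thread
}

// Check on every protected page, after startHardenedSession().
function isLoggedIn(): bool
{
    return ($_SESSION['active'] ?? '') === 'yes';
}
```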