PHP Session hell...

Discussion in 'Web Design and Development' started by bigandy, Oct 24, 2006.

  1. bigandy macrumors G3

    bigandy

    Joined:
    Apr 30, 2004
    Location:
    Murka
    #1
    The website I'm currently working on has a kind of "user status" widget at the top of the screen. It says, among other things, "You're not logged in" or "Welcome [username]" depending on if you are logged in or not.

    Previous to this site I did another that worked in exactly the same way - user logged in, their username was stored in a php_session variable, and the message was determined depending on if the username value was empty or not. It's also worthy to note that the whole site header is called externally from a header.php file.

    Thing is, on the previous site it worked fine. But on this new site, the main pages seem to see the session variable information fine, but the header file cannot.

    Is there any reason for that? The only difference between the new and old sites is that one had all the pages in one folder, and this new one has a structure (mainly because it's sooo complicated).

    :confused:
     
  2. seanf macrumors 6502

    Joined:
    Aug 8, 2006
    Location:
    UK
    #2
    Can you post the relevant code and the session configuration details (see phpinfo()) from the new site?

    Sean :)
     
  3. c-Row macrumors 65816

    c-Row

    Joined:
    Jan 10, 2006
    Location:
    Germany
    #3
    I know cookies are very picky about which directory they were created from, but session variables should work everywhere. :confused: I agree with seanf - some source code would be helpful.
     
  4. Knox Administrator

    Knox

    Staff Member

    Joined:
    Jul 1, 2002
    Location:
    UK
    #4
    When using session variables, the first thing to check is whether you are using $_SESSION to access the variable and if not, is register_globals on (phpinfo() will tell you) and are you trying to access the session variable within a function?
     
  5. gwilli macrumors newbie

    Joined:
    Sep 24, 2006
    Location:
    London Town
    #5
    How are you starting your sessions and assigning your session variables? If you're starting your session after your header file is included using session_start() your header file won't read the session data. If it's before the include statement you can access and assign your session data using $_SESSION['user']['wateva'] = 'Hello'; it might be worth running print_r($_SESSION); in your header file and in your main file and have a look at what the session ID's are... from your main file.

    e.g

    /includes/header.php
    PHP:
    print_r($_SESSION);
    main.php
    PHP:
    include './includes/header.php';
    print_r($_SESSION);
    If they're the same then there shouldn't be anything wrong.... If they're not then one of your files is opening and using new sessions.
    Your code should look something like this.

    main.php
    PHP:
    session_start();
    $_SESSION['user']['id'] = '2';
    include './includes/header.php';
    /includes/header.php
    PHP:
    echo $_SESSION['user']['id'];
    Hope that helps.

    Gav
     
  6. bigandy thread starter macrumors G3

    bigandy

    Joined:
    Apr 30, 2004
    Location:
    Murka
    #6
    Ok, first sorry for the time to reply! Second, this is going to be quite a post!

    I'm leaving this up for a short while (my phpinfo). I have a dedicated server, and this seems to be the same for all the virtual servers running on it. (it's cPanel/WHM on FC4)

    Here's the code from the header:
    Code:
    <?php  if ($_SESSION['MM_Username'] != "") { ?>
    welcome, <?php echo $_SESSION['MM_Username']; ?> | <a href="/manage/login/logout.php">logout</a>
    <?php } else { ?>
    You're not logged in. | <a href="/manage/login/index.php">login</a> <hr noshade="noshade" size="1">No account? <a href="/manage/login/signup.php">Signup!</a><?php } ?>
    And here's the code from the login page. It's just standard Dreamweaver 8 login function fare:
    Code:
    <?php require_once('/Connections/dbc2.php'); ?>
    <?php
    // *** Validate request to login to this site.
    if (!isset($_SESSION)) {
      session_start();
    }
    
    $loginFormAction = $_SERVER['PHP_SELF'];
    if (isset($_GET['accesscheck'])) {
      $_SESSION['PrevUrl'] = $_GET['accesscheck'];
    }
    
    if (isset($_POST['uid'])) {
      $loginUsername=$_POST['uid'];
      $password=$_POST['pwd'];
      $password = md5($password);
      $MM_fldUserAuthorization = "position";
      $MM_redirectLoginSuccess = "/members/index.php";
      $MM_redirectLoginFailed = "loginfailure.php";
      $MM_redirecttoReferrer = false;
      mysql_select_db($database_2pz, $2pz);
      	
      $LoginRS__query=sprintf("SELECT username, password, position FROM users WHERE username='%s' AND password='%s'",
      get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 
       
      $LoginRS = mysql_query($LoginRS__query, $2pz) or die(mysql_error());
      $loginFoundUser = mysql_num_rows($LoginRS);
      if ($loginFoundUser) {
        
        $loginStrGroup  = mysql_result($LoginRS,0,'position');
        
        //declare two session variables and assign them
        $_SESSION['MM_Username'] = $loginUsername;
        $_SESSION['MM_UserGroup'] = $loginStrGroup;	      
    
        if (isset($_SESSION['PrevUrl']) && false) {
          $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
        }
        header("Location: " . $MM_redirectLoginSuccess );
      }
      else {
        header("Location: ". $MM_redirectLoginFailed );
      }
    }
    ?>
    
    And this is from my members page, and it does work...
    Code:
    <?php print_r($_SESSION); ?>
    - it outputs this for me, for example:
    Array ( [MM_Username] => andy [MM_UserGroup] => 0 )

    I don't think I am. I'm not that advanced with PHP to know - hence using the Dreamweaver option :rolleyes:

    Register_globals is off. I was wondering if you were going to say turn it on, but that makes no difference. So it's back off. :)

    As you'll see above, I'm starting sessions using the standard way via Dreamweaver. And the same way I've done it before :(



    Hope someone can shed some light on this, I'm really confuzzled! :confused:
     
  7. bigandy thread starter macrumors G3

    bigandy

    Joined:
    Apr 30, 2004
    Location:
    Murka
    #7
    Just FYI, here's the corresponding code from the previous website:

    header.php
    Code:
    <?php  if ($_SESSION['MM_Username'] != "") { ?>
    welcome, <?php echo $_SESSION['MM_Username']; ?> | <a href="/" class="toplink">home</a> | <a href="javascript:toggleLayer('logoutask');" class="toplink">logout</a>
    <?php } else { ?>
    You're not logged in. <a href="/" class="toplink">home</a> | <a href="javascript:toggleLayer('loginform');" class="toplink">login</a><?php } ?>
    login.php
    Code:
    <?php require_once('Connections/pxl.php'); ?>
    <?php
    mysql_select_db($database_pxl, $pxl);
    $query_login = "SELECT * FROM `user`";
    $login = mysql_query($query_login, $pxl) or die(mysql_error());
    $row_login = mysql_fetch_assoc($login);
    $totalRows_login = mysql_num_rows($login);
    ?><?php
    // *** Validate request to login to this site.
    if (!isset($_SESSION)) {
      session_start();
    }
    
    $loginFormAction = $_SERVER['PHP_SELF'];
    if (isset($_GET['accesscheck'])) {
      $_SESSION['PrevUrl'] = $_GET['accesscheck'];
    }
    
    if (isset($_POST['uid'])) {
      $loginUsername=$_POST['uid'];
      $password=$_POST['pwd'];
      $MM_fldUserAuthorization = "";
      $MM_redirectLoginSuccess = "manage.php?msg=loggedin";
      $MM_redirectLoginFailed = "login.php?msg=fail";
      $MM_redirecttoReferrer = false;
      mysql_select_db($database_pxl, $pxl);
      
      $LoginRS__query=sprintf("SELECT uid, pwd FROM user WHERE uid='%s' AND pwd='%s'",
        get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 
       
      $LoginRS = mysql_query($LoginRS__query, $pxl) or die(mysql_error());
      $loginFoundUser = mysql_num_rows($LoginRS);
      if ($loginFoundUser) {
         $loginStrGroup = "";
        
        //declare two session variables and assign them
        $_SESSION['MM_Username'] = $loginUsername;
        $_SESSION['MM_UserGroup'] = $loginStrGroup;	      
    
        if (isset($_SESSION['PrevUrl']) && false) {
          $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
        }
        header("Location: " . $MM_redirectLoginSuccess );
      }
      else {
        header("Location: ". $MM_redirectLoginFailed );
      }
    }
    ?>
    They really are so similar. The only difference to me seems to be the locations of the files - in this one everything was flat (there were only about 7 files). Because of the complications of the new project everything's been laid out into folders, but this really shouldn't make a difference, should it?

    the locations are like this:

    /manage/login/index.php <-- login file
    /members/index.php <-- home once logged in
    /static/php/header.php <-- the header file causing all the trouble
     
  8. c-Row macrumors 65816

    c-Row

    Joined:
    Jan 10, 2006
    Location:
    Germany
    #8
    That's probably a shot in the blue, but you could try to put the session_start() function in front of everything else. It usually works everywhere as long as there has been no header sent, but you never know...

    I'd also combine these into one chunk of PHP, like this:

    Code:
    <?php
    
    // *** Validate request to login to this site.
    if (!isset($_SESSION)) {
      session_start();
    }
    
    require_once('/Connections/dbc2.php');
    ...
    Might be that there is just one single blank space in between the "?>" and the adjacent "<?php" of your original source code, but that could already count as a header since the browser displays this as a blank space as well.
     
  9. angelneo macrumors 68000

    Joined:
    Jun 13, 2004
    Location:
    afk
    #9
    Just to make sure, are you using IE 7 beta 1? (it's hard to believe, but yes, IE 7 beta 1 causes php session to bug out)

    EDIT: Ignore this, since you are saying other files view the session correctly. The only reason I can come up with off the top of my head now is most likely that your session_start() is placed in the incorrect place.
     
  10. bigandy thread starter macrumors G3

    bigandy

    Joined:
    Apr 30, 2004
    Location:
    Murka
    #10
    most certainly not. i don't even own a Windies box :D

    Thanks for the replies guys, I'll give it a shot and report back when I'm at my G5 in an hour or two :D
     
  11. bigandy thread starter macrumors G3

    bigandy

    Joined:
    Apr 30, 2004
    Location:
    Murka
    #11
    well it was a little more than an hour, but i tried this:

    nope. :(

    I'm truly stumped. I don't really know what to do in this case. I'm going to go and cry, then I think I might see if including the header files in a different way (for example from a .tpl file or something) and see if that works.

    Grr.
     
  12. exabytes18 macrumors 6502

    Joined:
    Jun 14, 2006
    Location:
    Suburb of Chicago
    #12
    I had a bunch of problems when I switched my site over to use sessions exclusively. If you access your site from www.somewebsite.com, a session is created. However, if you go to somewebsite.com, the browser doesn't recognize the session previously created.

    I'm a newbie at this, so this might just be crazy talk.
     
  13. nightelf macrumors 6502

    Joined:
    Mar 25, 2003
    #13
    Hello, I did not read all your posts :p but I think this could be the problem.

    You mentioned that in the first site, everything worked fine, and that every page was in the same folder, but in the second site, that is organized by folder the include is not working well?

    If you have something like this, the includes should be like:

    /manage/login/index.php <-- include('../../static/php/header.php');
    /members/index.php <-- include('../static/php/header.php');
    /static/php/header.php

    You cannot use an absolute path when using PHP functions because it will go to the root of the server, not the domain.

    Do not turn Globals On because it is very insecure. People could write this at the end of your site and get a registered user's access.

    http://www.yoursite.com/?MM_Username=nightelf

    Basically, with globals on, any type of variable can get "overwritten" by another. In this case I'm telling the system to replace your $_SESSION['MM_Username'] with my $_GET['MM_Username'];

    Hope this works.
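
Added example, not part of nightelf's post or the thread's code: one way to include the header from any folder depth by resolving a site-relative path against the document root, and refusing anything that resolves outside it. The helper name `site_path()` and the temporary directory tree are assumptions built for the demonstration.

```php
<?php
// Hypothetical helper (not from the thread): turn a site-relative path such as
// "/static/php/header.php" into a filesystem path under the document root.
function site_path(string $docRoot, string $sitePath): string
{
    $root = realpath($docRoot);
    if ($root === false) {
        throw new RuntimeException("Document root not found: $docRoot");
    }
    // A leading "/" in PHP means the server's filesystem root, so strip it
    // and anchor the path at the document root instead.
    $full = realpath($root . '/' . ltrim($sitePath, '/'));
    // realpath() collapses "../" and symlinks; the result must stay below $root.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($full === false || strncmp($full, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("Not a file inside the site: $sitePath");
    }
    return $full;
}

// In a page, regardless of which folder it lives in:
//   include site_path($_SERVER['DOCUMENT_ROOT'], '/static/php/header.php');

if (PHP_SAPI === 'cli') {
    // Constructed directory tree mirroring the layout described in the thread.
    $root = sys_get_temp_dir() . '/site_' . bin2hex(random_bytes(4));
    mkdir("$root/static/php", 0700, true);
    mkdir("$root/manage/login", 0700, true);
    file_put_contents("$root/static/php/header.php", "header\n");

    echo site_path($root, '/static/php/header.php'), "\n";
    try {
        site_path($root, '/static/../../outside.php');
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```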
     
  14. nightelf macrumors 6502

    Joined:
    Mar 25, 2003
    #14
    You are right. Sessions are based on the address.

    something.com
    www.something.com
    subdomain.something.com

    All of them would have different sessions.
     
  15. Knox Administrator

    Knox

    Staff Member

    Joined:
    Jul 1, 2002
    Location:
    UK
    #15
    However, if it's an issue you can change it using the session_cookie_domain config option in php.ini or via ini_set. Setting it to .something.com (note the initial dot) would mean the cookie was available to all the sub-domains.
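
Added example, not code from the thread: a shared session bootstrap that sets the cookie scope at runtime (the equivalent of the `session.cookie_domain` directive in php.ini), starts the session once before any output, and renders the status widget with the username escaped. The function names and `.example.com` are hypothetical, and the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added illustration. start_site_session(), status_widget() and
// ".example.com" are hypothetical names/values, not from the thread.

function start_site_session(string $cookieDomain, bool $https): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // the including page already started it
    }
    if (headers_sent($file, $line)) {
        // Any output before this point (even stray whitespace outside the PHP
        // tags) means the session cookie can no longer be sent.
        throw new RuntimeException("Output began at $file:$line before the session started");
    }
    session_set_cookie_params([
        'lifetime' => 0,              // session cookie, dropped when the browser closes
        'path'     => '/',            // same cookie for /manage, /members and /static
        'domain'   => $cookieDomain,  // ".example.com" is shared by www. and the bare host
        'secure'   => $https,         // true when the site is served over HTTPS
        'httponly' => true,           // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function status_widget(array $session): string
{
    $user = $session['MM_Username'] ?? '';
    if (!is_string($user) || $user === '') {
        return 'You\'re not logged in. | <a href="/manage/login/index.php">login</a>';
    }
    // The name came from a login form, so escape it before it reaches HTML.
    $safe = htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
    return 'welcome, ' . $safe . ' | <a href="/manage/login/logout.php">logout</a>';
}

// In a page: start_site_session('.example.com', true); echo status_widget($_SESSION);
if (PHP_SAPI === 'cli') {
    // Constructed session arrays, so the widget can be checked without a web server.
    echo status_widget([]), "\n";
    echo status_widget(['MM_Username' => '<b>andy</b>']), "\n";
}
```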
     
