PHP Session hell...

bigandy

macrumors G3
Original poster
Apr 30, 2004
8,852
0
Murka
The website I'm currently working on has a kind of "user status" widget at the top of the screen. It says, among other things, "You're not logged in" or "Welcome [username]" depending on if you are logged in or not.

Previous to this site I did another that worked in exactly the same way - user logged in, their username was stored in a php_session variable, and the message was determined depending on if the username value was empty or not. It's also worthy to note that the whole site header is called externally from a header.php file.

Thing is, on the previous site it worked fine. But on this new site, the main pages seem to see the session variable information fine, but the header file cannot.

Is there any reason for that? The only difference between the new and old sites is that one had all the pages in one folder, and this new one has a structure (mainly because it's sooo complicated).

:confused:
 

c-Row

macrumors 65816
Jan 10, 2006
1,193
1
Germany
bigandy said:
Is there any reason for that? The only difference between the new and old sites is that one had all the pages in one folder, and this new one has a structure (mainly because it's sooo complicated).
I know cookies are very picky about which directory they were created from, but session variables should work everywhere. :confused: I agree with seanf - some source code would be helpful.
 

Knox

Administrator
Staff member
Jul 1, 2002
1,267
1
UK
When using session variables, the first thing to check is whether you are using $_SESSION to access the variable and if not, is register_globals on (phpinfo() will tell you) and are you trying to access the session variable within a function?
 

gwilli

macrumors newbie
Sep 24, 2006
28
0
London Town
How are you starting your sessions and assigning your session variables? If you're starting your session after your header file is included using session_start() your header file won't read the session data. If it's before the include statement you can access and assign your session data using $_SESSION['user']['wateva'] = 'Hello'; it might be worth running print_r($_SESSION); in your header file and in your main file and have a look at what the session ID's are... from your main file.

e.g

/includes/header.php
PHP:
print_r($_SESSION);
main.php
PHP:
include './inclides/header.php';
print_r($_SESSION);
if their the same then there shouldn't be anything wrong.... if their not then one of your files are opening and using new sessions.
Your code should look something like this.

main.php
PHP:
session_start();
$_SESSION['user']['id'] = '2';
include './inclides/header.php';
/includes/header.php
PHP:
echo $_SESSION['user']['id'];
Hope that helps.

Gav
 

bigandy

macrumors G3
Original poster
Apr 30, 2004
8,852
0
Murka
Ok, first sorry for the time to reply! Second, this is going to be quite a post!

Can you post the relevant code and the session configuration details (see phpinfo()) from the new site?
I'm leaving this up for a short while (my phpinfo). I have a dedicated server, and this seems to be the same for all the virtual servers running on it. (it's cPanel/WHM on FC4)

Here's the code from the header:
Code:
<?php  if ($_SESSION['MM_Username'] != "") { ?>
welcome, <?php echo $_SESSION['MM_Username']; ?> | <a href="/manage/login/logout.php">logout</a>
<?php } else { ?>
You're not logged in. | <a href="/manage/login/index.php">login</a> <hr noshade="noshade" size="1">No account? <a href="/manage/login/signup.php">Signup!</a><?php } ?>
And here's the code from the login page. It's just standard Dreamweaver 8 login function fayre:
Code:
<?php require_once('/Connections/dbc2.php'); ?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['uid'])) {
  $loginUsername=$_POST['uid'];
  $password=$_POST['pwd'];
  $password = md5($password);
  $MM_fldUserAuthorization = "position";
  $MM_redirectLoginSuccess = "/members/index.php";
  $MM_redirectLoginFailed = "loginfailure.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_2pz, $2pz);
  	
  $LoginRS__query=sprintf("SELECT username, password, position FROM users WHERE username='%s' AND password='%s'",
  get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 
   
  $LoginRS = mysql_query($LoginRS__query, $2pz) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    
    $loginStrGroup  = mysql_result($LoginRS,0,'position');
    
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;	      

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>
And this is from my members page, and it does work...
Code:
<?php print_r($_SESSION); ?>
- it outputs this for me, for example:
Array ( [MM_Username] => andy [MM_UserGroup] => 0 )

When using session variables, the first thing to check is whether you are using $_SESSION to access the variable and if not, is register_globals on (phpinfo() will tell you) and are you trying to access the session variable within a function?
I don't think I am. I'm not that advanced with PHP to know - hence using the Dreamweaver option :rolleyes:

Register_globals is off. I was wandering if you were going to say turn it on, but that makes no difference. So it's back off. :)

How are you starting your sessions and assigning your session variables? If you're starting your session after your header file is included using session_start() your header file won't read the session data. If it's before the include statement you can access and assign your session data using $_SESSION['user']['wateva'] = 'Hello'; it might be worth running print_r($_SESSION); in your header file and in your main file and have a look at what the session ID's are... from your main file.
As you'll see above, I'm starting sessions using the standard way via Dreamweaver. And the same way I've done it before :(



Hope someone can shed some light on this, I'm really confuzzled! :confused:
 

bigandy

macrumors G3
Original poster
Apr 30, 2004
8,852
0
Murka
Just FYI, here's the corresponding code from the previous website:

header.php
Code:
<?php  if ($_SESSION['MM_Username'] != "") { ?>
welcome, <?php echo $_SESSION['MM_Username']; ?> | <a href="/" class="toplink">home</a> | <a href="javascript:toggleLayer('logoutask');" class="toplink">logout</a>
<?php } else { ?>
You're not logged in. <a href="/" class="toplink">home</a> | <a href="javascript:toggleLayer('loginform');" class="toplink">login</a><?php } ?>
login.php
Code:
<?php require_once('Connections/pxl.php'); ?>
<?php
mysql_select_db($database_pxl, $pxl);
$query_login = "SELECT * FROM `user`";
$login = mysql_query($query_login, $pxl) or die(mysql_error());
$row_login = mysql_fetch_assoc($login);
$totalRows_login = mysql_num_rows($login);
?><?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['uid'])) {
  $loginUsername=$_POST['uid'];
  $password=$_POST['pwd'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "manage.php?msg=loggedin";
  $MM_redirectLoginFailed = "login.php?msg=fail";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_pxl, $pxl);
  
  $LoginRS__query=sprintf("SELECT uid, pwd FROM user WHERE uid='%s' AND pwd='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 
   
  $LoginRS = mysql_query($LoginRS__query, $pxl) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";
    
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;	      

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>
They really are so similar. The only difference to me seems to be the locations of the files - in this one everything was flat (there were only about 7 files). Because of the complications of the new project everything's been laid out into folders, but this really shouldn't make a difference, should it?

the locations are like this:

/manage/login/index.php <-- login file
/members/index.php <-- home once logged in
/static/php/header.php <-- the header file causing all the trouble
 

c-Row

macrumors 65816
Jan 10, 2006
1,193
1
Germany
That's probably a shot in the blue, but you could try to put the session_start() function in front of everything else. It usually works everywhere as long as there has been no header sent, but you never know...

I'd also combine these into one chunk of PHP, like this:

Code:
<?php

// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();

 require_once('/Connections/dbc2.php');
...
Might be that there is just one single blank space in between the "?>" and the adjacent "<?php" of your original source code, but that could already count as a header since the browser displays this as a blank space as well.
 

angelneo

macrumors 68000
Jun 13, 2004
1,541
0
afk
Just to make sure, are you using IE 7 beta 1? (it's hard to believe, but yes, IE 7 beta 1 causes php session to bug out)

EDIT: Ignore this, since you are saying other files view the session correctly. The only reason I can come up with off the top of my head now is most likely that your session_start() is placed in the incorrect place.
 

bigandy

macrumors G3
Original poster
Apr 30, 2004
8,852
0
Murka
Just to make sure, are you using IE 7 beta 1? (it's hard to believe, but yes, IE 7 beta 1 causes php session to bug out)
most certainly not. i don't even own a Windies box :D

Thanks for the replies guys, I'll give it a shot and report back when I'm at my G5 in an hour or two :D
 

bigandy

macrumors G3
Original poster
Apr 30, 2004
8,852
0
Murka
well it was a little more than an hour, but i tried this:

That's probably a shot in the blue, but you could try to put the session_start() function in front of everything else. It usually works everywhere as long as there has been no header sent, but you never know...

I'd also combine these into one chunk of PHP, like this:

#code...

Might be that there is just one single blank space in between the "?>" and the adjacent "<?php" of your original source code, but that could already count as a header since the browser displays this as a blank space as well.
nope. :(

I'm truly stumped. I don't really know what to do in this case. I'm going to go and cry, then I think I might see if including the header files in a different way (for example from a .tpl file or something) and see if that works.

Grr.
 

exabytes18

macrumors 6502
Jun 14, 2006
287
0
Suburb of Chicago
I had a bunch of problems when I switched my site over to use sessions exclusively. If you access your site from http://www.somewebsite.com, a session is created. However, if you go to somewebsite.com, the browser doesn't recognize the session previously created.

I'm a newbie at this, so this might just be crazy talk.
 

nightelf

macrumors 6502
Mar 25, 2003
269
0
Hello, I did not read all your posts :p but I think this could be the problem.

You mentioned that in the first site, everything worked fine, and that every page was in the same folder, but in the second site, that is organized by folder the include is not working well?

If you have something like this, the includes should be like:

/manage/login/index.php <-- include('../../static/php/header.php');
/members/index.php <-- include('../static/php/header.php');
/static/php/header.php

You cannot use absolute path when using PHP functions because it will go the the root of the server, not the domain.

Do not turn Globals On because is very unsecure. People could write this at the end of your site and get a registered user access.

http://www.yoursite.com/?MM_Username=nightelf

Basically, with globals on, any type of variable can get "overwrite" by another. In this case im telling the system to replace your $_SESSION['MM_Username'] with my $_GET['MM_Username'];

Hope this work.
 

nightelf

macrumors 6502
Mar 25, 2003
269
0
I had a bunch of problems when I switched my site over to use sessions exclusively. If you access your site from http://www.somewebsite.com, a session is created. However, if you go to somewebsite.com, the browser doesn't recognize the session previously created.

I'm a newbie at this, so this might just be crazy talk.
You are right. Sessions are based on the address.

something.com
http://www.something.com
subdomain.something.com

All of them would have different sessions.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.