
Thread: Session problem

  1. #1 SitePoint Addict (Shanghai, China; joined Feb 2001; 214 posts)
    It seems I'm in trouble with my server. Most of my scripts, which actually ran fine for the last weeks, don't work anymore. One of my problems is this here:
    I have a user section where I use sessions. It worked fine; the login script looks like this (I got it from Kevin's tutorial "Managing user..."):

    <?php
    include("common.php");
    include("db.php");
    include("dologin.php3");

    session_start();

    if (!isset($uid)) {
    ?>

    <!-- html form for user-registration (asks for $uid and $pwd) -->

    <?php
    exit;
    }

    session_register("uid");
    session_register("pwd");

    dbConnect("xxx");
    $sql = "SELECT * FROM veranstalter WHERE
            userid = '$uid' AND password = '$pwd'";
    $result = mysql_query($sql);

    if (mysql_num_rows($result) == 0) {
        session_unregister("uid");
        session_unregister("pwd");

        dologin("Sorry, invalid password");

        exit;
    }

    ?>

    And I put a:
    PHP Code:
    <?php include("login.php"); ?>
    on the top of every script in the user area. This worked fine, but now I can log in to the user area, but when I click to the next page in the user section I see the form again to enter my username and password. So it seems that the sessions do not work. As I didn't change the script, and it worked fine until yesterday, it seems that some settings on the server changed. Is there any way to check the settings or check if the sessions work, or whatever?

  2. #2
    ********* Callithumpian silver trophy freakysid's Avatar
    Join Date
    Jun 2000
    Location
    Sydney, Australia
    Posts
    3,798
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Put a page up on your server which contains the following code.
    PHP Code:
    <?php php_info() ?>
    php_info() prints out a whole lot of info on the php configuration on the server. There will be a section with all the php session settings. Maybe your host turned sessions off for some reason?!?

    BTW, are you querying the database every time a page which includes that script is accessed (which is how it appears to me). That's not necessary. If it helps at all, here is a really simple script I wrote. index.php is the index page of the protected directory.
    PHP Code:
    <?php
    session_start();

    $auth = false;

    if (isset($logout)) {
        session_unset();
    }

    if (isset($userID) && isset($pw)) {
        include("../dbconnect.php");
        $sqlStr = "SELECT * FROM user WHERE
                   id='$userID' AND password='$pw'";
        $result = mysql_query($sqlStr, $dbconx)
                  or die(mysql_errno() . " : " . mysql_error());
        $numRows = mysql_num_rows($result);
        if ($numRows == 1) { $auth = true; }
    }

    if ($auth) {
        //session_start();
        session_register("usid");
        $usid = substr(md5(time()), 0, 6);
    }

    if ($auth || isset($usid)) {

        // index page content

    } else {
        echo "
            <html>
            <head><title>Admin - Log In</title>
            <meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'>
            </head>
            <body bgcolor='#FFFFFF' text='#000000' onLoad='document.forms[0].elements[0].focus()'>
            <h1>Log In</h1>
            <p>
            <form name='addItem' method='post' action='$PHP_SELF'>
            <input type='text' name='userID' size='12'> User ID<br>
            <input type='password' name='pw' size='12'> Password<br>
            <input type='submit' value='submit'>
            </form>
            </body></html>
            ";
    }
    ?>
    Then I include this file at the top of all subsequent pages in the protected directory:
    PHP Code:
    <?php
    session_start();
    if (! isset($usid)) {
        echo "
            <html><head>
            <META HTTP-EQUIV='Refresh'
                CONTENT='0; URL=index.php'>
            </head>
            <body>
            <a href='index.php'>please log in</a>
            </body></html>
            ";
        exit;
    }
    ?>
    Last edited by freakysid; Apr 30, 2001 at 20:04.

  3. #3 SitePoint Addict (Shanghai, China; joined Feb 2001; 214 posts)
    Hey freakysid
    It should be:
    PHP Code:
    phpinfo();
    and not:
    PHP Code:
    php_info();
    What I got there is this here:

    Directive                  Local Value   Master Value
    session.auto_start         Off           Off
    session.cache_expire       180           180
    session.cache_limiter      nocache       nocache
    session.cookie_domain      no value      no value
    session.cookie_lifetime    0             0
    session.cookie_path        /             /
    session.entropy_file       no value      no value
    session.entropy_length     0             0
    session.gc_maxlifetime     1440          1440
    session.gc_probability     1             1
    session.name               PHPSESSID     PHPSESSID
    session.referer_check      no value      no value
    session.save_handler       files         files
    session.save_path          /tmp          /tmp
    session.serialize_handler  php           php
    session.use_cookies        On            On

    But what does it mean, or how should it look? Should "session auto start" be set to "ON"?

    For the login script: I can not see the basic difference. In both cases we check if there is a session "userid"; if not, we return the form and query the database. So it's just querying the db once, not on every page. Please correct me if I'm wrong.

  4. #4 SitePoint Addict (Shanghai, China; joined Feb 2001; 214 posts)
    Just saw another point in the list I forgot to copy:

    Session Support: enabled
    Hmm, this looks like the solution to my session-problem.

  5. #5 freakysid, Callithumpian (Sydney, Australia; joined Jun 2000; 3,798 posts)
    OK - those session settings look to be the standard/default set up. There should not be a problem there. Also, check the configure command and make sure that track_vars is enabled. You need that to be able to access things like cookie values directly, as you do when you refer to $uid in your code.

    Hehe - this is the point when someone expert at using php sessions and cookies is supposed to jump in. I just tried to get the ball rolling.

  6. #6 Dumb PHP codin' cat (San Diego, CA; joined Aug 2000; 5,460 posts)
    Well, to check if sessions are even working, try printing $PHPSESSID after you call session_start(); if you get a value then you know sessions are working. The next thing to do is to attempt to run your script manually; then, when you think it has run successfully, take that string that was printed out ($PHPSESSID), go into the /tmp folder, look for the file with your session id in the name, and open it. You should see some serialized data; in it should be your $userID, so make sure it has a value. Another good way to debug session data is to put this on every page for debugging:

    PHP Code:
    session_start();
    foreach ($HTTP_SESSION_VARS as $key => $val) {
        print "$key = $val<br>";
    }

    Please don't PM me with questions.
    Use the forums, that is what they are here for.

  7. #7 SitePoint Addict (Shanghai, China; joined Feb 2001; 214 posts)
    As $PHPSESSID I get a value, so sessions are working.
    For the second way I found the file in the /tmp directory, but I can not open or copy it, and it is not possible to change the permissions of this directory.

  8. #8 Dumb PHP codin' cat (San Diego, CA; joined Aug 2000; 5,460 posts)
    I would suggest using MySQL to store session data; it's really easy to set up. All you have to do is create a table in your database and then include about 5 functions that will change the way PHP natively handles sessions, from files to a db. Here are the functions you will need to include on every page you want to use sessions. This way it will be much easier to debug: you can just look in the sessions table of your db to see what vars are getting set and which aren't.


    PHP Code:
    <?php

    ########################## session handling crap ###############################
    $db = mysql_connect("****", "******", "*******");
    mysql_select_db("****");
    $sess_lifetime = get_cfg_var("session.gc_maxlifetime");

    function sess_open($save_path, $session_name) {
        global $db;
        return $db;
    }

    function sess_close() {
        return true;
    }

    function sess_read($key) {
        global $db;
        // only a row that has not expired yet counts as a live session;
        // the session id is escaped because it arrives from the client
        $result = mysql_query(sprintf("SELECT value FROM sessions WHERE sesskey = '%s' AND expire > %s",
                                      addslashes($key), time()));
        if (mysql_num_rows($result) > 0) {
            $row = mysql_fetch_array($result);
            return $row["value"];
        } else {
            return "";   // empty string = no session data
        }
    }

    function sess_write($key, $val) {
        global $db, $sess_lifetime;
        $expire = time() + $sess_lifetime;
        $value = addslashes($val);
        $key = addslashes($key);
        mysql_query(sprintf("UPDATE sessions SET expire = %s, value = '%s' WHERE sesskey = '%s' AND expire > %s",
                            $expire, $value, $key, time()));
        // no live row was updated: write a new one (REPLACE also overwrites an
        // expired row with the same key). mysql_affected_rows() takes the link.
        if (mysql_affected_rows($db) < 1) {
            mysql_query(sprintf("REPLACE INTO sessions SET sesskey = '%s', expire = %s, value = '%s'",
                                $key, $expire, $value));
        }
        return true;
    }

    function sess_destroy($key) {
        global $db;
        mysql_query(sprintf("DELETE FROM sessions WHERE sesskey = '%s'", addslashes($key)));
        return mysql_affected_rows($db);
    }

    // garbage collector: PHP calls this with session.gc_maxlifetime; it must
    // only remove expired rows, not the current session
    function sess_gc($maxlifetime) {
        global $db;
        mysql_query(sprintf("DELETE FROM sessions WHERE expire < %s", time()));
        return mysql_affected_rows($db);
    }

    session_set_save_handler("sess_open",
                             "sess_close",
                             "sess_read",
                             "sess_write",
                             "sess_destroy",
                             "sess_gc");

    ?>
    Here is the database table schema

    Code:
    CREATE TABLE sessions (
      sesskey varchar(32) DEFAULT '' NOT NULL,
      expire int(11) unsigned,
      value text,
      PRIMARY KEY (sesskey)
    );
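    As an added example (not the poster's code), the same sessions table driven through PHP's SessionHandlerInterface over PDO: it assumes PHP 8, uses an in-memory SQLite copy of the table so it runs offline (point the DSN at MySQL for the real one), and its gc() removes only expired rows rather than the current session.

```php
<?php
// Added example, not the thread's code: the sessions table behind a
// SessionHandlerInterface class (PHP 8 assumed). Bound parameters keep the
// client-supplied session id out of the SQL text; expired rows are never read.
class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo, private int $lifetime) {}

    public function open($path, $name): bool { return true; }
    public function close(): bool { return true; }

    public function read($id): string
    {
        $st = $this->pdo->prepare('SELECT value FROM sessions WHERE sesskey = ? AND expire > ?');
        $st->execute([$id, time()]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? (string) $row['value'] : '';   // '' means no session data
    }

    public function write($id, $data): bool
    {
        // REPLACE covers both the first write and later updates (MySQL and SQLite)
        $st = $this->pdo->prepare('REPLACE INTO sessions (sesskey, expire, value) VALUES (?, ?, ?)');
        return $st->execute([$id, time() + $this->lifetime, $data]);
    }

    public function destroy($id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE sesskey = ?')->execute([$id]);
    }

    public function gc($max_lifetime): int|false
    {
        // only rows whose expire timestamp has passed are removed
        $st = $this->pdo->prepare('DELETE FROM sessions WHERE expire < ?');
        return $st->execute([time()]) ? $st->rowCount() : false;
    }
}

// demo wiring with a constructed table; session_start() also works from the CLI
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE sessions (sesskey VARCHAR(32) PRIMARY KEY, expire INTEGER, value TEXT)');
$handler = new DbSessionHandler($pdo, (int) ini_get('session.gc_maxlifetime'));
session_set_save_handler($handler, true);
session_start();
$_SESSION['usid'] = bin2hex(random_bytes(8));
session_write_close();                       // flushes $_SESSION through write()
echo $handler->read(session_id()), "\n";     // the serialized row for this session
```

    In a web page the last lines are replaced by the normal session_start() and $_SESSION usage; debugging then means reading the sessions table, as the post suggests.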

  9. #9 SitePoint Addict (Shanghai, China; joined Feb 2001; 214 posts)
    Hey, this looks good. But is it just a makeshift, or do you generally prefer this way? I mean, the one I use worked really fine (until some days ago) and it doesn't need any database queries.
    Hey, by the way, what's your hourly rate? I'm sure I would get poor if I had to pay you

  10. #10 Dumb PHP codin' cat (San Diego, CA; joined Aug 2000; 5,460 posts)
    Email me at freddy@bereminded.com on the hourly rate thing. No, that code is not a makeshift anything; I use it every day for something. It is one of the cool features of PHP, how you can customize how php handles sessions.

    Yes, it is extra queries, but it's probably faster than having to open a file and read/write from it. Again, I use this code on a daily basis, and I know it works great.

  11. #11 SitePoint Enthusiast (joined Jul 2000; 32 posts)
    Then I include this file at the top of all subsequent pages in the protected directory:

    PHP Code:
    <?php
    session_start();
    if (! isset($usid)) {
        echo "
            <html><head>
            <META HTTP-EQUIV='Refresh'
                CONTENT='0; URL=index.php'>
            </head>
            <body>
            <a href='index.php'>please log in</a>
            </body></html>
            ";
        exit;
    }
    ?>
    But what if someone tries this: script.php?$usid=anything.
    Would they still be able to get in?

  12. #12 Dumb PHP codin' cat (San Diego, CA; joined Aug 2000; 5,460 posts)
    What I usually do is register $SESSION as a session var when I validate the user, then I assign the userid to $SESSION["userid"]; in fact I assign all session vars into the array $SESSION, which is pretty hard to recreate from a GET string. Then you can check for:
    PHP Code:
    if ($SESSION["usid"] == "") {
        header("Location: index.php");
        exit;   // header() alone does not stop the script
    }


  13. #13 SitePoint Enthusiast (joined Jul 2000; 32 posts)
    BTW, are you querying the database every time a page which includes that script is accessed (which is how it appears to me). That's not necessary.
    I believe that it IS necessary to query the database every time a page is accessed. Querying is done to check if the username and password are valid. If you don't do this then it will be very easy to fool the script by using something like this:

    "script.php?$username=anything&$password=nothing".

    If you don't query the database, then you will only be able to check if the variables $username and $password are set. With the example above, they ARE set.

    Does anyone agree with me? If you don't query the database with every page request, then there will be a security problem.

  14. #14 Dumb PHP codin' cat (San Diego, CA; joined Aug 2000; 5,460 posts)
    nasio,

    How are you going to trick the server? With my example it would be very difficult to pass $SESSION["usid"] in a GET string, don't you agree? However, using a database to hold session data does mean that the db gets queried with every request, but not to revalidate usernames and passwords, only to grab session data.
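    An added example, not from the thread: the login and page-gate pattern of posts #1, #2 and #12 with the weaknesses raised in #11 to #14 closed. It assumes PHP 7.4+, a PDO connection, the thread's veranstalter table with its password column now holding password_hash() output instead of plaintext, and a constructed SQLite copy of that table for the self-check at the end.

```php
<?php
// Added example, not the thread's code: credentials only from $_POST, the
// logged-in marker only in $_SESSION, bound SQL parameters, and a hashed
// password column (password_hash() output) instead of plaintext.

function authenticate(PDO $pdo, string $userid, string $password): bool
{
    $st = $pdo->prepare('SELECT password FROM veranstalter WHERE userid = ?');
    $st->execute([$userid]);                 // bound, so quotes in $userid are data
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password']);
}

// login.php: a successful login leaves a marker in server-side session state only
function handleLogin(PDO $pdo): void
{
    if (isset($_POST['uid'], $_POST['pwd'])
        && authenticate($pdo, (string) $_POST['uid'], (string) $_POST['pwd'])) {
        session_regenerate_id(true);         // fresh session id once logged in
        $_SESSION['uid'] = (string) $_POST['uid'];
    }
}

// included at the top of every protected page after session_start(); no database
// query is needed here because ?uid=... in a request never reaches $_SESSION
function requireLogin(): void
{
    if (empty($_SESSION['uid'])) {
        header('Location: index.php');
        exit;                                // header() alone does not stop the script
    }
}

// self-check against a constructed SQLite table (no web request involved)
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE veranstalter (userid TEXT PRIMARY KEY, password TEXT)');
$pdo->prepare('INSERT INTO veranstalter VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
var_dump(authenticate($pdo, 'alice', 'correct horse'));   // right password
var_dump(authenticate($pdo, 'alice', 'wrong'));           // wrong password
var_dump(authenticate($pdo, 'nobody', 'correct horse'));  // unknown user
```

    On the real site login.php calls session_start(), handleLogin($pdo) and then requireLogin(); every other protected page calls session_start() and requireLogin() only, which answers the per-page re-query question from #13: the marker lives in session state, not in the request.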

