Thread: Session problem
-
Apr 30, 2001, 04:22 #1
- Join Date: Feb 2001; Location: Shanghai, China; Posts: 214
It seems I'm in trouble with my server. Most of my scripts, which actually ran fine for the last weeks, don't work anymore. One of my problems is this here:
I have a User-section where I use sessions. It worked fine, the login-script looks like this (I got it from Kevin's tutorial "Managing user..."):
<?php
include("common.php");
include("db.php");
include("dologin.php3");
session_start();
// No user id yet: show the login form and stop
if (!isset($uid)) {
?>
<!-- html Form for user-registration -->
<?php
    exit;
}
// Keep the submitted credentials in the session
session_register("uid");
session_register("pwd");
dbConnect("xxx");
$sql = "SELECT * FROM veranstalter WHERE
        userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
// No matching row: forget the credentials and show the form again
if (mysql_num_rows($result) == 0) {
    session_unregister("uid");
    session_unregister("pwd");
    dologin("Sorry, invalid password");
    exit;
}
?>
And I put a:
<?php include("login.php"); ?>
on the top of every script in the user-area. This worked fine, but now I can log in to the user-area, but when I click to the next page in the user section I see the form again to enter my username and password. So it seems that the sessions do not work. As I didn't change the script, and it worked fine until yesterday, it seems that some settings on the server changed. Is there any way to check up the settings or check if the sessions work or whatever?
-
Apr 30, 2001, 19:48 #2
- Join Date: Jun 2000; Location: Sydney, Australia; Posts: 3,798
Put a page up on your server which contains the following code.
PHP Code:
<?php php_info() ?>
BTW, are you querying the database every time a page which includes that script is accessed (which is how it appears to me)? That's not necessary. If it helps at all, here is a really simple script I wrote. index.php is the index page of the protected directory.
PHP Code:
<?php
session_start();
$auth = false;
if (isset($logout)) {
    session_unset();
}
// Credentials were submitted: check them against the user table
if (isset($userID) && isset($pw)) {
    include("../dbconnect.php");
    $sqlStr = "SELECT * FROM user WHERE
               id='$userID' AND password='$pw'";
    $result = mysql_query($sqlStr, $dbconx)
        or die( mysql_errno() . " : " . mysql_error() );
    $numRows = mysql_num_rows($result);
    if ($numRows == 1) {
        $auth = true;
    }
}
// Successful login: register a session variable as the "logged in" marker
if ($auth) {
    //session_start();
    session_register("usid");
    $usid = substr(md5(time()),0,6);
}
if ( $auth || isset($usid) ) {
    // index page content
} else {
    echo "
<html>
<head><title>Admin - Log In</title>
<meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'>
</head>
<body bgcolor='#FFFFFF' text='#000000' onLoad='document.forms[0].elements[0].focus()'>
<h1>Log In</h1>
<p>
<form name='addItem' method='post' action='$PHP_SELF'>
<input type='text' name='userID' size='12'> User ID<br>
<input type='password' name='pw' size = '12'> Password<br>
<input type='submit' value= 'submit'>
</form>
</body></html>
";
}
?>
PHP Code:
<?php
session_start();
// Not logged in: send the visitor back to the login page
if (! isset($usid)) {
    echo "
<html><head>
<META HTTP-EQUIV='Refresh'
CONTENT='0; URL=index.php'>
</head>
<body>
<a href='index.php'>please log in</a>
</body></html>
";
    exit;
}
?>
Last edited by freakysid; Apr 30, 2001 at 20:04.
-
May 1, 2001, 13:47 #3
- Join Date: Feb 2001; Location: Shanghai, China; Posts: 214
Hey freakysid
It should be:
PHP Code:
phpinfo();
PHP Code:
php_info();
What I got there is this here
Directive                   Local Value   Master Value
session.auto_start          Off           Off
session.cache_expire        180           180
session.cache_limiter       nocache       nocache
session.cookie_domain       no value      no value
session.cookie_lifetime     0             0
session.cookie_path         /             /
session.entropy_file        no value      no value
session.entropy_length      0             0
session.gc_maxlifetime      1440          1440
session.gc_probability      1             1
session.name                PHPSESSID     PHPSESSID
session.referer_check       no value      no value
session.save_handler        files         files
session.save_path           /tmp          /tmp
session.serialize_handler   php           php
session.use_cookies         On            On
For the login script: I cannot see the basic difference. In both cases we check if there is a session "userid", if not we return the form and query the database. So it's just querying the db once, not on every page. Please correct me if I'm wrong.
-
May 1, 2001, 14:18 #4
- Join Date: Feb 2001; Location: Shanghai, China; Posts: 214
Just saw another point in the list I forgot to copy:
Session Support: enabled
-
May 1, 2001, 22:24 #5
- Join Date: Jun 2000; Location: Sydney, Australia; Posts: 3,798
OK - those session settings look to be the standard/default set up. There should not be a problem there. Also, check the configure command and make sure that track_vars is enabled. You need that to be able to access things like cookie values directly as you do when you refer to $uid in your code.
Hehe - this is the point when someone expert at using php sessions and cookies is supposed to jump in. I just tried to get the ball rolling.
-
May 1, 2001, 22:34 #6
- Join Date: Aug 2000; Location: San Diego, CA; Posts: 5,460
Well, to check if sessions are even working, try printing the $PHPSESSID after you call session_start(); if you get a value then you know sessions are working. Next thing to do is to attempt to run your script manually, then when you think it has run successfully take that string that was printed out ($PHPSESSID), and go into the /tmp folder, look for the file with your session id in the name, open it and you should see some serialized data; in it should be your $userID, make sure it has a value. Another good way to debug session data is to put this on every page for debugging:
PHP Code:
session_start();
foreach($HTTP_SESSION_VARS as $key => $val) {
    print "$key = $val<br>";
}
Please don't PM me with questions.
Use the forums, that is what they are here for.
-
May 2, 2001, 09:14 #7
- Join Date: Feb 2001; Location: Shanghai, China; Posts: 214
As $PHPSESSID I get a value, so sessions are working.
For the second way I found the file in the /tmp directory, but I can not open or copy it, and it is not possible to change the permission of this directory.
-
May 2, 2001, 09:28 #8
- Join Date: Aug 2000; Location: San Diego, CA; Posts: 5,460
I would suggest using mysql to store session data, it's really easy to set up, all you have to do is create a table in your database and then include about 5 functions that will change the way PHP natively handles sessions from files to a db. Here are the functions you will need to include on every page you want to use sessions. This way it will be much easier to debug, you can just look in the sessions table of your db to see what vars are getting set and which aren't.
PHP Code:
<?php
########################## session handling crap ###############################
$db = mysql_connect("****", "******", "*******");
mysql_select_db("****");
$sess_lifetime = get_cfg_var("session.gc_maxlifetime");

// open/close: the connection is made above, so there is nothing else to do
function sess_open() {
    global $db;
    return $db;
}
function sess_close() {
    return true;
}
// read: return the serialized data of a session that has not expired
function sess_read($key) {
    global $db;
    // the session id arrives in a cookie, so escape it like any other input
    $result = mysql_query(sprintf("SELECT value FROM sessions WHERE sesskey = '%s' AND expire > %s", addslashes($key), time()), $db);
    if ($result && mysql_num_rows($result) > 0) {
        $row = mysql_fetch_array($result);
        return $row["value"];
    }
    else {
        return "";
    }
}
// write: update the live row for this session id, or create it
function sess_write($key, $val) {
    global $db, $sess_lifetime;
    $expire = time() + $sess_lifetime;
    $key = addslashes($key);
    $value = addslashes($val);
    mysql_query(sprintf("UPDATE sessions SET expire = %s, value = '%s' WHERE sesskey = '%s' AND
        expire > %s", $expire, $value, $key, time()), $db);
    // mysql_affected_rows() takes the connection, not a query result
    if (mysql_affected_rows($db) < 1) {
        $result = mysql_query(sprintf("INSERT into sessions SET sesskey = '%s',
            expire = %s, value = '%s'", $key, $expire, $value), $db);
        return (bool) $result;
    }
    return true;
}
function sess_destroy($key) {
    global $db;
    mysql_query(sprintf("DELETE from sessions WHERE sesskey = '%s'", addslashes($key)), $db);
    return true;
}
// gc: remove expired sessions only; the current session must survive
function sess_gc($maxlifetime) {
    global $db;
    mysql_query(sprintf("DELETE from sessions WHERE expire < %s", time()), $db);
    return true;
}
session_set_save_handler(
    "sess_open",
    "sess_close",
    "sess_read",
    "sess_write",
    "sess_destroy",
    "sess_gc");
?>
Code:
CREATE TABLE sessions (
    sesskey varchar(32) DEFAULT '' NOT NULL,
    expire int(11) unsigned,
    value text,
    PRIMARY KEY (sesskey)
);
-
May 2, 2001, 10:03 #9
- Join Date: Feb 2001; Location: Shanghai, China; Posts: 214
Hey, this looks good. But is it just a makeshift or do you generally prefer this way? I mean, the one I use worked really fine (until some days ago) and it doesn't need any database queries.
Hey, by the way, what's your hourly rate? I'm sure I would get poor if I had to pay you
-
May 2, 2001, 10:18 #10
- Join Date: Aug 2000; Location: San Diego, CA; Posts: 5,460
Email me at freddy@bereminded.com on the hourly rate thing. No, that code is not a makeshift anything, I use it every day for something. It is one of the cool features of PHP, how you can customize how PHP handles sessions.
Yes, it is extra queries, but it's probably faster than having to open a file and read/write from it. Again, I use this code on a daily basis, and I know it works great.
-
May 2, 2001, 12:21 #11
- Join Date: Jul 2000; Posts: 32
Then I include this file at the top of all subsequent pages in the protected directory:
PHP Code:
<?php
session_start();
if (! isset($usid)) {
    echo "
<html><head>
<META HTTP-EQUIV='Refresh'
CONTENT='0; URL=index.php'>
</head>
<body>
<a href='index.php'>please log in</a>
</body></html>
";
    exit;
}
?>
Would they still be able to get in?
-
May 2, 2001, 12:28 #12
- Join Date: Aug 2000; Location: San Diego, CA; Posts: 5,460
What I usually do is register $SESSION as a session var when I validate the user, then I assign the userid to $SESSION["userid"], in fact I assign all session vars into the array $SESSION, that is pretty hard to recreate from a get string, then you can check for
PHP Code:
if ($SESSION["usid"] == "") {
    header("Location: index.php");
    exit; // stop here so the protected page is not sent after the redirect header
}
-
May 3, 2001, 05:44 #13
- Join Date: Jul 2000; Posts: 32
BTW, are you querying the database every time a page which includes that script is accessed (which is how it appears to me). That's not necessary.
"script.php?$username=anything&$password=nothing".
If you don't query the database, then you will only be able to check if the variables $username and $password are set. With the example above, they ARE set.
Does anyone agree with me? If you don't query the database with every page request, then there will be a security problem.
-
May 3, 2001, 09:04 #14
- Join Date: Aug 2000; Location: San Diego, CA; Posts: 5,460
nasio,
How are you going to trick the server? With my example it would be very difficult to pass $SESSION["usid"] in a get string, don't you agree? However, using a database to hold session data does mean that the db gets queried with every request, but not to revalidate usernames and passwords but to grab session data.
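The concern debated in posts #11 to #14 (a login check satisfied by request parameters instead of session data), as an added example that is not part of the thread. It assumes modern PHP with PDO and pdo_sqlite; the function names, the `users` table and the sample account are constructed for illustration, and in-memory SQLite stands in for MySQL.

```php
<?php
// Added example, not code from the thread. Function names, the users table
// and the sample account are constructed; in-memory SQLite stands in for MySQL.

// Era-style check: with register_globals on, request parameters and registered
// session variables share one namespace, so isset($usid) cannot tell them apart.
function legacy_is_logged_in(array $get, array $session): bool {
    extract($get);      // what register_globals did with the query string
    extract($session);  // registered session variables land in the same scope
    return isset($usid);
}

// Hardened check: look only at the server-side session array.
function is_logged_in(array $session): bool {
    return isset($session['uid']) && is_int($session['uid']);
}

// Login: bound parameters, hashed password, and only the user id (never the
// password) is kept in the session.
function login(PDO $db, array &$session, string $user, string $pw): bool {
    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE userid = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pw, $row['pw_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);  // fresh session id once authenticated
    }
    $session['uid'] = (int) $row['id'];
    return true;
}

// Constructed demo data and requests.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, userid TEXT UNIQUE, pw_hash TEXT)');
$db->prepare('INSERT INTO users (userid, pw_hash) VALUES (?, ?)')
   ->execute(['demo', password_hash('correct horse', PASSWORD_DEFAULT)]);

$session = [];                      // a real page would pass $_SESSION
$forged  = ['usid' => 'anything'];  // parameters of a request with no login

var_dump(legacy_is_logged_in($forged, $session)); // legacy check, forged request
var_dump(is_logged_in($session));                 // hardened check, same request
var_dump(login($db, $session, 'demo', 'wrong'));
var_dump(login($db, $session, 'demo', 'correct horse'));
var_dump(is_logged_in($session));
```

Run it with the PHP command-line interpreter; each `var_dump` line prints the outcome of the check named in its comment.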