Session problem

[smorb]

It seems I'm in trouble with my server. Most of my skripts which actually run fine for the last weeks don't work anymore. One of my problems is this here:
I have a User-section where I use sessions. It worked fine,the login-skript looks like this ( I got it from Kevin's tutorial "Managing user..." )

<?php
include("common.php");
include("db.php");
include("dologin.php3");

session_start();

if(!isset($uid)) {
?>

// html Form for user-registration


<?php
exit;
}

session_register("uid");
session_register("pwd");

dbConnect("xxx");
$sql = "SELECT * FROM veranstalter WHERE
userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);

if (mysql_num_rows($result) == 0) {
session_unregister("uid");
session_unregister("pwd");

dologin ("Sorry, invalid password");

exit;
}

?>

And I put a :
include("login.php"); ?>
on the top of every skript in the user-area. This worked fine, but now I can log in the user-area, but when I click to the next page in the user section I see the form again to enter my username and password. So it seems that the sessions do not work. As I didn't change the skrip, and it worked fine until yesterday, it seems that some settings on the server changed. Is there any way the check up the settings or check if the session work ore whatever?

[freakysid]

Put a page up on your server which contains the following code.

PHP Code:

<?php php_info() ?>

php_info() prints out a whole lot of info on the php configeration on the server. There will be a section with all the php session settings. Maybe your host turned sessions off for some reason?!?

BTW, are you querying the database every time a page which includes that script is accessed (which is how it appears to me). That's not necessary. If it helps at all, here is a really simple script I wrote. index.php is the index page of the protected directory.

PHP Code:

<?php
    session_start();
    
    $auth = false;
    
    if (isset($logout)) {
        session_unset();
    }
    
    if (isset($userID) && isset($pw)) {
        include("../dbconnect.php");
        $sqlStr = "SELECT * FROM user WHERE
                   id='$userID' AND password='$pw'";        
        $result = mysql_query($sqlStr, $dbconx)
                or die( mysql_errno() . " : " . mysql_error() );
        $numRows = mysql_num_rows($result); 
        if($numRows == 1 ) {$auth = true;}
    }
    
    if ($auth) {
        //session_start();
        session_register("usid");
        $usid = substr(md5(time()),0,6);
    }
    
    if ( $auth || isset($usid) ) {
            
    // index page content
    
    } else {
        echo "
            <http>
            <head><title>Admin - Log In</title>
            <meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'>
            </head>
            <body bgcolor='#FFFFFF' text='#000000' onLoad='document.forms[0].elements[0].focus()'>
            <h1>Log In</h1>
            <p>
            <form name='addItem' method='post' action='$PHP_SELF'>
            <input type='text' name='userID' size='12'> User ID<br>
            <input type='password' name='pw' size = '12'> Password<br>
            <input type='submit' value= 'submit'>
            </form>
            </body></html> 
            ";
    }
?>

Then I include this file at the top of all subsequent pages in the protected directory:

PHP Code:

<?php
session_start();
if (! isset($usid)) {
    echo "
        <html><head>
        <META HTTP-EQUIV='Refresh'
            CONTENT='0; URL=index.php'> 
        </head>        
        <body>
        <a href='index.php'>please log in</a>
        </body></head>
        ";
        exit;
}
?>

[smorb]

Hey freakysid
It should be:

PHP Code:

phpinfo(); 


and not:

PHP Code:

php_info(); 


,
What I got there is this here

Directive Local Value Master Value
session.auto_start
Off Off
session.cache_expire
180 180
session.cache_limiter
nocache nocache
session.cookie_domain
no value no value
session.cookie_lifetime
0 0
session.cookie_path
/ /
session.entropy_file
no value no value
session.entropy_length
0 0
session.gc_maxlifetime
1440 1440
session.gc_probability
1 1
session.name
PHPSESSID PHPSESSID
session.referer_check
no value no value
session.save_handler
files files
session.save_path
/tmp /tmp
session.serialize_handler
php php
session.use_cookies
On On

But what does it mean or how should it look like? Should "session auto start" be set on "ON"?

For the log in skript:I can not see the basic difference. In both cases we check if there is a session "userid", if not we return the form and query the database. So it's just querying the db once, not on every page. Please correct me if I'm wrong.

[smorb]

Just saw another point in the list I forgott to copy:

Session Support: enabled

Hmm, this looks like the solution to my session-problem.

[freakysid]

OK - those session settings look to be the standard/default set up. There should not be a problem there. Also, check the configer command and make sure that track_vars is enabled. You need that to be able to access things like cookie values directly as you do when you refer to $uid in your code.

Hehe - this is the point when someone expert at using php sessions and cookies is supposed to jump in. I just tried to get the ball rolling.

[freddydoesphp]

Well to check if sessions are even working try printing the $PHPSESSID after you call session_start(); if you get a value then you know sessions are working. Next thing to do is to attempt to run your script manually, then when you think it has run successfully take that string that was printed out($PHPSESSID), and go into the /tmp folder, look for the file with your session id in the name, open it and you should see some serialized data, in it should be your $userID make sure it has a value. Another good way to debug session data is to put this on every page for debugging

PHP Code:

session_start();
foreach($HTTP_SESSION_VARS as $key => $val) {
print "$key = $val<br>";
} 


[smorb]

As $PHPSESSID I get a value, so sessions are working.
For the second way I found the file in the /tmp directory, but I can not open ore copy it, and it is not possible to change the permission of this directory.

[freddydoesphp]

I would suggest using mysql to store session data, its really easy to setup, all you have to do is create a table in your database and then include about 5 functions that will change the way PHP natively handles sessions from files to a db. Here are the functions you will need to include on every page you want to use sessions. This way it will be much easier to debug you can just look in the sessions table of your db to see what vars are getting set and which aren't

PHP Code:

<?

########################## session handling crap ###############################
$db = mysql_connect("****", "******", "*******");
mysql_select_db("****");
$sess_lifetime = get_cfg_var("session.gc_maxlifetime");

function sess_open() {
    global $db;
    return $db;
    }

function sess_close() {
    return true;
    }

function sess_read($key) {
    global $db;
    $result = mysql_query(sprintf("SELECT value FROM sessions WHERE sesskey = '%s' AND expire > %s", $key, time()));
    if (mysql_num_rows($result) > 0) {
        $row = mysql_fetch_array($result);
        return $row["value"];
        }
    else {
        return false;
        }
    }

function sess_write($key,$val) {
    global $db, $sess_lifetime;
    $expire = time() + $sess_lifetime;
    $value = addslashes($val);
    $result1 = mysql_query(sprintf("UPDATE sessions SET expire = %s, value = '%s' WHERE sesskey = '%s' AND
 expire > %s", $expire, $value, $key, time()));
    if (mysql_affected_rows($result1) < 1) {
        $result2 = mysql_query(sprintf("INSERT into sessions SET sesskey = '%s', 
expire = %s, value = '%s'", $key, $expire, $value));
        }
    return mysql_affected_rows($result2);
    }

function sess_destroy($key) {
    global $db;
    $result = mysql_query(sprintf("DELETE from sessions WHERE sesskey = '%s'", $key));
    return mysql_affected_rows($result);
    }

function sess_gc() {
    global $db, $PHPSESSID;
    session_unset();
    $result = mysql_query(sprintf("DELETE from sessions WHERE sesskey = '%s'", $PHPSESSID));
    return mysql_affected_rows($result);
    }



session_set_save_handler(
    "sess_open",
    "sess_close",
    "sess_read",
    "sess_write",
    "sess_destroy",
    "sess_gc");


    

?>

Here is the databvase table schema

Code:

CREATE TABLE sessions (
  sesskey varchar(32) DEFAULT '' NOT NULL,
  expire int(11) unsigned,
  value text,
  PRIMARY KEY (sesskey)
);

[smorb]

Hey, this looks good. But is it just a makeshift ore do you generally prefer this way. I mean, the one I use worked really fine (until some days ago) and it doesn't need any database querys.
Hey, by the way, what's your hourly rate, I'm sure I would get poor If I had to pay you

[freddydoesphp]

Email me at freddy@bereminded.com on the hourly rate thing. No that code is not a makeshift anything, I use everyday for something. It is one of the cool features of PHP, how you can customize how php handles sessions.

yes it is extra queries, but its probably faster than having to open a file and read/write from it. Again, I use this code on a daily basis, and I know it works great.

[nasio]

Then I include this file at the top of all subsequent pages in the protected directory:

PHP Code:

<?php
session_start();
if (! isset($usid)) {
    echo "
        <html><head>
        <META HTTP-EQUIV='Refresh'
            CONTENT='0; URL=index.php'> 
        </head>        
        <body>
        <a href='index.php'>please log in</a>
        </body></head>
        ";
        exit;
}
?>

But what if someone try this: script.php?$usid=anything.
Would they still be able to get in?

[freddydoesphp]

What I usually do is register $SESSION as session var when I validate the user, then I assign the userid to $SESSION["userid"], in fact I assign all session vars in tothe array $SESSION, that is pretty hard to recreate from a get string, then you can check for

PHP Code:

if ($SESSION["usid"] == "") {
header("Location: index.php");
} 


[nasio]

BTW, are you querying the database every time a page which includes that script is accessed (which is how it appears to me). That's not necessary.

I believe that it IS necessary to query the database every time a page is accessed. Querying is done to check if the username and password are valid. If you don't do this then it will be very easy to fool the script by using something like this:

"script.php?$username=anything&$password=nothing".

If you don't query the database, then you will only be able to check if the variables $username and $password are set. With the example above, they ARE set.

Does anyone agree with me? If you don't query the database with every page request, then there will be a security problem.

[freddydoesphp]

nasio,

How are you going to trick the server, with my example it would be very difficult to pass $SESSION["usid"] in a get string, don't you agree, however using a database to hold session data, does mean that the db gest queried with every request, but not to revalidate usernames and passwords but to grab session data.