Regarding Kevin's PHP Session Tutorial

[baekcho]

I just followed thru Kevin Yang's "Managing Users with PHP Sessions and MySQL" trying to implement session(with web page on intranet at my work)....
I get this message...login.php is accesscontrol.php in his article that handles login and session
----------------------------------
Warning: open(/tmp\sess_bdb9c3afb46e7fc535813fd171299667, O_RDWR) failed: m (2) in ../../phpinclude/login.php on line 5
-----------------------------------


in php.ini file(yes, they are installed on NT), following is changed as seen from default setting(as suggested in the article)
======================
session.save_path = D:\sessions
======================

can anyone help this newbie?

[Anarchos]

Do you have a d drive?

[baekcho]

yes, that's where I installed php, aparche, and mysql

[tehtarik]

"Kevin's Tutorials" is everywhere.
Can anyone guide me there?
(I need the URL)


thanks

[micmar]

Originally posted by tehtarik
"Kevin's Tutorials" is everywhere.
Can anyone guide me there?
(I need the URL)

Managing Users with PHP Sessions and MySQL - By Kevin Yank
http://www.webmasterbase.com/article.php/319

[tehtarik]

Thanks man,

I really love PHP, yeehaa

[timnz]

Is PHP running in CGI or not, because if it is, it will read the php.ini out of the directory where it is installed I think, whereas if it isn't, then it reads it out of, for example: C:\WINNT\ or where ever you have all your .ini's stored.

From the error message it spat out, it shows that it is still thinking that the temporary directory is /tmp one.

So I think it is reading a diffferent php.ini from the one you modified.

[baekcho]

great!...I found one php.ini(perhaps from previous php installation) in "/winnt" folder and changed save_path...it worked.

I don't know how to tell system to use D:/php/php.ini which i wanted to use, so i decided to use the one that works, C:/winnt/php.ini.
---this solved some other problems I was experiencing too.

thanks,

[weirdbeardmt]

Thats great - I had the same problem (but fixed it!).

But new problem. I have followed his script down to a 'T' but now it has been uploaded it is refusing to acknowledge users.

Example..

I create a new user using signup. I know it has been entered cos phpmyadmin says so.

So then I use the login page to try and access it - it brings up the login prompt, I enter the details but then I get the Access Denied - no user found message, when I know the user exists!

I am getting no MySQL or PHP errors, just the default, no user message.

Any ideas? Or anyone else had this problem? Is it a mistake in Kevin's tutorial (never!?) or do i need to modify something?

Thanks

[baekcho]

So then I use the login page to try and access it - it brings up the login prompt, I enter the details but then I get the Access Denied - no user found message, when I know the user exists!

I had a similar problem and it was, in my case, from inconsistency in variable names...I tracked down some variable and fixed the problem

[baekcho]

session is great....
But How Do I Keep Someone from Backing to Secure Page?

for example, when i 'BACK' after sing-off, my browser(ie5) is telling me the page is expired...but if i 'REFRESH' it brings back to the secure page that i loged-off from...

anyone?

[weirdbeardmt]

A good question.. anyone (Kevin?). The only thing I can imagine is that by backing up it isn't actually killing the session - there is still technically a session running - there is a cookie there - so you are still logged in.

Just so you know I fixed my problem - I was being exceptionally thick in forgetting that I was using the PASSWORD command which encrypts the randomly generated password - and was using the password in the database not the one that had been emailed to me. Oops.

[freakysid]

I don't know if this is the best solution but what you can do is use a database table as well.

1) User logs in.
-> start a session.
-> insert a record into the database table with the session ID and the time it will timeout.
-> Also, every time a new user logs in and you run an sql query to garbage collect (delete) expired sessions from the database.

2) Each time a user calls a php page, start the session then query the database to see whether a matching session is current in the database. If not the user is not logged in.

3) The user logs out.
-> delete the user's session from the database.

I'm sure there are better solutions. I would be curious to know, as I basically coded something along the lines of the above recently and would be glad to know of a better solution. My understanding also is that even with seting no-cache meta tags etc, etc, these will have no effect in NS 4.7

[freddydoesphp]

Yes, as freakysid stated I usually store my session data in a databse instead of files, for faster manipulation of session data. With that I wrote my own session handling functions, that basically tell PHP how to handle sessions natively.

When a user logs out I delete the record from the database. So if they use the back button it doesn't matter since I check for a session variable, if its not present I simply send them to the login screen. Here is the session handling functions. They require PHPLIB's mysql class.

PHP Code:

########################## session handling crap ###############################
$sess_lifetime = get_cfg_var("session.gc_maxlifetime");

function sess_open() {
    global $db;
    return $db;
    }

function sess_close() {
    return true;
    }

function sess_read($key) {
    global $db;
    $db->query(sprintf("SELECT value FROM sess WHERE sesskey = '%s' AND expire > %s", $key, time()));
    if ($db->num_rows() > 0) {
        $db->next_record();
        return $db->f(value);
        }
    else {
        return false;
        }
    }

function sess_write($key,$val) {
    global $db, $sess_lifetime;
    $expire = time() + $sess_lifetime;
    $value = addslashes($val);
    $db->query(sprintf("UPDATE sess SET expire = %s, value = '%s' WHERE sesskey = '%s' AND expire > %s", $expire, $value, $key, time()));
    if ($db->affected_rows() < 1) {
        $db->query(sprintf("INSERT into sess SET sesskey = '%s', expire = %s, value = '%s'", $key, $expire, $value));
        }
    return $db->affected_rows();
    }

function sess_destroy($key) {
    global $db;
    $db->query(sprintf("DELETE from sess WHERE sesskey = '%s'", $key));
    return $db->affected_rows();
    }

function sess_gc() {
    global $db, $sess;
    session_unset();
    $db->query(sprintf("DELETE from sess WHERE sesskey = '%s'", $sess));
    return $db->affected_rows();
    }



session_set_save_handler(
    "sess_open",
    "sess_close",
    "sess_read",
    "sess_write",
    "sess_destroy",
    "sess_gc"); 


Here is the db schema

+---------+------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+---------+------------------+------+-----+---------+-------+
| sesskey | varchar(32) | | PRI | | |
| expire | int(11) unsigned | | | 0 | |
| value | text | | | | |
+---------+------------------+------+-----+---------+-------+