Managing Users with PHP Sessions and MySQL

[MichDenn]

I have read kevins article and other articles on the net but i cannot get kevins script or any of my other script to write to my databases. I am useing the latest downloads of apache php and mysql.

If you can help I would be grateful.

I will just give you the addresses of the pages for now so that you can see if it works from out there, but it isn't working on my machine. I can enter the information into the fields press send and it just brings the page back up with no chages or no additions to my database.

Http://169.254.81.197/accesscontrol.php <-- Comes up with error warning messages.

Warning: open(/tmp\sess_e9e65d8d90017889720d4ad85c73d684, O_RDWR) failed: No such file or directory (2) in c:\apache\htdocs\accesscontrol.php on line 6

Warning: open(/tmp\sess_e9e65d8d90017889720d4ad85c73d684, O_RDWR) failed: No such file or directory (2) in Unknown on line 0

Warning: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

http://169.254.81.197/signup.php
Pulls up fine with the form, when you try to submit it it goes back to the form and does nothing.
You can enter just a name and it still comes to the same blank form. Does not error out like it is suppose to!
http://169.254.81.197/db.php
Pulls but does nothing
http://169.254.81.197/common.php
Pulls but does nothing
http://169.254.81.197/connect.php
Works file connects to all the databases i am working with and list the contents of the databases.
http://169.254.81.197/admin.php
Is the control panel page for me and works.
http://169.254.81.197/products.php & orders.php & resellers.php & customers.php
Shows the individual entries in the resepctive database and ofers a link to edit or delete.
cannot get any to edit or delete.
http://169.254.81.197/default.php
Works and is still being writen this is the template of the first page. You can get a feel of what i am tring to do.
http://169.254.81.197/newprod.php
Pulls the form but does not enter information into the database.
If I can figure out how to get the accesscontrol and the edit and del working than I may be able to do the rest... I have only been working with php and mysql for about a week and I think that I am getting the dreft of things, but I can seem to get this working. Can someone tell me what I am doing wrong or tell me why its not working?? Thanks.

[Kevin Yank]

The error messages you're seeing indicate that your session.save_path setting is not set correctly in php.ini. Be sure to set this to a directory that exists on your server.

[Jump]

That article was great but from last year. Has the script been updated for recent PHP changes such as Globals and such?

[Jump]

I get this error code and it wont connect to the db.

Warning: Cannot send session cookie - headers already sent by (output started at /home/uname/public_html/programdirectory/index2.php:2) in /home/uname/public_html/programdirectory/accesscontrol.php on line 6

Warning: Cannot send session cache limiter - headers already sent (output started at /home/uname/public_html/programdirectory/index2.php:2) in /home/uname/public_html/programdirectory/accesscontrol.php on line 6

[Jump]

Ok, I had a space at the begining of "index2.php." But I still get "failed to connect to database" When all the settings are correct.

[Jump]

I had to use a different way to connect.

What I would like to know is how do you get it to "Remember Me" like so many sites do?

[Kevin Yank]

The 'remember me' feature involves setting a cookie in the user's browser that saves the person's username (and if you're not too concerned about security, their password). Your site should then check for that cookie and automatically fill in the username field in the login form (or log them in entirely, if you store their password in the cookie).

[Jump]

Well I did this

PHP Code:

ini_set( 'session.cookie_lifetime', 31536000);
session_start(); 


and it does what I need.

No security is not really a big factor. Everything I am doing now is for a game clan and our game site. So we just need to keeep out fellow gamers, but who really cares.

The real issue for me is that I learn something new.

[Kevin Yank]

Jump,

That php.ini setting will cause the session ID to be retained in the browser for up to 31536000 seconds; however, it does not affect the lifetime of the session on the server (by default, after 1440 seconds). As a result, the sessions will time out on the server and when the browser returns at a later date with the old cookie, the server will judge it to be an invalid session ID and the auto-login will fail.

You could set an identical session lifetime on the server (with session.gc_maxlifetime); however, this will lead to an unneccessary buildup of session data in your server's temporary directory, and also decreases the security of your site (by increasing the number of potentially guessable session IDs that are active on your server at once).

Instead, you should leave the session cookie and session lifetimes alone in your php.ini file and set a separate cookie in the browser to store the auto-login information (using PHP's set_sookie function). Yes, it's more work, but PHP's session facility was never intended to work as a persistent login mechanism.

Of course, if you're happy living with the weaknesses I've outlined above, by all means: simply adjust your session lifetime accordingly.

[Jump]

Your right. The auto login failed. I was recomended by someone here to use the above. This is what I had tried before.

PHP Code:

$expiry = 60*60*24*100; // 100 days

session_start();
setcookie(session_name(), session_id(), time()+$expiry, "/"); 


Not sure how to do what you described above though. Anything else I should add to it?

[Jump]

Would I need to add

PHP Code:

session_register("uid");
session_register("pwd") 


to the setcookie?

[okrogius]

PArt of my lgoin script after all login variables are checked:

PHP Code:

                if ( !empty($_POST['cookiet']) ) {
                    cnum($_POST['cookiet']);
                    $cooktime = (3600 * $_POST['cookiet']);
                } else {
                    $cooktime = 604800; //default one week
                }
    
                setcookie('rememberme_u', $result->fields['username'], time() + $cooktime);
                setcookie('rememberme_p', $result->fields['password'], time() + $cooktime); 


Note about above: cookiet is a user preference for how long someone should be remembered. Also for the sake of security the password that's set in rememberme_p cookie is md5() hashed. cnum() is my own function to check whether the parameter is a number and if not die with an error.

The code in the logout script:

PHP Code:

            setcookie ('rememberme_u', '', time() - 99999999999);
            setcookie ('rememberme_p', '', time() - 99999999999); 


Now a part of the code that's included on all pages.

PHP Code:

if ( empty($_SESSION['username']) ) {

    if ( !empty($_COOKIE['rememberme_u']) AND !empty($_COOKIE['rememberme_p'])  ) {
        
//verify cookie details

        if ( ($log_result->RecordCount() == 1) AND ($_COOKIE['rememberme_p'] == $log_result->fields['password']) ) {
            $_SESSION['userid']   = $log_result->fields['userid'];
            $_SESSION['username'] = $log_result->fields['username'];
            $_SESSION['password'] = $log_result->fields['password'];
            $_SESSION['email']    = $log_result->fields['email'];
            $_SESSION['ip']       = $_SERVER['REMOTE_ADDR'];
            $_SESSION['agent']    = $_SERVER['HTTP_USER_AGENT'];

            Header('Location: ' . $_SERVER['PHP_SELF']);
            die();
        } else {
            setcookie ('rememberme_u', '', time() - 99999999999);
            setcookie ('rememberme_p', '', time() - 99999999999);

        }
    }
} 


ANother note that you should keep in mind that the above code has major chunks removed to show only relevant info.

[Jump]

Well, I'm using Kevin Yanks script from his article. I wouldn't know where to begin with all that. But I'll lookup all the terms and learn something hopefully.

[Kevin Yank]

Jump,

For your purposes, all you should need to do is register cookies called 'uid' and 'pwd' on the user's browser. You should not have to store the session ID or anything like that at all.

[Jump]

Something like?

PHP Code:

setcookie('uid', 'pwd', time()+$expiry, "/"); 


And where should I put that in accesscontrol.php? After the login part or up by the session_start()?

[Kevin Yank]

No -- more like:

setcookie('uid', $uid, time()+$expiry, "/");
setcookie('pwd', $pwd, time()+$expiry, "/");

It's been awhile since I've worked on the script in question, but I think you can put this up near session_start(). Be sure to check it works correctly both with a correct username/password and an incorrect one.

[Jump]

Well when I put that in either place and login with an incorrect pwd or uid the link to try again no longer works you just stay on the error page.

[Jump]

And that happens wit Mozzilla, Opera and IE.

[Kevin Yank]

In the segment of code that handles the 'incorrect username/password' case by unregistering the appropriate session variables, you also need to delete the cookies (by setting them with an expiry time more that 24 hours in the past).

[Jump]

tried

PHP Code:

setcookie('uid', $uid, time()-999999, "/");
setcookie('pwd', $pwd, time()-999999, "/"); 


but still the same.

[Kevin Yank]

Show us your full accesscontrol.php code.

[Jump]

PHP Code:

<?php // accesscontrol.php

include("common.php");
include("db.php");
$expiry = 60*60*24*365; // 365 days

session_start();
setcookie(session_name(), session_id(), time()+$expiry, "/");



if(!isset($uid)) {
  ?>
  <html>
  <head>
  <title> Please Log In for Access </title>
  <LINK REL=STYLESHEET TYPE="text/css" HREF="stocksol.css">
  </head>
  <body>
  <h1> Login Required </h1>
  <p>blahblah  .., <a href="signup.php">click here</a> blah .</p>
  <p><form method="post" action="<?=$PHP_SELF?>">
    Pilot Name: <input type="text" name="uid" size="8"><br>
    Password: <input type="password" name="pwd" SIZE="8"><br>
    <input type="submit" value="Log in">
  </form></p>
  </body>
  </html>
  <?php
  exit;
}

session_register("uid");
session_register("pwd");


dbConnect("dbname");
$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if (!$result) {
  error("A database error occurred while checking your ".
        "login details.\\nIf this error persists, please ".
        "contact [email][/email].");
}

if (mysql_num_rows($result) == 0) {
  session_unregister("uid");
  session_unregister("pwd");


  ?>
  <html>
  <head>
  <title> Access Denied </title>
  <LINK REL=STYLESHEET TYPE="text/css" HREF="stocksol.css">
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your Pilot Name or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$PHP_SELF?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
  <?php
  exit;
}

$username = mysql_result($result,0,"userid");
$squad = mysql_result($result,0,"squad");
$faction = mysql_result($result,0,"faction");
$userlvl = mysql_result($result,0,"userlvl");
?>

[Kevin Yank]

Your code contains this line, which I told you to remove,

PHP Code:

setcookie(session_name(), session_id(), time()+$expiry, "/"); 


and none of the other code we dicussed.

[Jump]

This is the original code.

[Kevin Yank]

Correct. So give us the latest code you're working on. We're not going to do all the work for you!