session_start(); does not stay started on all pages

Hello,

I think I am missing something. I am new to php so bear with me as I try to explain.

I have a simple login page that seems to work fine. However I would like it to remember if that person is logged in or not.

So I did this here :

session_start();

if (!(isset($_SESSION['login']) && $_SESSION['login'] != '')) {
header ("Location: login.php");
}

However, when I log in and try to go to another page, the above script is just taking me to the login page no matter what.

Is there something that I am missing on this one?

Thanks for any help or advice,

Paul

What is the code you are using to set the login session value? There isn’t anything wrong with that little chunk.

I am just using

session_start();

Should I be using something more than this?

He means, where is $_SESSION['login'] getting set? You’ll need to make sure it’s being set correctly in the first place, e.g., by sticking a var_dump() right after session_start():


<?php
    session_start();
    var_dump($_SESSION);

    if (...) {
        header(...);
    }

I don’t have that anywhere. Should that be on all the pages or just one?

It’s just a debugging tip. If you’re trying to figure out why you’re being redirected, the first thing you have to do is figure out why that if() condition is evaluating to true. A quick way to do that is to dump out the contents of $_SESSION to make sure it contains what you think it contains. Since it doesn’t, the most likely spot that it’s failing is where you’re logging the user in.

What does your login code look like, i.e., the code that your login form submits to?

Well, basically I have this :

<?php

session_start();

if (!(isset($_SESSION['login']) && $_SESSION['login'] != '')) {
header ("Location: login.php");
}


ini_set ('display_errors', 1);
error_reporting (E_ALL & ~E_NOTICE);



$host="localhost"; // Host name
$username="*****"; // Mysql username
$password="*****"; // Mysql password
$db_name="*****"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");


// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection 
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
    
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo include('wrong_username.htm');
}
?>

However, when I go to log in now, it logs me in but I get this at the top of each page:

array(2) {   ["myusername"]=>   NULL   ["mypassword"]=>   NULL }     			        

What's more, after I go to my log out page which kills the session, I can still get to those internal pages now.

Any advice on this would be great.

Thanks

Paul

tombempty: you might be missing some key concepts here…

#1 HTTP requests don’t share data between them, so, a variable set in one, will not be set in another.
That means, you need a session_start(); on all your pages, before any output (including headers).

#2 After your session_start();, you can populate your $_SESSION with variables.

#3 Also, after your session_start();, you can retrieve variables from your $_SESSION.

#4 Sessions are stored on the server (just session ID on the client PC), so users can’t change it. But they can change the session ID and take over the session of some other user.

#5 There is no need to pass the user and the password, you already validated the user on login, so just pass the userId.

Here is an example:
page1.php


session_start();
# Validate the user name and pass, and get whatever user logged in
$_SESSION['userId'] = 123;

page2.php


session_start();
# make sure the user has a session here
if (!isset($_SESSION['userId'])) {
  header('Location: /');
  exit;
}
# rest of your page

Put exit after header.

Your login script is setting different session variables than those you're checking for…
You're checking for 'login' and you're setting 'myusername' and 'mypassword'…
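
The points from the replies above put together in one file, as an added example that is not code from any poster in this thread: login writes one key, `$_SESSION['userId']`, every protected page checks that same key and exits after redirecting, and logout empties the session. The file and function names, the sample account, and the use of password_hash()/password_verify() in place of the thread's plaintext SQL comparison are assumptions; the example writes to $_SESSION directly because session_register() was removed in PHP 5.4.

```php
<?php
// auth.php (hypothetical name): added example, not code from the thread.
declare(strict_types=1);

// Constructed sample account standing in for a lookup in the members table.
function find_user(string $name): ?array
{
    static $users = null;
    $users ??= ['paul' => ['id' => 123,
                           'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    return $users[$name] ?? null;
}

// Login: on success store the user id under ONE key that every page checks.
function log_in(string $name, string $password): bool
{
    $user = find_user($name);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);        // fresh session ID once authenticated
    $_SESSION['userId'] = $user['id'];  // replaces session_register()
    return true;
}

// Guard for protected pages: call right after session_start(), before output.
function require_login(): void
{
    if (empty($_SESSION['userId'])) {
        header('Location: login.php');
        exit;                           // without this the page keeps running
    }
}

// Logout: empty the data first, then discard the server-side session.
function log_out(): void
{
    $_SESSION = [];
    session_destroy();
}

if (PHP_SAPI === 'cli') {               // offline demo: php auth.php
    session_start();
    $bad  = log_in('paul', 'wrong');
    $good = log_in('paul', 'correct horse');
    $id   = $_SESSION['userId'] ?? null;
    log_out();
    var_dump($bad, $good, $id, isset($_SESSION['userId']));
}
```

On a real site each page would call session_start() and then require_login() at the very top, and the login form handler would call log_in() with the posted values.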

Well now with the right session variables in there

if (!(isset($_SESSION['myusername']) && $_SESSION['mypassword'] != '')) {
header ("Location: login.php");
}

I no longer get that error on the top of the page

array(2) { ["myusername"]=> NULL ["mypassword"]=> NULL }

But now I am back to square one where it will not show any of the pages, it just keeps going to the login screen.

What else am I doing wrong here? It is driving me crazy.

Vali,

Thanks so much for your help with this. I am just starting out with php and miss a ton as I code all this as fast as I can. :lol:

Thanks everyone for all your help and efforts, I will keep you posted as to where I get with all this,

Paul