Sessions, back button.

Anon

I decided that using a session may be what I needed to keep track of authentication and search string, but I lost the functionality of the browser's back button. It now says that data is missing from a POST operation (no matter if the form is GET or POST). For maximum usability, I would like to have the back buttons work with no problems.

Also, when using a session variable to show whether the user has logged in, I can access the variable in every page but the initial page. It seems that it gets redeclared or something, but I can't imagine where or how!

Anon

yep! thats quite common with sessions. back button and sessions just dont get along very well.

what i can think of is, a page that includes $register_session() (function sysntax may be wrong). so if you click Back button, this function is restarted again, without destroying the old one, and so the old one just remains somewhere in the middle.

well, i am not expert in sessions, so may be someone else can tell us whats wrong with these -1 in history and sessions...

Anon

It seems that whenever I register a variable, the problem occurs. I have my registers done in a if (!(session_is_registered('var'))). It doesn't happen on the pages without register commands. I'm not quite sure why this would cause a problem. The register command isn't (afaik) getting called more than once a session.

hmm...

Anon

I've done a little more fiddling. I've come up with some sort of conclusion. (:

Ok, if I use a get method, it works just fine (which is odd, because it didn't seem to before). I don't really need to worry about security when passng my parameters, they're only search fields, and besides, can't I just pass them as session variables anyway if I don't like the query strings?

I have a POST form that takes care of admin login (it sets a hidden value to one so I can run the HTTP authenticate stuff. Perhaps there is an inherently better way to do that, I don't know, but I don't want that button to use GET, but then I lose back functionality.

argh

any help would be appreciated.

Anon

Try this by including auth.inc.php on each page.

-- begin auth.inc.php ---
<?php
/
File: auth.inc.php
Description: prompts user for http authentication and checks
input against MySQL

/

$auth="false";
session_start();
while ($auth=="false")
{
if (!isset($PHP_AUTH_USER))
{
// If empty, send header causing dialog box to appear
header('WWW-Authenticate: Basic realm="Secure Area"');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required.';
exit;
} else {
$server = "localhost";
$database = "dbname";
$dbuser = "dbuser";
$dbpassword = "dbpassword";
$conn=mysql_connect($server, $dbuser, $dbpassword);
mysql_select_db($database);
$password=$PHP_AUTH_PW;
// Formulate the query
$sql = "SELECT
FROM user_tbl
WHERE
login_name = '$PHP_AUTH_USER' AND
password = '$password'";
// Execute the query and put results in $result
$result = mysql_query( $sql );
// Get number of rows in $result.
$num = mysql_numrows( $result );
if ( $num != 0 )
{
/ echo "<P>You have entered this username: $PHP_AUTH_USER<br>
You have entered this password: $PHP_AUTH_PW<br>
The authorization type is: $PHP_AUTH_TYPE</p>"; */
$auth="true";
$login_name=$PHP_AUTH_USER;
session_register(auth);
session_register(login_name);
} else {
// if we don't unset the $PHP_AUTH_USER variable we will while loop forever
unset ($PHP_AUTH_USER);
}
}
}

?>
--- end auth.inc.php ---

Brian Snipes

Anon

what you are encountering had nothing to do with the sessions, but rather the difference between get and post. and when the content ot the page was set to expre.

get was designed for when you want to ask for some information to be sent to you. if you went back to that page using a browser back, if the page had not expired, the browser displayed it to you from cache. if it had expired, it sent the request in again and the server sent fresh content back, as you discovered no problem.

post was designed for "posting" data to the server. like as in "posting" the general ledger if you are familiar with that terminology. for example, you keep your checkbook on the server, you write a check and then sit down and bring up the check entry page on your personal web site and "post" the check to the server which records it in your computer check book and deducts the amount of the check from your balance. if using your browser back or forward button, due to problems with the check being posted multiple times and the resulting bank balance being too low. (and it could be worse, what if you were posting a bill to be paid electronicaly and somebody got paid again, in real money from your checking account, each time your browser when forward or backward through that page). to overcome the problem of poorly written server applications that would pay the same bill even though it had already been paid, or post a check with the same number and date and amount that had already been posted, the browser people took matters in there own hands and put up a message, asking you if they should resend the posted information or not, whenever you try to refresh the page. does that help?