Sessions

twstewart

Hi,

I'm very new to php have a rather odd situation that maybe somebody could shed some light on.

I'm doing a very basic user authentication scheme user profiles, using a mysql database.

The protected pages will be located in mysite/members, however I have a login form on the left column of each page in the public area. The login actually works fine, except for one minor annoyance:

In my index.php page (index page for the public area) I have session_start() at the top. My login code executes when request method == post, and it authenticates the user, and places their userid, username, and authenticated=1 into their session. Then they are redirected to the index page inside of the members directory. As long as they follow the relative links on the page, where url rewriting is working fine, everything's groovy. If they hit the 'back' button on the browser however, going back to the public index page, the session_start() I have at the top starts a new session for them, and they lose their authenticated status. Of course when cookies are used, this is not an issue.. any ideas/suggestions for getting around this? I would like to have the login form in the left column of many of the pages, and once they log in, not have any back/forward button navigation end up causing a new session to replace their existing one.

khaine

One way round it is to see if the variables are set before you start the session. Something like

session_start();
if ( !isset($userid) )
{
session_register('userid');
}

that should stop the variable from being wiped.

Mark.

[deleted]

"the session_start() I have at the top starts a new session for them"

I think you totaly missed the point of sessions.

Sessions are used to contain user data.

every page on your site should have the 'session_start()' function at the top, to activate the session.

Which session is activated depends on wether or not your client sends a sessionid. If he doesn't send a sessionid, a new session is started. If he does send an id, that session is re-activated.

You should configure your PHP to use cookies for the sessionid. Then you can click any link you like on your site, the cookie will always be sent and PHP will always know which session to open.

Note that it does not matter wether peopel are logged in or not, the session must always exist. It's the content of the session data that decides wether a person is logged on or not.

twstewart

Actualy I totally get the point of sesions 🙂

page1.php has session_start() at the top. It also has a login form with a username and a password. I log in on page1, it validates me, registers my userid, username and an authenticated token into the session, then redirects to page2.php referencing that sessionid. page2 also has session_start() at the top, and the variables are picked up just fine. The problem arises when at that point I click the browser's back button, taking me back to page1. The sessionID isn't being sent, and a NEW session is assigned. I've now lost my authenticated session.

I understand that using cookies would prevent this, but I can't force people to accept cookies, so I need an alternative in case they don't.

The question is how to make sure that the correct session id is sent when the 'back' button is pressed by the client.

[deleted]

"but I can't force people to accept cookies so I need an alternative in case they don't"

The point is, the number of people that 'dont
' is too small to worry about.

You can't force them to accept cookies if they have cookies disabled, but it's safe to assume that 99.2% of your users have cookies enabled, and for the remaining 0.8% you can build a small cookie-check and tell them they have to enable cookies to work with your site.

If you want to worry about people who don't match your specs, you should also forget about CSS, frames, javascript, Java, flash, fonts, the list is long.

The only alternative is to put the sessionid in each and every link on your entire site.
Every link would have ?PHPSESSID=75tsdf7645764sd7f587v appended to it.

That works, but it also means that not a single link on your page can be bookmarked. Not one, because the link contains the sessionid. If someone logs on he gets a sessionid. Then he clicks his favourite bookmark, and that bookmark sends a different sessionid and boom, he's logged out again. He'll always have to navigate to his favourite places.

A forum, a FAQ, what else do you need?