Make session vars accessible in a class

pgosse

Hi all. I'm running into a problem with session variables and classes which I'm unable to figure out. I’ve looked at a ton of posts here but can't seem to find the answer I need.

Here's the situation:

I’m building a series of 6 web applications plus 1 administrative application, and I'm doing authentication for all the apps with a class I wrote.

I've found a small bug in that if someone is logged into an app, logs out and then hits the back button on their browser, they are taken to the last page of the app where they were, and the authorization script tries to execute and the following error is returned:

Fatal error: Call to a member function on a non-object in c:\phpdev\www\authentication\auth.inc.php on line 90

This happens since when the doAuth() method is called it's passed a few session variables which don't exist anymore since the user has logged out, so the method is buggering up.

So, I figure all I need is to call a method to check for the existence of the session variables before I call the doAuth() method. So I'd be calling:

$auth->checkSession(); // check for session vars
$auth->doAuth(app_id,clr_req,$sess_user_id,$sess_clearance); // validate user

at the top of my script, and if the session vars aren't registered then checkSession() should kill the script before it gets to doAuth().

Here's a very bare-bones checkSession() method which just looks for one session var, $sess_user:

function checkSession()
{
if (!session_is_registered($sess_user))
{
die("Your session has expired, or you have logged out. <a href=\"/webapps/index.html\" target=\"_top\">Please click here to login</a>.");
}
}

Now, when I call this method via the code I've shown above, it doesn't see $sess_user as being registered, even though it is.

The session is started before the class is invoked, and if I remove the checkSession() method from the script, everything works fine (with the exception of the back-button error which I hope getting the checkSession() method working will alleviate), but whenever I use the checkSession() method, it ALWAYS tells me that the session has expired, even if I’ve just logged in.

Sooooooo, how do I make the session variables I create when someone logs in available inside the classes which I access throughout the applications?

If anyone could provide a hand here it would be GREATLY appreciated.

Thanks in advance,

Anon

Let me see the code for your login script.

Also, are you passing the PHP constant SID in the redirect after logging in or are you relying on cookies for sessions?

~Mark

pgosse

Hey Mark. Code is explained below.

I'm using cookies for the sessions. The reason for this is that I work in an institution where everybody's computers are set up the same, so I know for a fact that everyone has cookies turned on (at least everyone who will be administering the applications I'm building)

This is the php code for the login page. The page submits to itself, so if the $method var isn't set (or isn't set properly), it just outputs the login form. Otherwise it does the login:

<?php
if (isset($method)) {
if ($method == "login") {
include_once("../authentication/auth.inc.php");
$auth = new Auth;
if ($auth->doLogin($username,$password,"mysql") == true) {
session_start();
session_register("sess_allow");
$sess_allow = "true";
session_register("sess_user_id");
$sess_user_id = $auth->usr_info['user_id'];
session_register("sess_user");
$sess_user = $auth->usr_info['username'];
session_register("sess_email");
$sess_email = $auth->usr_info['email'];
session_register("sess_user_type");
$sess_user_type = $auth->usr_info['type'];
session_register("sess_clearance");
$sess_clearance = $auth->usr_info['clearance'];
header("Location:select_app.php");
}
} else {
die("Illegal call");
}
} else {
?>

So you can see here, I simply invoke a new case of the auth class, then access the doLogin() method, passing along the appropriate info from the login form, and if doLogin() returns true, then I register the appropriate session variables, setting the values to the result set returned within the doLogin() method.

Here's the code for the doLogin() method:

function doLogin($username,$password,$db_def) // validate user login
{
if (!isset($db_def)) { // if $db_def not set, load default database definition file
include_once("../authentication/db_def.php");
} else {
define("db_type",$db_def);
}

#error_reporting(E_ALL); // error catching
#include_once("../adodb/adodb-errorhandler.inc.php"); // error catching

include_once("../adodb/adodb.inc.php"); // load code common to ADOdb

$ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; // set ADOdb fetch mode

define ("username",trim($_username)); // define user username
define ("password",trim($_password)); // define user password

define ("webapps_user","webapps_login"); // define username to query user info tables
define ("webapps_pass","getuserinfo"); // define password to query user info tables

$conn = &ADONewConnection(db_type); // create adodb connection class and database type

$conn->PConnect('localhost',webapps_user,webapps_pass,'communic'); // create persistent connection

define ("sql","select u.user_id, u.username, u.email, u.clearance, ut.type from users u, user_types ut where u.username = '".username."' and u.password = '".password."' and u.clearance = ut.clearance"); // create query

$rs = &$conn->Execute(sql); // execute query to validate user info

if ($rs->RecordCount() == 1) { // check number of results
  $this->usr_info = $rs->fields;
  return true;
} else {
  $this->usr_err_msg .= "<li>Invalid username/password combination.</li><br>";
  $this->checkUserErrors();
}

$rs->Close(); // close recordset
$conn->Close(); // close connection

}

Now, the thing is the problem (as far as I can see at least) does not lie with the doLogin() method, but with the checkSession() method, the code for which is below:

function checkSession()
{
if (!session_is_registered($sess_user)) {
die("Your session has expired, or you have logged out. <a href=\"/webapps/index.html\" target=\"_top\">Please click here to login</a>.");
}
}

This is a very abbreviated version of the checkSession() method, as once I have it working I'll be checking a number of session vars, not just $sess_user.

So what's happening is when I call the checkSession() method before the doAuth() method (another method which checks that the user has proper authorization to access a specific application) it doesn't recognize the session var as being registered, even though it is, since if I remove the checkSession() method everything works.

Here's the code for the doAuth method:

function doAuth($app_id,$clr_req,$cur_usr,$cur_usr_clr)
{
if (!isset($db_def)) { // if $db_def not set, load default database definition file
include_once("../../authentication/db_def.php");
} else {
define("db_type",$db_def);
}

include_once("../../adodb/adodb.inc.php"); // load code common to ADOdb

$ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; // set ADOdb fetch mode

define ("webapps_user","webapps_login"); // define username to query user info tables
define ("webapps_pass","getuserinfo"); // define password to query user info tables

$conn = &ADONewConnection(db_type); // create adodb connection class and database type

$conn->PConnect('localhost',webapps_user,webapps_pass,'communic'); // create persistent connection

define ("usr_info","select user_id, clearance from users where user_id = ".$_cur_usr." and clearance = ".$_cur_usr_clr); // 
define ("app_info","select app_users from user_apps where app_id = ".$_app_id." and status = 1");

$usr_rs = &$conn->Execute(usr_info); // execute query to verify user info
$app_rs = &$conn->Execute(app_info); // execute query to get application users

if ($app_rs->RecordCount() != 1) {
  die("You are attempting to access an application which is not yet available to the public.<br><br>If you feel this message is an error, ".strtolower($this->notifyadmin));
} 

if ($usr_rs->RecordCount() == 1 && strstr($app_rs->fields['app_users'],$usr_rs->fields['user_id'])) {
  return true;
} else {
  die("You do not have authorization to access this application.<br><br>If you feel this message is an error, ".strtolower($this->notifyadmin));
}

$rs->Close(); // close recordset
$conn->Close(); // close connection

}

I hope this makes sense. Thanks very much for taking a look at this.

Pablo.

pgosse

Also, the line in the doLogin() method which has a bullet in it isn't supposed to be like that.

It outputs an error message encased in <li></li> tags, so the forum scripts here interpreted that as html code. Should've used < and >

Sorry 'bout that.

Anon

Okay, I am going to start with the simplest suggestion... it worked for me... it seems to be associated with using session cookies and redirecting:

Try putting session_start(); at the top of the login page and have it run without condition (so that a session is started as soon as the login page is visited, NOT when the form is submitted). You can register the session variables how they are now.

Also, just to state the obvious, be sure there is no extra lines or spaces outside of your <?php ?> tags anywhere... don't forget to check your file includes, also.

Example:

===currently you have:===

======

===try the following:===

<?php
session_start(); // start session here!

if (isset($method)) {
if ($method == "login") {
include_once("../authentication/auth.inc.php");
$auth = new Auth;
if ($auth->doLogin($username,$password,"mysql") == true) {

session_register("sess_allow");
$sess_allow = "true";

======

~Mark

pgosse

Argh, tried it, but it didn't work Mark.

The problem isn't on the login page itself, but rather on pages where I'm calling the checkSession() method.

While the session vars are registered and accessible within the applications, I simply can't access them within the instances of the class to do the checking that I'm creating within the applications.

Any other suggestions?

Anon

Hmm... is checkSession() inside the class? Or is it just a function?

If it is part of the class, I would suggest just adding it as a separate function and running that on its own until you figure it out...

I'm sorry I couldn't be of more help... let me know what you decide to do.

pgosse

GRRRRRRRR!!!!!!!!!!!!!!!!!!

It's a damn good thing there's only 2.5 hours left in this work week, 'cause if there were more I might freak ;o)

I figured it out, and boy oh boy do I feel like a complete doofus.

session_is_registered($varname) == BAD

session_is_registered("varname") == GOOD

Calling the function from within the class now and all works well.

Peace out.

Anon

LOL, I've done that quite a few times ;-)

I'm glad you figured it out.

~Mark