Problems with login script and registering sessions

RobinDoh

I have a login form:

<p align="center">
<form action="index.php?page=login2" method="post">
<table>
<tr><td align="right"><p>Email:</p></td><td><input type="text" name="email" size="18" class="formfield" /></td></tr>
<tr><td align="right"><p>Password:</p></td><td><input type="password" name="password" size="18" class="formfield" /></td></tr>
<tr><td></td><td align="center"><input class="formfield" type="submit" value="Login &raquo;" /></td></tr>
</table>
</form>
</p>

I then have a page which checks password etc and sets a session to be used within the member area:

<?php

$email = $_POST['email'];
$password = $_POST['password'];

if ($HTTP_SERVER_VARS['REQUEST_METHOD'] !== "POST") { print "<h1>No h4x0ring please</h1>"; }
else {

include("a123.php");
$result = mysql_query("SELECT id FROM users WHERE email = '$email'");
if (mysql_num_rows($result) == 0) { $do = "login_no_blob"; }
else {
$md5_input_pass = md5($password);
while ($row = mysql_fetch_array($result) ) {
if ($row[password] == $md5_input_pass) { 

$playerid = $row[id];
$playername = $row[name];
$playerpass = $md5_input_pass;

$now = date("j M y h:i A");



mysql_query( "UPDATE users SET lastlogin='$now' WHERE id='$playerid'" );


session_start();
session_register( "playerid" );
session_register( "playername" );
session_register( "playerpass" );

print '<script>window.location="members/index.php"</script>';

}
else { $do = "login_wrong_password"; }
}
}
include("z456.php");


if (isset($do)) { print '<script>window.location="index.php?page='.$do.'"</script>'; }

}

?>

The problem is that the session created always consists of just:

playerid|N;playername|N;playerpass|N;

Anyone see the problem? 😕

RobinDoh

By the way it's running on a Windows 2000 machine and my php.ini settings are as follows:

[Session]
; Handler used to store/retrieve data.
session.save_handler = files

; Argument passed to save_handler.  In the case of files, this is the path
; where data files are stored. Note: Windows users have to change this 
; variable in order to use PHP's session functions.
session.save_path = C:\apache\sessions

; Whether to use cookies.
session.use_cookies = 1

; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 0.
; session.use_only_cookies = 1

; Name of the session (used as cookie name).
session.name = PHPSESSID

; Initialize session on request startup.
session.auto_start = 0

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0

; The path for which the cookie is valid.
session.cookie_path = /

; The domain for which the cookie is valid.
session.cookie_domain = localhost

; Handler used to serialize data.  php is the standard serializer of PHP.
session.serialize_handler = php

; Percentual probability that the 'garbage collection' process is started
; on every session initialization.
session.gc_probability = 1

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
; WARNING: Your filesystem must store access times.  Windows FAT does
;          not.  So, see session_set_save_handler() and write your own
;          session handler with a different mechanism for cleaning up sessions.
session.gc_maxlifetime = 1440

; Check HTTP Referer to invalidate externally stored URLs containing ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
session.referer_check =

; How many bytes to read from the file.
session.entropy_length = 0

; Specified here to create the session id.
session.entropy_file =

;session.entropy_length = 16

;session.entropy_file = /dev/urandom

; Set to {nocache,private,public} to determine HTTP caching aspects.
session.cache_limiter = nocache

; Document expires after n minutes.
session.cache_expire = 180

; trans sid support is disabled by default.
; Use of trans sid may risk your users security. 
; Use this option with caution.
; - User may send URL contains active session ID
;   to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
;   in publically accessible computer.
; - User may access your site with the same session ID
;   always using URL stored in browser's history or bookmarks.
session.use_trans_sid = 0

url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

VoiD

check the error line for haxoring...

!== should be !=

RobinDoh

That seems to be working fine. I don't think that's the problem.

I thought == was the equality testing operator and = was the assignment operator. Unless it's changed :p

VoiD

You can always try 😉

RobinDoh

Bump: anyone else got any suggestions?

Mega

 session_start();
session_register( "playerid" );
session_register( "playername" );
session_register( "playerpass" );

shudnt you have assigned some values to them if you want them to have some?

and using !== tests for an identical non-match and === does the opposite 🙂

using != or !== will work in this case 🙂

RobinDoh

Thanks for clearing up the operator issue but I already assigned values:

$playerid = $row[id];
$playername = $row[name];
$playerpass = $md5_input_pass;

...

Kenderized

Please pardon me Im very much a newbie to PHP but I thought that you had to put the session_start() first thing in your script after <?. with no lines else the headers get sent without your session info in them?

Kenderized

RobinDoh

Well I'm no expert but I think it's okay to have it after some code, as long as you don't output data to the user before the session is started. The session needs to be the first thing sent to the browser.
Any experts who can confirm this?

Mega

session_start() shud be the very first thing after <?php

sirblack

session_start();
session_register( "playerid" );
session_register( "playername" );
session_register( "playerpass" );

.. if you want to enter the values you assigned to the variables.. should you specify is the following way:

session_start();
session_register( "$playerid" );
session_register( "$playername" );
session_register( "$playerpass" );

Kenderized

I thought that you could only session_register() the name of your variable, isnt using something like session_register ("$playerid") trying to session_register the value of that variable?

I always do mine like this for ease of use.

$_Session ['playerid'] = $playerid;

Kenderized

sirblack

Sorry, I thought that's what you were tryign to do.. to assign the value of the variable.. My mistake.

I'll look into your inquiry a bit further..

intenz

Try...

session_start();
$_SESSION['playerid'] = $playerid;
$_SESSION['playername'] = $playername;
$_SESSION['playerpass'] = $playerpass;

Good luck.

RobinDoh

I have tried all of your suggestions but none of them have made any difference. I now have a file that just contains:

<?php

session_start();

$var1 = 'this is variable1';
$var2 = 'this is variable2';

session_register("var1");
session_register("var2");

?>

and the sessions that it creates are still

var1|N;var2|N;

so I'm now quite sure that it is to do with my php.ini configuration (see second post in thread). The problem is I can't find an error in my config. :rolleyes:

RobinDoh

Hmm, I just fixed it, it needed to be session_register("$var"); with a $. I've never done it like that before and it's always worked. Mind you I've never used Windows 2000 before. Maybe it changed in PHP 4.3.0-dev (which is what I'm using), it worked in PHP 4.2.x though.

Thanks sirblack!

RobinDoh

Ignore that, if the $ is in there it puts in the value of the variable as the variable...

this is variable 1|N;

etc

RobinDoh

I'm now using the

$_SESSION['var'] = $var;

method, which seems to be working...

Weedpacket

Glad it's working - it was probably failing before because you were session_registering variables after you giving them their - their sessioned values (if they had any) would then overwrite the values you just gave them.

Forgetting about registering session variables and using $_SESSION[] instead is generally a safer approach 🙂