cannot retain session variables

farberama

I have built a site on my machine using PHP 4.1.1. I use session control to control access to the site. Everything works perfectly on my machine, but when I uploaded it to the hosting provider's server, the site no longer retains the session variables from one page to the next. What is even more odd is that every once in a while it does work. The hosting provider uses PHP 4.0.6.

I use the following code at the top of each page:

require_once("tuxnotes_fns.php"); 
session_start();

check_valid_user();

//from tuxnotes_fns.php
function check_valid_user()
// see if somebody is logged in and notify them if not
{
global $valid_user;

if (session_is_registered("valid_user"))
{
return;
}
else
{
// they are not logged in
$error = "You must be logged in to view this page. Please log in and try again.";
include("error.php");
exit;
}

}

Can anyone help me and hopefully keep me from pulling out what's left of my hair!

Thanks in advance.

MrAlaska

It is because you are using session_register() and session_is_registered() which depend on globals being registered which is disabled on recent installations for security purposes. If it works sometimes, that would scare me.

Get rid of all the session register stuff and access and set your variables through the $_SESSION array. Since you have a function set up, it will simplify the task 🙂

if (isset ($_SESSION['valid_user'])) {
//user is good
} else {
// user is bad
}

To set a variable:

$_SESSION['valid_user']='valid';

farberama

I checked and the hosting provider has register_globals turned on.

MrAlaska

Originally posted by farberama
I checked and the hosting provider has register_globals turned on.

All the time?

If you make your code server transparent, it will run anywhere, but this might mean checking not only $_SESSION and $HTTP_SESSION_VARS, but the $GLOBALS[HTTP_SESSION_VARS] array as well.

There might also be problems setting cookies or something in the ini file, the 'occasional' thing still would make me apprehensive. If it was me, I would ditch native session management and manage my own sessions, but then I do that anyway 😃

farberama

I tried your suggestion using $_SESSION and it still did not work. How do you go about managing your own sessions?

MrAlaska

Originally posted by farberama
I tried your suggestion using $_SESSION and it still did not work. How do you go about managing your own sessions?

Did you try using $HTTP_SESSION_VARS? I would also give that a shot, or even $GLOBALS[HTTP_SESSION_VARS].

Building your own: It takes a bit of thought and work to set up, but might end up with a more scalable and efficient solution than using native sessions.

One method is to borrow somebody elses solution. Native sessions borrowed a lot of its methodologies from PHP_LIB which was a popular package that many used for this purpose before PHP introduced $_SESSIONs.
http://homepage.mac.com/ghorwood/php_lib_login/

To build one from the ground up, you try to decide whether to go with a database or file based system then after you decide to go with a database driven system you build a session table in your database to track the various variables you wish to keep track of.

When a user visits or logs into your site, you check if they have a cookie or session ID in the URL they arrived with. If not, you issue one to them and plant a cookie. If they do not accept the cookie every local link they have will have a really long URL and every form will have an extra hidden POST input. $_SESSIONs do this for you right now, but building your own you will need to do it in your code.

Every time they visit a page, you will update the database with the latest timestamp, as opposed to updating a file which $SESSIONs have been doing transparently. If they need to be logged in you can have columns in your table to track their access level or whatever, just as $SESSIONs give you the option of registering variables. Except now you are building your own register() function, or my preference, the OOP aproach $session->register()

If security is an issue, you would also put fields in your session table to record IP, forwarded IP, and browser used to validate against. It is fun!

farberama

Lately it works about 40% of the time. I just don't understand it. I've been playing around with the site and have been putting debugging code in. I logged in using one identity with a userID of 3 which is outputed at the top of the page (valid_user). I went to another page and the userID it outputs is 2. This is the userID from the previous identity I logged in with and subsequently logged out with. Could this be a caching problem with the hosting provider? I don't have this problem when using my local version of the application.

If you have the time you could try it out for yourself.

www.tuxnotes.com/index2.php

The userID for this identity is 3.

MrAlaska

I didn't see any way to catch the user ID, but my login did not last long enough to look much lol

You do seem to have some sort of server problem there. When I first logged in I refused the cookie and it dutifully filled all the links but everything I clicked on came up with 'you need to be logged in' This could have been in your code, though.

However, it quit prompting me for a cookie, and quit injecting the URL's. It acted like somebody had suddenly turned Sessions off. Very strange behavior if you ask me.

farberama

the userID is located at the top left of the page in black. it is hard to see if you dno't know its there. if you log in and get to the memberHome page and then click on another link somtimes it works and sometimes it doesn't. if it doesn't work i go back and it will tell you to refresh the page. sometimes after i've done this the other links work. It's just so strange!

MrAlaska

I see the user_id now lol

When I first log in it would set to '3', but subsequent links would not show me any number and I would get the 'need to be logged in' page. My session ID would remain intact, though.

It is possible that with my previous problem with cookies I might have clicked 'yes' by accident to one of them. I was very careful this time and that error did not repeat itself.

If the links sometimes work for you, then that is strange indeed. I don't know what to tell ya, sorry! I was not able to get past the first page whether I accepted the cookie or not.

MrAlaska

Hmm. Interesting. I just opened a new window which took me to the main page. Since I had the cookie in my browser, I clicked on 'mission statement' this time and it showed my number as '3'.

Before when I logged in then tried to get 'mission statement' it would show the number as not existing.

However, when I clicked on another link, I lost the user id.

I feel like I am missing something obvious, but I can't think of what 😃

farberama

I appreciate all your help anyway. Thanks.

Anyone else out there have an idea of what is going on?

MrAlaska

One more oddity to report before I give up lol

I went there a couple more times, and all of a sudden the HTTP_SESSION_VARS showed a number. I tried to go to another page and lost it, then when I came back the HTTP number was gone. I refreshed a couple times and it came back. Then, just once, I was able to open another page.

Were you playing with it? Something almost worked for a second there.

farberama

I fell the same way MrAlaska! Like I said earlier, it works perfectly on my local machine. I added debugging code that pulls the value from $HTTP_SESSIOn_VARS and still sometimes its there and sometimes not!

farberama

I added that code only to the memberHome page

farberama

i'm talking about the value being there sometimes and sometimes not.

farberama

I added the $HTTP_SESSION_VARS debugging code to the other main pages as well.

MrAlaska

I see that. Just for the hell of it, I used the cheap globals exploit to change my user number to 5 (I couldn't remember the tricky eploit to actually register myself, and too lazy to look it up)

When I went to the page, it showed me as user number 5 every time I refreshed but the page would not show. However, every once in a while the HTTP_SESSION_VARS would show me as 3 (because the cookie is still on my machine) and the page would show.

It certainly appears to be some sort of server problem, but it is escaping me what it might be. The server manages to pass the session ID, but somehow seems to lose the variables. I would be looking at managing my own sessions at this point, or even a new host lol

Maybe somebody will drop by with the answer that has me slapping my forehead. I hope so!

farberama

I removed the HTTP_SESSION_VARS code from showing on the page and added variable dumps that show as html comments if you view the source. It shows that the PHPSESSID still exists but the session variables vanish, but we already knew this. Again, I really appreciate all of your help. Thanks.

farberama

I think the problem might be with the duration of the session. I created a test that registers a session variable and increments is by 5 each time you go back and forth from the first page to the second. to unregister the variable you go to the 3rd page. The code for these pages are below. What I've noticed with this test is after about a minute of going back and forth from test.php to test2.php the variable either jumps to some add number or displays " not registered". Does anyone have any idea of what is going on?

You can test these pages yourself at www.tuxnotes.com/test.php

test.php>>>
<?
require_once("tuxnotes_fns.php");
session_start();

if(!isset($valid_user))
{
$valid_user=0;
session_register("valid_user");
}

if(session_is_registered("valid_user"))
{
	$valid_user += 5;
	echo $valid_user;
}
else
	echo "not registered";

?>
<br>
<a href="test2.php">test2</a>
<a href="test3.php">test3</a>

</body>
</html>

test2.php>>>
<?
require_once("tuxnotes_fns.php");
session_start();

$valid_user += 5;

include("testInclude.php");

?>
<br>
<a href="test.php">test</a>
<a href="test3.php">test3</a>

</body>
</html>

test3.php>>>
<?
require_once("tuxnotes_fns.php");
session_start();

session_unregister("valid_user");
session_destroy();
include("testInclude.php");

?>
<br>
<a href="test.php">test</a>
<a href="test3.php">test3</a>

</body>
</html>

testInclude.php>>>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<?

if(session_is_registered("valid_user"))
	echo $valid_user;
else
	echo "not registered";