session help

destop

whenever i start a session on a new page it always creates a new sess_7834634567856????...... file rather than pick up a new one. It should see that there is already a session open, but it isn't doing so. for example see below code. please someone help me understand why?

one.php

<?
session_start();
$_SESSION["HELLO"] = "hello"
header ("location:path/to/two.php");
exit;
?>

two.php

<?
session_start();
echo "$_SESSION[HELLO]";
?>

two.php starts a new session it does not see $_SESSION[""]

PLEASE HELP!

cahva

Try:

// one.php
<?
session_start();
session_register('hello');
$hello = 'hello';
header ("locationath/to/two.php");
exit;
?>

//two.php
<?
session_start();
echo $_SESSION['hello'];
?>

Maybe your code would have worked just by changing echo "$_SESSION[HELLO]"; to echo $_SESSION['hello'];

Remember that in variables, it isnt the same if using lowercase or uppercase. $HELLO and $hello would be different variables...

MrAlaska

My guess is that you have cookies disabled and PHP is not appending the URL for the header() so it has no way of knowing you belong to the session. Try appending the URL yourself:

<?php
session_start();
$_SESSION['HELLO'] = "hello";
$url="two.php?".SID;
header("Location: $url");
?>

Originally posted by cahva
Try:

// one.php
<?
session_start();
session_register('hello');
[/QUOTE]
There is no reason to ever use session_register() at all, and plenty of reason not to. The only reason PHP still supports it is for legacy code, even the manual discourages its use.

jamie_kerwick

Try changing one.php to

<?
session_start();
$_SESSION["HELLO"] = "hello"
header ("location: path/to/two.php?". session_id());
exit;
?>

It maybe that the session ID is not being passed

destop

Thanks for the help everyone, i havn't tried the suggestions yet but i'll let you know what happens when i do

😃 😉 :p

cahva

There is no reason to ever use session_register() at all, and plenty of reason not to. The only reason PHP still supports it is for legacy code, even the manual discourages its use. [/B]

Ok, I checked those out now and you are right. And the manual says that I should not use them(session_register & $_SESSION) together. But the manual doesnt tell any rational reason why not to use session_register.

But anyway. Today I thought to change one of my sites to use $SESSION instead of session_register. I ran on to a problem.. I thought that the two are mostly the same thing so I changed the session_register to $SESSION. After changing, my login stopped working... Heres the code..(I have taken all Ifs and mysql-thingies out bcos they are not relevant)

session_start();
$sessid=session_id();

$_SESSION['userid'] = $userid;
$_SESSION['sessid'] = $sessid;
redir("blaah.php");

Ok, I have understood that now I can use those variables in page blaah.php after using session_start(). ( Like I did before with session_register )

It doesnt print the values of $SESSION['userid'] and $SESSION['sessid'] at all in the second page(eg. echo $_SESSION['userid']).

Funny, when I change the first code to:

session_start();
$sessid=session_id();

session_register('userid') = $userid;
$_SESSION['sessid'] = $sessid;
redir("blaah.php");

.. It shows both - $SESSION('userid') and $SESSION('sessid').
Why didnt it print sessid in the first code, but it prints it when I register userid? Why does registering 'userid' make $_SESSION('sessid') working?

Ok, I probaply didnt tell this the best way but I hope someone understands the little dilemma Im having now. I shouldnt use session_register at all, but then again it doesnt work with $_SESSION.

MrAlaska

You do not mention how and when you are assiging userid, but it should be before you assign it to a session variable. I am not sure why session_register() would work and not assigning it specifically, but it might have something to do with the global scope of the $_SESSION variables when you use session_register().

The code below works on my machine with globals and cookies turned off, but $_SESSION is unable to read a cookie on my machine on the redirect unless I address the page explicitly by the numeric LAN address. That is one of the reasons I do not like redirects.

First page:

<?php
// test.php
session_start();
$userid = "USER_ID";
$_SESSION['userid'] = $userid;
header( "location: test2.php?".SID );
?>

Second page:

<?php
// test2.php
session_start();
echo $_SESSION['userid'];
?>

The major part of the issue regarding using session_register() is security related. It is difficult to secure a site that has globals registered and uses session_register(). For the manual to really get into it would basically entail giving detailed lessons on how to hack into sites with globals turned on. That might hurt more people than it helped, and it is not needed because we have the $_SESSION array at our disposal which does not carry the same risks. I have only seen one page that gives a comprehensive essay on the sideways approaches to get past security on a site using session_register() and some of the methods described amazed me. That page was subsequently removed, and for good reason in my opinion.