session variables and redirection problems

mfacer

hi,

I have some session variables which are set once the users login details have been validated. The page looks like this:

session_start();
session_register("status");
session_register("username");

//do all checking for username/pasword
//if pass ok...
$_SESSION['status'] = "1";
$_SESSION['username'] = "$username";
header("Location: ../../admin.php");

else

$_SESSION['status'] = "0";
echo "no such username";

This seems to be ok if I simply didnt use the header: location part. But when the admin page is loaded, it looses the values stored in the session variables.

Any ideas or pointers where I'm going wrong?! I've tried this on my local machine (IIS 5, WinXP and IE6) and on a W2K server. It must work on the w2k server, and apache unix/linux servers.....

thanks guys in advance....

RoadKingHD

In your admin.php page, are you calling

session_start();

mfacer

yeh, sorry... admin.php looks like this:

session_start();
if ($_SESSION['status'] != "1"){
echo "You do not have access to this page<BR>";
exit();
}

Weedpacket

Mixing session_register() and $_SESSION is a guaranteed way of getting into a mess. I reckon the manual ought to make a special point of warning people about this when it discusses sessions. More than once, to make sure it gets through.

session_register("username");
...
$_SESSION['username']=$username;

All this does is set the username stored in the session to the username stored in the session. If $username had any value before session_register("username") was called, it was immediately lost and replaced with the username value stored in the session (that's what session_register() does).

Solution. Consign session_register() to the outer darkness. Forget it exists. Just use $_SESSION[] to interact with session variables.

session_start();

//do all checking for //username/password

//if pass ok...
$_SESSION['status'] = 1;
$_SESSION['username'] = $username;
header("Location: ../../admin.php");

(Of course, if $username is coming from a form, the Right Thing would be for it to be referred to as $_POST['username'] anyway.)

mfacer

hey...

thanks for the tips... I have done what you said and it still didnt work... although at least it is more efficiently coded!!

I have actually found what the problem was..... I subsituted the $status variable to $security and everything worked!! So in my code somewhere I must use $status as another variable!!

I noticed that the $username was still being stored.. but the status was dissapearing....!!

Thanks for the help guys!!

Next time I'll check the code a little closer!! lol!! :rolleyes: