Yet Another Session Question

knelson

here goes:

environment: apache 2.042, solaris 8, php 4.2.3
register_globals are on (small intranet implementation, security risk low)
/tmp directory is owned by apache user (nobody)
sessions are enabled, session.auto_start is off

session_name('creative_auth_session');
session_start();
session_register('$basic_access');
session_register('$admin_access');
session_register('$user_dept');
session_register('$user_logon');
session_register('$user_id');

header("Location:../copy/index.php");

redirection to template page, with the first lines as the following:

session_name();
session_start();

if (!$basic_access)

{
header("login_retry_page.php");
}

elseif ($basic_access == "0")

{
header("login_retry_page.php");
}

else
{
echo "the proper page";
}

the cookie is being set, but the variables set with session_register are not, apparently, because authentication if failing and redirecting to login page. this has been successfully done without sessions and just cookies, so the DB results are fine.

any clues, obvious silly oversights? thanks once again for your time.

knelson

fnbcprog

Try this. I have used this in my script and it works well. The session variables are assigned from a mysql_query and the result set.

// Register Seesion Variables
session_register(SessionID);
session_register(user);
session_register(user_name);
session_register(password);
session_register(access_level);

// Set the Value of these Variable equal to the mysql_query string
list($user,$user_name,$password,$access_level) = mysql_fetch_row($result);

knelson

no dice, unfortunately. here's the modification:

session_name('creative_auth_session');
session_start();
session_register(basic_access);
session_register(admin_access);
session_register(user_dept);
session_register(user_logon);
session_register(user_id);

list($basic_access, $admin_access, $user_dept, $user_logon, $user_id) =
						mysql_fetch_row($sql_result);

header("Location:../copy/index.php");

knelson

entry in the session id file comes out like this:

knelson

is there something wrong with the way I'm returning results that would cause the variables to not be set?

$row = mysql_fetch_array($sql_result);

$user_priv = $row["user_priv"];
$user_admin = $row["user_admin"];
$user_dept = $row["user_dept"];
$user_logon = $row["user_logon"];
$user_passwd = $row["user_passwd"];
$user_id = $row["user_id"];

session_name('creative_auth_session');
session_start();

session_register('$user_priv');
session_register('$user_admin');
session_register('$user_dept');
session_register('$user_logon');
session_register('$user_id');


header("Location:../copy/index.php?");

it seems like i've tried every possible thing to make this work. thanks again.

suntra

Try not using session_register(), just use $_SESSION["variable_name"] = "value";

fnbcprog

Try removing the quotes from the $row variables.

$row[column_name];

Weedpacket

Originally posted by fnbcprog
Try removing the quotes from the $row variables.

$row[column_name];

Very Bad Advice.

See here for why.

Suntra has given the best advice I've seen yet (at least, it's the advice I'd've given if it hadn't been already). Then you wouldn't be at risk of making a mistake and writing

session_register('$user_logon');

instead of

session_register('user_logon');

fnbcprog

I was talking about the variables set above the session variables. Right after the result set has been retrieved.

$row[column_name] -> NO QUOTES

knelson

thanks to everyone for the comments. i'm not at work today, so I can't modify anything. however, I' will try your suggestions on thursday..

according to the manual, you can't register resource variables using session_register, which is obviously the source of this headache.
so late yesterday i took the result set, saved it into an array, split it again into variables using list & array_splice, and then registered the variables.

this time, the actual session file was saving the variable values--but I still saw nothing when I tried to display them or use them for security.

so in addition to being an ugly workaround, it still didn't work.

anyway, thanks again. knelson

Weedpacket

Originally posted by fnbcprog
I was talking about the variables set above the session variables. Right after the result set has been retrieved.

$row[column_name] -> NO QUOTES

Exactly. Very Bad Advice. See here for why.

Weedpacket

Originally posted by knelson
according to the manual, you can't register resource variables using session_register, which is obviously the source of this headache.

Ah, resource variables - that would be tricky; it's a bit hard to session such things, because they exist only in relation to other things on the system (the things they're resourcing). If you sessioned a database connection, for example, does the dbms release its end or not when the script finishes? If it doesn't right away, when should it? And if it does and the script tries to use it again, what happens? When should the server release the resource - whether it be database connection, file, or something else?