PHP 4.3 and sessions

frankenstrat

I am having a heck of a time getting sessions to work with a server running
PHP 4.3. I am aware of the new security settings with respect to the
register gobals being turned off. The biggest problem I have at the moment
is destroying the session.

Any help would be greatly appreciated!!!

here is how the script works...

<?php
include "db.php";
include "common.php";

session_name("testsession");
session_start();
if (!isset($SESSION['testsession'])) {
$SESSION['testsession'] = false;
?>

HTML form code for username and password

<?php
exit;
}

dbConnect('cygnal');
if ($_POST[submit]) {

$username = $REQUEST['uid'];
$password = $REQUEST['pwd'];

$authsql = mysql_query("SELECT * FROM users WHERE username = '$username' AND
password = PASSWORD('$password')");

//if there is an error with the database
if (!$authsql) {
error("A database error occurred while checking your ".
"login details.\nIf this error persists, please ".
"contact the system administrator.".mysql_error()."");
}

// if username and password dont' match anything in the database
// ask the user for input again
if (mysql_num_rows($authsql) == 0) {

HTML form code for incorrect username and password

<?php
exit;
}
if (mysql_num_rows($authsql) == 1) {
$_SESSION['cygnalnews'] = true;
}
}

//user clicks on logout link
if ($GET[logout]) {
$SESSION = array();
// Finally, destroy the session.
session_destroy();
header("location: index.php");
}
//EOF
?>

I use the above file at the top of every page that I want secured

eg; include "accesscontrol.php";

Can anyone point me in the right direction here?

Cheers
Ken

chaosdivine

BEFORE YOU READ: This is not helpful info that follows, just the expression of my own problems with sessions....dude I sympathize with you!

------Anyhow------If it makes you feel any better I too am having extremely difficult times making sessions work AT ALL too. I have spend literally one solid week (with sleeps and time to take a pee) straight trying to solve this session and login problems. I have taken endless tutorials on sessions and the like and I am coming to the conlusion that sessions suck huge! I mean I only wanted to use them so I didn't have to rely on cookies and the user's browser disallowing them for whatever reason... It seemed to me sessions are the way to go as they are processed on the server and you don't have to worry about them in your browser cache.

My setup is: PHP v. 4.3.2/Apache 1.3.27/Windows XP/MySQL 4.0.12. Globals OFF in the php.ini. Anyway to make my ramble shorter what I have come to understand is this:

========================================

Updated: Drew, TURN YOUR FIREWALL SETTINGS OFF IN FUTURE DUMBASS! :o He he, I just figured out that I had this kind of 'cookie' or session blocked in Zone Alarm Pro........DOH! Each time it would create an initial session with the variables in it...But on the second page the session start() function would create another blank session and not carry forward the information from the first session...

Man do I ever feel dumb! Anyhow I upgraded my PHP/MySQL to the latest versions...perhaps a slight waste of time but I feel confident now.

The moral of my story is this...if suddenly you are having problems with sessions transfering variables from page to page, make sure you don't have your firewall configured to block cookies and sessions.....

I can't wait for my hair to grow back now! He he...

=======================================

So dude if I can figure this out I will be glad to help you with your login/membership script. I too am trying to create one. I see that you have used a bit of mr. Kevin Yank's (from www.sitepoint.com) code in your own...he he I tried his too but it does not work for me...

Maybe if you can get yours to work you would like to share it with me and the masses who are pulling our hairs out in frustration...

If I master it I will return the favor...

Peaceout,

Drew

frankenstrat

Try this and pay notice that this script also logs the time the user logged in...

<?php
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");

session_start();
//files to connect to database
include "db.php";
include "common.php";

if(! isset($POST['userid']) and ! isset($SESSION['userid'])) {

?>

<html>

<head>

<title> Please Log In for Access</title>

<LINK REL="StyleSheet" HREF="css/ics.css" type="text/css">
<script language="JavaScript" src="scripts/.js" type="text/javascript"></script>
</head>

<BODY BGCOLOR="#FFFFFF" LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0" onload="document.Login.userid.focus();">
<form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post" name="Login">
<B>Sales Access</B><br>
<B>Email Address:</B> <input type="Text" name="userid" value="" SIZE="25" CLASS="text"><br>
<B>Password:</B> <input type="password" name="passwd" value="" SIZE="25" CLASS="text"><br>
<INPUT TYPE="submit" NAME="submit" VALUE="Login" CLASS="button" onMouseOver="temp=this.style.color; this.style.color='#ffd700';" onMouseOut="this.style.color=temp;"><br>
</FORM>
</body>

</html>
<?php
exit;
}

if(! isset($SESSION['userid'])) {
$userid = $POST['userid'];
$passwd = $POST['passwd'];
$SESSION['userid'] = $userid;
$SESSION['passwd'] = $passwd;
} else {
$userid = $SESSION['userid'];
$passwd = $_SESSION['passwd'];
}

dbConnect('sales');

$authsql = mysql_query("SELECT * FROM sales_reps WHERE email_address = '$userid' AND password = PASSWORD('$passwd') AND userstatus != '1' ");

if (!$authsql) {
error("A database error occurred while checking your ".
"login details.\nIf this error persists, please ".
"contact the system administrator.".mysql_error()."");
}

if (mysql_num_rows($authsql) == 1) {
$loggedsql = mysql_fetch_array($authsql);
extract ($loggedsql);
if ($loggedin=='0') {
$loginsql = mysql_query("UPDATE sales_reps SET lastlogin=CURRENT_TIMESTAMP, loggedin='1' WHERE email_address = '$userid'");
}
}

if (mysql_num_rows($authsql) == 0) {

unset($SESSION['userid']);
unset($SESSION['passwd']);
session_destroy();

<html>

<head>

<title> Please Log In for Access</title>

<LINK REL="StyleSheet" HREF="css/ics.css" type="text/css">
</SCRIPT>
</head>

<BODY BGCOLOR="#FFFFFF" LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0" onload="document.Login.userid.focus();">
<form action="<?php echo $SERVER['PHP_SELF'] ?>" method="post" name="Login">
<B>Sales Access</B><br>
Your user ID or password is incorrect, or you are not a registered user on this site.<br>
<B>Email Address:</B><input type="Text" name="userid" value="<?php print $userid; ?>" SIZE="25" CLASS="text"><br>
<B>Password:</B><input type="password" name="passwd" value="" SIZE="25" CLASS="text"><br>
<INPUT TYPE="submit" NAME="submit" VALUE="Login" CLASS="button" onMouseOver="temp=this.style.color; this.style.color='#ffd700';" onMouseOut="this.style.color=temp;"><br>
</FORM>
</body>

</html>

<?php
exit;
}
$SESSION['sales'] = mysql_result($authsql,0,"email_address");
?>

chaosdivine

Hey thanks for letting me vent, I feel much better but now I am bald...(hair's all pulled out now) 😉

But seriously now, I like what you've done with your code. Except I don't see how it passes your 'logged in' status to another page. There is no redirect header() or meta refresh or link for that matter to another page saying 'BINGO, it works'. That page would also have to verify the session login status as well. And this would be my point earlier. This new way of doing sessions does not seem to work. You code simply checks to see if form data is present, if not then shows a form so you can gather user data, then checks that data against a database all in the same page, if there are results it starts a session with variables...then what?

I don't think you're logged in anywhere?!?!? Am I missing something?

But thank you again for posting your code, I think you're on to something...

Cheers,

frankenstrat

Include the following at the top of every page you want to secure, including your index.php

<?PHP
include "accesscontrol.php";
?>

Cheers
Frankenstrat

frankenstrat

Create a separate file and call it logout.php and put the following in it;

<?php
include "db.php";
dbConnect();
// logout.php - destroy session
$loginsql = mysql_query("UPDATE sales_reps SET loggedin='0' WHERE email_address = '$GET[logoutemail]'");
// destroy session variables and send back to login page
session_start();
$SESSION= array();
unset($_GET[session_name()]);
session_destroy();
header("Location:index.php");
?>

and I call it with the following
<A HREF="javascript:logout('logout.php?logoutemail=<?php print $email_address; ?>');">logout</A>

and here is the javascript function;

function logout(url) {
if (confirm("Are you sure you want to logout?")) {
document.location=url;
}
}

Let me know how it works for ya

frankenstrat

I had a problem creating and destroying sessions on win32, make sure that you have the tmp directory setup or otherwise none of the above will work...

chaosdivine

Well I think you have some great code actually and I have come to the conlusion that its my PHP setup on my laptop here thats giving me the grief. I have seen some great tutorials on sessions now and I thought they were flawed...

two such URLs worth mentioning for straight and to the point help:
http://www.codemain.com/modules.php?name=News&file=article&sid=2

and

http://www.codemain.com/modules.php?name=News&file=article&sid=7

I have come to this conclusion using this code (from one of the above pages-just can't remember which one:

//pageone.php

<?php
      session_start();
      $_SESSION['global_name'] = "This is in the global_name now";
   ?>
   <html>
   <head><title>Page Title</title></head>
   </body>
   This is link on the page:
   <a href="secondpage.php"> LINK TO NEXT PAGE </a>
   </body>
   </html>

and

//secondpage.php
<?php
      session_start();
?>
   <html>
   <head><title>Page Title</title></head>
   <body>
   <?php echo $_SESSION['global_name']; ?>
   </body>
   </html>

Anyhow this should pass the variable at least from one page to the next...it does NOT work in my case. I get a big fat glaring white empty page. Looks like my head now that I pulled out all my 'do' (both head and armpits 😉 ).

So thank you for your time and effort posting your code. I will see if I can uninstall PHP from my laptop rig and try it all again using version 4.3.2 instead of 4.3.1.

I dunno what else to do. I have tried and tried but the simpliest thing here got me...it HAS to be the setup.

I hope to try your ideas in future...till then,

Adios,

chaosdivine

========================================

Updated: Drew, TURN YOUR FIREWALL SETTINGS OFF IN FUTURE DUMBASS! He he, I just figured out that I had this kind of 'cookie' or session blocked in Zone Alarm Pro........DOH! Each time it would create an initial session with the variables in it...But on the second page the session start() function would create another blank session and not carry forward the information from the first session...

Man do I ever feel dumb! Anyhow I upgraded my PHP/MySQL to the latest versions...perhaps a slight waste of time but I feel confident now.

I can't wait for my hair to grow back now! :p He he... And to try your code! 😃 Thanks for posting it here, I hope others can find it useful too!

=======================================

Hoangsta

in ur code:

//pageone.php 

<?php 
      session_start(); 
      $_SESSION['global_name'] = "This is in the global_name now"; 
   ?> 
   <html> 
   <head><title>Page Title</title></head> 
   </body> 
   This is link on the page: 
   <a href="secondpage.php"> LINK TO NEXT PAGE </a> 
   </body> 
   </html> 


//secondpage.php 
<?php 
      session_start(); 
?> 
   <html> 
   <head><title>Page Title</title></head> 
   <body> 
   <?php echo $_SESSION['global_name']; ?> 
   </body> 
   </html> 


try tis....

//pageone.php 

<?php 
      session_start(); 
     // Register the input with the value 
$_SESSION['user_name'] = $_POST['user_name'];

where user_name is the variable in your form....for example

<FORM ACTION="$php_self" METHOD="POST">
<P CLASS="bold">Username<BR>
<INPUT TYPE="TEXT" NAME="user_name" VALUE="" SIZE="10" MAXLENGTH="15"></P>
<P CLASS="bold">Password<BR>
<INPUT TYPE="password" NAME="password" VALUE="" SIZE="10" MAXLENGTH="15"></P>
<P><INPUT TYPE="SUBMIT" NAME="submit" VALUE="Login"></P>
</FORM>
   ?> 
   <html> 
   <head><title>Page Title</title></head> 
   </body> 
   This is link on the page: 
   <a href="secondpage.php"> LINK TO NEXT PAGE </a> 
   </body> 
   </html> 

on ur second page:

//secondpage.php 
<?php 
      session_start(); 
?> 
   <html> 
   <head><title>Page Title</title></head> 
   <body> 
   <? echo $_SESSION['user_name']; ?>
   </body> 
   </html>

hope that help...i'm working on a way to stop non members from coming to member page...if u have one, let me know.

minorgod

You really don't need a call to session_destroy(). All you need to do is set your session array to NULL and you kill all the registered session vars like so...

$_SESSION=NULL;

rachelkoh

Hi guys,

I guess you guys are pretty good with session controls etc. I hope someone can help me. After I've upgraded from PHP4.1.1 to PHP4.3.3, I'm having this warning message everytime I login:

Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in Unknown on line 0

I'm a student doing a project for my school. They are not going to turn on register globals nor off the sessions bug etc for me. How can I solve this problem?

Here's the code where I register the session:

<?php

  // include function files for this application
  require_once("all_functions.php");
  session_start();

  $username = $HTTP_POST_VARS["username"];
  $password = $HTTP_POST_VARS["password"];

  if ($username && $password)
  // they have just tried logging in
  {
    if(login($username, $password))
    {
      // if they are in the database register the username
      $valid_user = $username;     

      session_register("valid_user");  

    }
    else
    {
      // unsuccessful login
      do_html_header("Problem:");
      echo "You could not be logged in. <br>
            You must be logged in to view this page. <br>
            Please go back and try again.<p>";
      do_html_url("index.php","Login");  

      do_html_footer();
      exit;
    }
  }

  do_html_header("Members - Home");
  //check_valid_user
  if (session_is_registered("valid_user"))
  {   

      display_publisher_menu();
      echo "Logged in as $valid_user.";
      echo "<br>";
  }
  else
  {
     // they are not logged in 
     do_html_heading("Problem:");
     echo "You are not logged in.<br>";
     do_html_url("index.php", "Login");
     do_html_footer();
     exit;
  }    

  do_html_footer();

?>

minorgod

This should be posted on a new topic, but here's a quick rewrite of your code using the new proper session syntax for PHP. I don't know if it will work any better for you, but it shouldn't cause any warnings about globals. I don't know what's in your include files, but if you've been using any variables that you used with session_register(), then you should change all your variables to $_SESSION['variable_name'] and remove all your session_register() statements. All you have to do to set a session variable is start your session and then say

$_SESSION['my_variable']='somevalue';

So anyway, try this code...

<?php 

  // include function files for this application 
  require_once("all_functions.php"); 
  session_start(); 

  if ($_POST["username"]!='' && _POST["password"]!='') 
  // they have just tried logging in 
  { 
    if(login($_POST["username"], $_POST["password"])) 
    { 
      // if they are in the database register the username 
      $_SESSION['valid_user'] = $_POST["username"];         

    } 
    else 
    { 
      // unsuccessful login 
      do_html_header("Problem:"); 
      echo "You could not be logged in. <br> 
            You must be logged in to view this page. <br> 
            Please go back and try again.<p>"; 
      do_html_url("index.php","Login");   

      do_html_footer(); 
      exit; 
    } 
  } 

  do_html_header("Members - Home"); 
  //check_valid_user 
  if (isset($_SESSION['valid_user'])) 
  {    

      display_publisher_menu(); 
      echo "Logged in as $_SESSION[valid_user]."; 
      echo "<br>"; 
  } 
  else 
  { 
     // they are not logged in 
     do_html_heading("Problem:"); 
     echo "You are not logged in.<br>"; 
     do_html_url("index.php", "Login"); 
     do_html_footer(); 
     exit; 
  }     

  do_html_footer(); 

?>

rachelkoh

Hi minorgod,

Thanks for the solution. Yup, it solves my problem!

For anyone interest, turning session.bug_compat_42 or session.bug_compat_warn to off will turn off the warning but generate more errors.