Totaly Confused!!!

earthlingzed

I am having trouble with a login script that registers a session variable called username. There is an include file included in all login protected pages that checks for that var being set and if it is not, it bounces the user back to the login page. The problem is that the user logs in and still gets bounced. If they log in again they can get through. What the hell am I doing wrong?

This is the access check include that is doing the bouncing:

<?php

session_start();

if(!empty($username)) {
   $logged = "<span style='text-transform:capitalize'>".$username." </span>logged in";
}else{
    header("Location:index.php");
}

?>

This is the code I am using to register the session var after testing to see if the login is correct:

# begin session, register user name
   session_start();
   session_register("username");

HalfaBee

Don't use session_register()

To set the variable use $_SESSION['username']='$user;

To test if the varaiable is set use

if( isset( $_SESSION['username'] ) )

To access the info use

$_SESSION['username'];
or
$username

HalfaBee

PS from the manual
If you want your script to work regardless of register_globals, you need to use the $SESSION array. All $SESSION entries are automatically registered. If your script uses session_register(), it will not work in environments where register_globals is disabled.

earthlingzed

If I do have register globals turned on in my server config is the it still better to use the session array?

Is there something about session_register() or the way I am using it that does not start the session or register the session var on the first attempt?

Weedpacket

The problem with session_register() in your case is that you're not using it - $username is empty when you first test to see if it's empty.

Go with HalfABee's suggestion; $SESSION[] works like an ordinary array - it's always available in PHP4.1 and later no matter what the setting of register_globals, and you don't need to session_register() stuff. (All session_register('foo') does anyway is "$foo =& $SESSION['foo'];").

Since your problem looks like a missing session_register(), and when using $_SESSION[] you don't use session_register() anyway, it may well solve your problem (more elegantly than putting the session_register() in, that is).

earthlingzed

As per your suggestion, I changed the code to use the $_session array as follows:

   
# begin session, register user name
   session_start();
   $_SESSION['username']=$username;

Access check include file that protects private pages:

 if( isset( $_SESSION['username'] ) ) { 
   $logged = "<span style='text-transform:capitalize'>".$_SESSION['username']." </span>logged in";
}else{
    header("Location:index.php");

}

I am still gettign the same symptom - the user is bounced to the login page. Am I not registering the session at the right place or am I just an idiot (rhetorical)?

HalfaBee

Not knowing exactly how you have it set up, I will give you a quick run down.

Page 1
Get user / password
submit to page2

Page2
session_start();
if( user and password correct )
$_SESSION['username']=$user;
goto page3

PAGE 3
session_start();
if( isset( $SESSION['username'] ) ) {
$logged = "<span style='text-transform:capitalize'>".$SESSION['username']." </span>logged in";
}else{
header("Location:index.php");

Of course this is only psuedo code but it gives the idea of what has to happen.

HalfaBee

earthlingzed

Is there any possibility that if one were using meta tags to prevent page caching that a session variable would not be carried over to a new browser window?

example: <META HTTP-EQUIV='Pragma' CONTENT='no-cache'>
<META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'>