[Resolved] sessions dont seem to work on other pages...

helz

i dont know how but i think i managed to create a login script, after one error that i put in an if field, the code worked perfectly no errors, except i think i missed something, because i logged in, i know it created the session username because the code is:

	$_SESSION['username'] = $_POST['user_name'];
	$_SESSION['password'] = md5($_POST['pass_word']);
	$username = $_SESSION['username'];
	print "Woo, You successfully logged in as: ".$username."";

and the var username goes off the info in the session, but the session doesnt seem to spread to other pages even tho the start_session() is in the header.php which is included on all pages, or should i say everything is included into it, the index.php file anyway, i called for it using the: $username = $_SESSION['username']; and echo'ed it but nothing shows...

here is the code for the login.php file:

<?
/*
// start session
session_start();
// require the db connect information for the username/password check
require ("".$DOCUMENT_ROOT."/cgi-bin/connect.php");
*/

// if the form has been submitted start login check else display form
if (isset(/*(*/$_POST['user_name'])/* && ($_POST['pass_word'])*/) {
		$result = mysql_query(" SELECT username, password FROM ".$membertable." ");
		if (!$result) {
		echo("<p>Error performing query: ".mysql_error()."</p>");
		exit();
		}
			// loop result to find data on usernames,passwords
			while ( $row = mysql_fetch_array($result) ) {
			$usertest = $row["username"];
			$passtest = $row["password"];
				// perform checks on the user-entered username / password
				if ($_POST['user_name'] !== $usertest) { $flag==0; }
				elseif (($_POST['user_name'] == $usertest) && ($_POST['pass_word'] !== $passtest)) {$flag=2;}
				elseif (($_POST['user_name'] == $usertest) && ($_POST['pass_word'] == $passtest)) {$flag=1;}
			}
			// die if username check returns false
			if ($flag==0) {
			die("You entered an incorrect username.");
			}
			// die if password check returns false
			elseif ($flag==2) {die("You entered an incorrect password for this username: ".$usertest."");}
		// if the login check returns true echo completion and set session username
		elseif ($flag==1) {
		$_SESSION['username'] = $_POST['user_name'];
		$_SESSION['password'] = md5($_POST['pass_word']);
		$username = $_SESSION['username'];
		print "Woo, You successfully logged in as: ".$username."";
		}
// additional check to see if the user is already logged in
} elseif ($_SESSION['username']) {
die("You are already logged in as: ".$_SESSION['username']."");
// if task = logout, unset & destroy session
} elseif ($task=="logout") {
session_unset();
session_destroy();
echo "You have successfully logged out!";
// display login form
} else {
echo  "Login Here:<br>
	   <form method='post' action='index.php?login=login'>
	   Username <input type='text' name='user_name'><br>
	   Password <input type='password' name='pass_word'><br>
	   <input type='submit' name='submit' value='Login!'>";
}
?>

dalecosp

I guess one thing to check would be that sessions are correctly written to /tmp or wherever the session path lies; and that the SESSID is either being passed via the URL or that cookies are enabled on the browser you are using, and not being rejected for any reason...

helz

well, the session id is not being past thru the url, and ive not set it to use cookies, as you can see by the code, how would i go about tesitng the sessions, and setting it to send the id thru the url?

kenhess

What I found when using sessions is that on each page that you want the variables carried to, you will have to put session_start(); at the first of that page too.

Then your variables will show up in that page.

Ex:

page1.php
<?
session_start();
session_register("var1", "var2");
$var1 = "blah";
$var2 = "yada";
echo "<FORM ACTION='page2.php' METHOD='POST'>";
echo "<INPUT TYPE=submit VALUE='submit'>";
?>

page2.php
<?
session_start();
echo "$var1";
echo "<P>";
echo "$var2";
?>

this should echo your two variables...and the simple way it is written asssumes you have register globals On in your php.ini, but you can make the code additions if not.

Hope this answers your question.

helz

well the only thing is that all my pages are included into index.php when requested, and index.php includes header.php which has the session_start() at the top of it, no idea why it doesn't work tho.

the login page after logging in successfully it displays the username which is grabbed from the session, so its working on the login page but no-where else,

will i need to pass the session id thru links, also i heard that this was automatic, but not sure how to do this...

dalecosp

originally posted by helz
i've not set it to use cookies

Nope. But you don't have to. Session support uses cookies to track the SESSID, dependent on local configuration.

Probably the three directives in php.ini which have the most bearing here are the following:

session.use_cookies
session.use_only_cookies
session.use_trans_sid

Obviously, if #2 is ON, nothing will happen automagically, URL-wise. The last one is the one you want, I expect...

helz

i got some help from a friend and its all working now, thanks anyway

stolzyboy

so what was the problem, it may help others here

helz

to be honest ive no idea, probobly just the way i made it, heres the new and updated script:

also what i found was even tho the user logged in correctly you have to refresh the browser to make the changes work. (probobly the same reason why this forum and others go to a redirect/refresh page in-between changes)

<?php
session_start();
if (isset($_POST['user_name'])) {
	//be sure you check the values of post against a permitted list of characters (ie., alphanumeric + some punctuation) before you do this:
	extract($_POST);
	$result = mysql_query(" SELECT username, password FROM ".$membertable." WHERE username = '".$user_name."'");
	//query the database here with "SELECT username. password FROM members WHERE username=$user_name"
	// if result = mysql error, username and password entered are incorrect
	if (!$result) { 
		//they have supplied an invalid username/password pair!
		print '<p>Supplied username-password combination is invalid.  Please try again.</p>';
		loginForm();
		exit();
	}
	else {
		//they checked out. register their username and password
		session_register('user_name', 'pass_word');
		//now show them the stuff.
		print "Woohoo! You have successfully logged in as: $user_name<br />";
		print '<a href="index.php">Click here</a> to complete the login procedure';
		logoutButton();
	}

}
elseif (session_is_registered('user_name') && session_is_registered('pass_word')) {
	//they didn't supply a username and password, but they are registered with the session
	//check to see if they want to log out
	if ($task == 'logout') {
		session_unset();
		session_destroy();
		loginForm();
	}
	//otherwise give them the goods
	else {
		print "You're still logged in as $user_name<br />";
		logoutButton();
	}
}

else {
	//if they get here, it is probably the first time they're visiting the page
	//give them the login form
	loginForm();
}

function loginForm() {
	//print out a login form - in a function like this, you don't have to write it out a billion times
	print "Login Here:<br>
	       <form method='post' action='login.php'>
	       Username <input type='text' name='user_name'><br>
	       Password <input type='password' name='pass_word'><br>
	       <input type='submit' name='submit' value='Login!'>";
}
function logoutButton() {
	//print out the logout button
	print '<form action="login.php" method="post">
			<input type="hidden" name="task" value="logout" />
			<input type="submit" value="Logout" />
			</form>';
}
?>

and here is the script to check whether the user is logged in for the rest of the site.

at the top of ismember.php is an if statement that checks whether the session has already started, but i dont have the code yet for that if it is at all possible...
also my site uses a header.php so i have session_start() at the top of that so i dont have session_start() in the login page like above.

ismember.php

<?
if (session has started) {}
else {session_start();}
require ("".$DOCUMENT_ROOT."/cgi-bin/connect.php");
$username = $_SESSION['user_name'];
$password = $_SESSION['pass_word'];
$result = mysql_query("SELECT username, password FROM ".$membertable." WHERE username = '".$username."' AND password = '".$password."' ";
if (!$result) {$flag=0} // if flag = 0 user not logged on
else {$flag=1} // if flag = 1 user is logged on...
/*
		To incorporate this into your code.
   simply insert this into the top of your pages:
			require("ismember.php");
	and then in your code add this to enable it:

	if ($flag==0) {
	echo "You do not have access to this page!";
	elseif ($flag==1) {
	echo "You have access to this page";}

*/
?>

hope this helps, its not the best solution but it is the one im willing to use, also if any of you have any comments for security issues with this please post..

============EDIT=================
ive just found out that there is no thang to check whether i session has already been started, so im not sure on what to do. if anyone can help please do 😃
========NEW EDIT===========
right for that if statement just do a check to see if a session variable is there and if so dont start session then else start session

if ($_SESSION['user_name']) {}
else {session_start();}