[Resolved] sessions not working ?

ejwf

I have a login form on the first page, from which I want to take the username and password and save them as session variables to take them forward from page to page.

the part of my code that does this is ;


if ($username && $password)	      // everything is OK
{							// query the database
$query = "SELECT UserId FROM tblUser                      

          WHERE CLogIn='$username'
          AND CPass=PASSWORD('$password')";
         $result = @mysql_query($query);
         $row = mysql_fetch_array ($result, MYSQL_NUM);

if ($row)  // username and password match database records   

 {
 // start the session, register the values and redirect
session_start();
         $_SESSION['password'] = $row[1];
         $_SESSION['username'] = $row[2];	 
         $_SESSION['UserId'] = $row[0];

I have been going over this for days now and I know the session variables are not working - on the next page I have
session_start ();
right at the top, but when I try to test the session variable with
print_r($_SESSION);
I get the output
array()
i.e. nothing in the session variables.

the other strange thing is that I am using the variable $username in several places in the code on the second page (as part of a welcome message and within queries to set other variables) this is working fine.
Where is it getting the information for this $username variable from if not from the session?

I am really confused by it all - if any can help I would be very grateful - thanks

stolzyboy

put your session_start(); as the first line of code in your document

also, are you certain you are getting results back from your query to fill those session variables

and if there is nothing filling $username besides the session on the second page... it has to be the session doing it...

you should echo out each one, like $_SESSION['username'], etc...

not just the print_r

what does that do?

travelbuff

Hi ejwf:

stolzyboy made some good comments that I want to expand on a bit.

Where are the variables $username and $password coming from? If from a form, you REALLY need to use $POST['username'] and $POST['password'] for securities sake. If you want to know why take a look here.
The query looks fine, though I would certainly add an OR DIE ('could not access DB to verify username & password' . MYSQL_ERROR()); . That is just good programming practice and can save debugging headaches.

For debugging purposes, I suggest adding some code after issuing the session_start() and registering the session variables. Something like this would be helpful:

// start the session, register the values and redirect 
session_start(); 
         $_SESSION['password'] = $row[1]; 
         $_SESSION['username'] = $row[2];     

         $_SESSION['UserId'] = $row[0];
  //check and see if the session started 
  $sid = session_id();
    if ($sid) {
      echo ' The session ID is ' . $sid;
        //snoop the cookie info
       $cookie_info = session_get_cookie_params();
       echo ' <br> The cookie info is: ' . $cookie_info;
    } else {
      echo ' cannot retrieve session id';
    }
  //the cookie is set, let's test the variables 
  if (isset($_SESSION['username'])) {
   echo '<br> session user name is ' . $_SESSION['username'];
  } else {
   echo '<br>session username is not set';
  }
//repeat for other variables

Obivously, you will have to comment out any header() you may have.
This will tell us if everything is working as expected. After we know what is going on, we can remove this extraneous code and have the script do whatever we really intended it to.

BTW, this makes a handy function. I have it written into debug_session() and I include and call it whenever I first publish a page using session data, then go back and remove it. Doesn't take much time and beats the hell out of pulling your hair out troubleshooting.....

HTH,

ejwf

firstly I want to thank you guys for your reply, especially travelbuff for possibly the most comprehensive reply I've ever received on one of these forums.
however i must admit your reply has brought me to another problem ......... or is it the solution and I just don't know it

I have added your trouble shooting code after starting the sessions and when I run the code it comes up with the error message
Fatal error: Call to undefined function: escape_data()
for the line where I set the variable $username from the form results (this is earlier in the code as part of several checks performed on the information put in the form by the users and comes before the session start() ) ;

if (eregi ("^[[:alpha:].' _-]{2,60}$", stripslashes(trim($_POST['username']))))
{
$username = escape_data($_POST['username']);
}
else
{
$username = FALSE;
echo '<p><font color="red"> Please enter valid Username</font></p>';
}

any thoughts ?

many thanks

travelbuff

ejwf:

Thanks 🙂

Fatal error: Call to undefined function: escape_data()
means that you did not define the function before calling it. escape_data is a user-defined function, not a built in function. I think I recognize it from a PHP/MYSQL book I have. Anyhow...you need to either define the function or remove the reference to it from the code:

$username = $_POST['username'];

On another note:

if (eregi ("^[[:alpha:].' _-]{2,60}$", stripslashes(trim($_POST['username']))))

Personally, I don't validate usernames before authenticating them. I understand that some argue that this adds an extra layer of security, but it seems a bit more of a hassle than it is worth to me. Some others here may disagree.

If that was my code, it would look something like this:

 if ($_POST['username']) 
{ 
$username = $_POST['username'] ; 
} 
else 
{ 
$username = FALSE; 
echo '<p><font color="red"> Please enter valid Username</font></p>'; 
}

Not as elegant but will do the job and a lot less resource intensive, IMHO....

ejwf

thanks travelbuff,
I have taken the escape_data() out of the code and no more error message.
(I have left the security validation part of the code in - it is already there and I might as well keep it if it isn;t affecting how the code works !)
But I think we might have found the fundamental problem of why all the pages of my code aren't working.

I thought it was because the session variables weren't being carried forward, but I think it is more because it isn't picking up the username & password information from the database in the first place and when I try queries dependant on this information they don't work.

this is the whole page of code I have

	<?php 
if (isset($_POST['submit']))// Check if the form has been submitted
{
require_once ('../connect.php');//connect to the database     

//check username is in correct format
if (eregi ("^[[:alpha:].' _-]{2,60}$", stripslashes(trim($_POST['username']))))
{
$username = $_POST['username'];
}
else
{
$username = FALSE;
echo '<p><font color="red"> Please enter valid Username</font></p>';
}
 // check user name has been entered
if (empty($_POST['username']))
{
$username = FALSE;
echo '<p><font color="red"> You forgot to enter your username.</font></p>';
}
else
{
$username = $_POST['username'];
}

// check password is in valid format
if (eregi ("^[[:alnum:]]{4,80}$", stripslashes(trim($_POST['password']))))
{
$password = $_POST['password'];
}
else
{
$password = FALSE;
echo '<p><font color="red"> Please enter a valid password</font></p>';
}

// check password has been entered
if (empty($_POST['password']))
{
$password = FALSE;
echo '<p><font color="red"> You forgot to enter your password.</font></p>';
}
else
{
$password = $_POST['password'];
}

if ($username && $password)	 // everything is OK
{			// query the database
$query = "SELECT UserId FROM tblUser                      

          WHERE CLogIn='$username'
          AND CPass=PASSWORD('$password')";		 
         $result = @mysql_query($query)
        OR DIE ('could not access DB to verify username & password' . MYSQL_ERROR()); 
         $row = mysql_fetch_array ($result, MYSQL_NUM);

if ($row)  // username and password match database records   

 {
 // start the session, register the values and redirect
		session_start();
         $_SESSION['password'] = $row[1];
         $_SESSION['username'] = $row[2];	 
         $_SESSION['UserId'] = $row[0];
//check and see if the session started 
  $sid = session_id(); 
    if ($sid) { 
      echo ' The session ID is ' . $sid; 
        //snoop the cookie info 
       $cookie_info = session_get_cookie_params(); 
       echo ' <br> The cookie info is: ' . $cookie_info; 
    } else { 
      echo ' cannot retrieve session id'; 
    } 
  //the cookie is set, let's test the variables 
  if (isset($_SESSION['username'])) { 
   echo '<br> session user name is ' . $_SESSION['username']; 
  } else { 
   echo '<br>session username is not set'; 
  } 
//repeat for other variables
 if (isset($_SESSION['password'])) { 
   echo '<br> session password is ' . $_SESSION['password']; 
  } else { 
   echo '<br>session password is not set'; 
  } 
   if (isset($_SESSION['UserId'])) { 
   echo '<br> session user id is ' . $_SESSION['UserId']; 
  } else { 
   echo '<br>session user id is not set'; 
  } 

// header ("Location:http://www.***.com/***/equipment.php");

}
else			// no match was made
{
echo '<p><font color="red">The Username and Password you entered do not match those on file.</font></p>';
}

}
else		              // if everything wasn't OK
{
echo '<p><font color="red">Please try again</font></p>';
}

}

include ('header.php');

?>

<h1><font face="Arial, Helvetica, sans-serif"><img src="images/page.jpg" width="134" height="50" align="middle"> 
  Login</font></h1>
<form action="" method="post"> /* I have taken out the form action to test the variables */
  <fieldset><legend><font face="Arial, Helvetica, sans-serif">Please Enter Your 
  Information Below;</font></legend> 
  <p><font face="Arial, Helvetica, sans-serif" size="3"><b>Username:</b> 
    <input type="text" name="username" size="30" maxlength="60" value="<?php if(isset($_POST['username'])) 
	echo $_POST['username'];?>" /></font>
	<p><font face="Arial, Helvetica, sans-serif" size="3"><b>Password:</b> 
    <input type="password" name="password" size="30" maxlength="60" />
    </font></p><br>

<div align="center"> <input type="submit" name="submit" value="Submit" /></div>

</form>

when I run this code I get the error message ;
The Username and Password you entered do not match those on file.
which is the error massage I put in as the else of the statement if ($username && $password) // everything is OK

I know I am inputting the right username and password, exactly as I have it in the database, I have tried it for password that are encrypted and not encrypted - still doesn't work

I am not sure if this is a php code problem or MySQL problem now, but if you have any ideas I'd be very grateful.........

thanks

travelbuff

Sorry to leave you hangin' for a day or two...

Hmmm...I would take all of the username and pwd validation out of the script for now, you can always uncomment it later, one piece at a time.

The Username and Password you entered do not match those on file.
which is the error massage I put in as the else of the statement if ($username && $password) // everything is OK

No, it is the } else { for if ($row) {, meaning that there were no results to return from the db. We put an OR DIE message so we can assume that we areable to connect and run the query, it just isn't returning any matches. Do you have phpmyadmin or shell access to the server? You could try running the query from the command line and see what you get.

Also, If I were writing the SELECT query it would look like this:

$query = "SELECT UserId FROM user                       

          WHERE LogIn='$username' 
          AND Pass=PASSWORD('$password')";         

         $result = @mysql_query($query)

I am not sure if propending the table name with tbl and column name with c is correct and allowable or not. I have never seen it before though...what platform are you running on?

ejwf

thanks travelbuff,

I have commented out all of the username and password validation code
still get same results, so I assume that this part of the code isn't affecting / causing the problem, I'm leaving it commented out, like you say i can re-introduce it once the problem is solved.

First thing to say is that the guy who built the database has called the table 'tblUser' and the field are called 'CLogIn' / 'CPass' etc. so I am following these names exactly.

I have access to PHPMyAdmin, but to be honest I can 'read' what it says there but I'm not familiar with exactly how it works.
However, I have run the following codes in the sql tab and found some interesting results;

By the way the tblUser contains the members of the beatles for testing purposes!

SELECT UserId FROM tblUser WHERE CLogIn = 'John.Lennon' AND CPass = PASSWORD( 'happiness ');
says that 'Your SQL-query has been executed successfully' but doesn't acutally return any results.

SELECT * FROM tblUser WHERE CLogIn = 'John.Lennon' AND CPass = PASSWORD( 'happiness ');
says that 'Your SQL-query has been executed successfully' but doesn't acutally return any results.

SELECT * FROM tblUser WHERE CLogIn = 'John.Lennon' ;
shows the row containing all the fields for this username.

From this I think my problem lies with the password.

So I have tested it with a non-encrypted password;
SELECT * FROM tblUser WHERE CLogIn = 'Paul.McCartney' AND CPass = 'vegetarian';
and it showed the expected row for the username.

So I took PASSWORD() out of the php code and ran with Paul.McCartney and it (sort of) worked.

I moved on to the session section of the code but now got the jumbo error message;

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /////***/connect.php:20)

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /////***/connect.php:20)

which I know is because there is code prior to the session_start(), but how do I get around this because I need to connect to the database first, and then verify the login information before i start the session (don't I?)

but then, the good news......
I also get the following output;

The session ID is c715eda3b5f0a568a5669337912415b8
The cookie info is: Array
session user name is Paul.McCartney
session password is vegetarian
session user id is 2

all is what i would expect, apart from cookie info is: Array , should this not show the information contained within the array?

So travelbuff, couple of questions if you don't mind.........

Is the cookie information Array part of the code correct? Is this what you would expect from your code? Or is it because of 'Cannot send session cookie - headers already sent' ?

How do I get around the part of the code to start the session and set the session variables in the correct order so that I avoid 'Cannot send session cookie - headers already sent / Cannot send session cache limiter - headers already sent '. ?

Once I get all this working (!) how can I re-introduce PASSWORD() into the code - I need the information to be as secure as possible and to maintain database integrity, as although the information contained in the database (when we go live) isn't going to be ultra-sensitive I still need to make sure it is all well safeguarded.

a million thank yous

Weedpacket

Originally posted by travelbuff
Personally, I don't validate usernames before authenticating them. I understand that some argue that this adds an extra layer of security, but it seems a bit more of a hassle than it is worth to me.

I'll keep that in mind if I ever come across a site you've written: it will have a guaranteed SQL insertion vulnerability. 🙂

Originally posted by travelbuff
Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /////***/connect.php:20)

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /////***/connect.php:20)

What exactly is line 20 of connect.php? What's happening here is that something is being sent out to the client before the session_start() is called. Do you need to verify the login before you start the session (or can you (re)start a session before doing user validation)? Does the database connection code need to generate any output?

ejwf

OK, quick up-date on where I am now.

1) through trial and error I have changed the order in which I am calling different bits of the code, so I have got rid of the 2 Warning: session_start(): error messages. I now start the sessions before I connect to the database, then I run the query - it all seems to work OK.

2) I know that the username session variable is being taken over to page 2, because I can echo $username in the welcome message in the code. HOWEVER, it stops there, it doesn't come over onto the the 3rd page. I need the $username information to perform more queries in the code on the 3rd page to INSERT results into the database.

My questions are;

because I am using the variable $username (as opposed to $SESSION[username]) in the code in the 2nd page, is this re-setting the variable? Is this why is the sessions aren't working?
Having said this, I have replaced all the $username in the code with $SESSION[username] but then the queries dependent on this variable don't work - no error message, just no results returned. But is this just because I haven't got the correct syntax for the variable?

how can I test the session variables all the way through the code? I have added in
print_r($_SESSION);
but I get Array () as the output - so I know there is nothing there.

I want to get to a point where I know that the username is set as a session variable at the point the user enters it via the login form. Then I take this information and use it for a number of queries, on the second page show another user entry form based on information taken from the database, then on the thrid page take the information from this form, perform yet more queries based on the username (!) and add the results of the form into the database - I know what I want to do and I reckon I have got the code to do it, I just cannot get the username to carry forward across all the pages............ HELP!

ejwf

Just to let you know that I'm closing this thread down, not that the problem has been solved, but I have approached the way i am writing my code from a different direction and I can get it to work as I want it to up to a point......... i am sure that real coders would cringe if they saw the code, but hey I'm nearly there !
I do still have another problem - now a form problem instead of a session problem ! - so I will be starting up a new thread "form results not working" if you fancy taking a look.

thanks to all who have helped so far ........