Hi there,

I'm pretty new to PHP, but had a friend help me with fixing up my basic code. I've got a website which has a login feature, and we've FINALLY got the login and logout working, using the session variable and calling to a database of members. The home page is called "index.php", and when a user logs in, the only information that changes is the welcome message up the top, but they're still on the same page.

The problem occurs AFTER you log in. If you do any of the following, the website destroys the session variable and returns you to 'Guest' status:

  1. Refresh the page (index.php) - by manually clicking in the address bar and hitting Enter again.
  2. Click on any link that has a href value of "index.php" (e.g. the 'Home' link on the navigation bar, or the store logo in the corner of the page).

We've used the following two lines of code to DELIBERATELY erase the session:

$_SESSION = array();
session_destroy();

... in ONLY two places. Firstly, what I'll call the logout clause (where the user has logged in and then clicks the logout button). Secondly, before the user logs in again - it's set to wipe the session to ensure that they're starting from scratch, then resets all session variables.

We've echoed different error messages all over the place to determine how it's destroying the session, and it's not going to EITHER of those places mentioned above.

Is this - the spontaneous destruction of a session upon renavigating to a page that has a login script in it, after logging in - a peculiarity with PHP, or is there something wrong with our code? (I'd put it in here, but there's a whole lot of unnecessary HTML stuff that'd take too long to remove.)

On the technical side, I'm using the following:

  • Apache 2.0.52
  • MySQL 4.0.21
  • PHP 4.3.9

Would really appreciate feedback ASAP, this project is due next week. 0_o;;

Thanks!

~Bec

    There's only one page so far, index.php, and yes, it has session_start(); at the top of the page, before even the <html> declaration.

      Hi,

      please post the session settings (php.ini). You can post the complete script as attachment (limit: 102400 bytes). Just post the script as it is.

      Thomas

        I get the distinct feeling this is bad programming style, but we haven't GOT a 'php.ini' file. All the settings are located in 'index.php' or the 'global_variables' file. I'd post up the latter, but I'm not sure that's what you're after - all we've got in there is the dbhost, dbusername, dbpasswd and database_name variables to set up the connection.

        The connection isn't the problem, though.

        I will post the entire index.php file as an attachment.

        And apologies in advance for the messiness of the code - most of it was generated by Dreamweaver/Fireworks because we used a sliced image to create the HTML, so it's... very hard to read. -_-;;

          Another way to get the session settings:

          Create a script containing

          <?PHP
          phpinfo();
          ?>

          The output should contain a section with the session settings. Additionally, there should be a line near the top of the output which shows the directory where php expects php.ini to be. I'd recommend to have a php.ini file.

          I'll look over the script now 🙂

          Thomas

            Turns out I DO have a php.ini file, I just wasn't aware of it. I still don't know what it does, but I hope you do. Have attached it as a text file!

              Also, I've made a cleaner version of the index.php file as well - removed everything except the php code at the start and the HTML for the form itself.

              Attached as a text file.

                Ok,

                just to test that sessions work at all:

                <?PHP
                  session_start();
                  $cnt = 0;
                  if (!isset($_SESSION['sess_cnt'])) {
                    $_SESSION['sess_cnt'] = $cnt;
                  } else {
                    $cnt = $_SESSION['sess_cnt'];
                    $_SESSION['sess_cnt']++;
                  }
                ?>
                <html>
                <head>
                </head>
                <body>
                <a href="<?=$_SERVER['PHP_SELF']?>"><?=$cnt?></a>
                </body>
                </html>
                

                The number displayed should increment each time you follow the link.

                Thomas

                  Hi,

                  I was partly able to reproduce the problem. Remove the session_destroy() line (in the 'process' part of the script, not in the 'logout' part) and check if that solves the problem.
                  I modified the code I posted in my last post a little bit. If I change part of the code to:

                    } else {
                      $cnt = $_SESSION['sess_cnt'];
                      $cnt++;
                      $_SESSION = array();
                      session_destroy();
                      $_SESSION['sess_cnt'] = $cnt;
                    }
                  

                  the session will NOT contain the incremented value afterwards. So using $_SESSION after session_destroy() in the same script doesn't seem to store the new value in the session (session_destroy() seems to destroy the session for the rest of the script).
                  Just using $_SESSION = array(); without session_destroy solves the problem.

                  EDIT: To completely destroy the session you need to kill the cookie, too. Read session_destroy to get more info.

                  Thomas

                    Originally posted by tsinka
                    The number displayed should increment each time you follow the link.

                    Thomas

                    The first time I clicked on it, I got 0, but after that it started incrementing correctly.

                      So you loaded the page and it displayed 0. You clicked on the link the first time and it displayed 0, too ?

                      Thomas

                        Originally posted by tsinka
                        I was partly able to reproduce the problem. Remove the session_destroy() line (in the 'process' part of the script, not in the 'logout' part) and check if that solves the problem.

                        Whoa, thank you, that did indeed fix the problem! 😃

                        Originally posted by tsinka
                        EDIT: To completely destroy the session you need to kill the cookie, too. Read session_destroy to get more info.

                        Will do. I've been looking into using cookies to store the username and password as well (because I wasn't sure whether or not this problem could be solved) - do you think it's still a good idea to use cookies as well as the session variable to do this?

                          Originally posted by tsinka
                          So you loaded the page and it displayed 0. You clicked on the link the first time and it displayed 0, too ?

                          Thomas

                          Precisely. Was it meant to increment from the first click onwards?

                            I've been looking into using cookies to store the username and password as well

                            Don't use cookies to store confidential data like passwords. That's a security risk.
                            However, storing passwords in the session can be dangerous, too, if PHP is set up in a way that it stores session data to a folder that anyone can read. I'd suggest never storing a password in sessions/cookies (especially if you store it unencrypted). The password itself should only be necessary to authenticate users, so there's no need to store the password in the session.

                            Generally: Don't store more data in a session than you really need. If you want to have e.g. the feature "remember my login" then store e.g. the userid (maybe encrypted) in a cookie and check if that cookie exists if a user revisits.

                            Precisely. Was it meant to increment from the first click onwards?

                            It did so on the both servers I tested the script on ... it should increment the counter with the first click. You wrote that removing session_destroy() solved the initial problem. I'd not worry too much about that little test script, as long as no other session problems occur.

                            Thomas

                              Originally posted by tsinka
                              The password itself should only be necessary to authenticate users, so there's no need to store the password in the session.

                              Heh. I hadn't really thought about that, but now that you mention it - will remove the password.

                              Many thanks for all the help! 🙂

                                For those who didn't quite follow:

                                Two ways to solve the problem.

                                One was to get rid of the session_destroy(); call in the 'process' block.

                                The other, which SHOULD have occurred to me when I first checked the code (and which I eventually ended up using) was to leave the destroy call in, but to add AFTER it: session_start(); again.

                                Pretty obvious, but it was killing the session and then expecting a new one to be created automatically. Which doesn't happen, obviously.

                                So! Stupidity solved. 😃
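The following is an added example, not the original poster's index.php nor Thomas's test script. It pulls together the two points the thread settled on: the 'process' branch resets the session by emptying $_SESSION (and rotating the id) instead of calling session_destroy(), so the session is still alive for the rest of the request and survives a refresh or a click on 'Home'; session_destroy() is kept only in the logout branch, together with expiring the cookie as the session_destroy manual page describes; and only the member id is stored in the session, never the password. It assumes PHP 7 or later (password_hash/password_verify, PDO with SQLite) and a constructed in-memory "members" table with one seeded user; the real site used MySQL on PHP 4.3.9, and the thread's other fix (calling session_start() again straight after session_destroy()) is not shown here.

```php
<?php
// Added example (not the thread's code). Assumes PHP 7+ with PDO SQLite.
session_start();

// Constructed in-memory database standing in for the real members table.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$seed = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
$seed->execute(array('bec', password_hash('example-password', PASSWORD_DEFAULT)));

// Returns the member id on success, false otherwise. The password is only
// compared here; nothing later in the script needs it, so it is never stored.
function authenticate(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT id, password_hash FROM members WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row && password_verify($password, $row['password_hash'])) {
        return (int) $row['id'];
    }
    return false;
}

// The 'process' branch: start the login from a clean slate. Emptying the array
// and rotating the id is enough. session_destroy() here would leave the session
// dead for the rest of this request, which is what sent every following page
// load back to 'Guest'.
function begin_member_session($user_id)
{
    $_SESSION = array();
    session_regenerate_id(true); // fresh id so the pre-login id cannot be replayed
    $_SESSION['user_id'] = $user_id;
}

// The 'logout' branch: the only place session_destroy() belongs. Clear the
// data, expire the cookie, then destroy the server-side record.
function end_member_session()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

$action  = isset($_POST['action']) ? $_POST['action'] : '';
$message = '';

if ($action === 'logout') {
    end_member_session();
} elseif ($action === 'login') {
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    $user_id  = authenticate($db, $username, $password);
    if ($user_id === false) {
        $message = 'Login failed.';
    } else {
        begin_member_session($user_id);
    }
}

// Any other request (a refresh, the 'Home' link) only reads the session,
// so the login survives navigating back to index.php.
$welcome = isset($_SESSION['user_id'])
    ? 'Welcome, member #' . (int) $_SESSION['user_id']
    : 'Welcome, Guest';
?>
<html>
<head><title>index.php</title></head>
<body>
<p><?php echo htmlspecialchars($welcome, ENT_QUOTES, 'UTF-8'); ?></p>
<p><?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?></p>
<?php if (isset($_SESSION['user_id'])): ?>
<form method="post">
<input type="hidden" name="action" value="logout">
<input type="submit" value="Logout">
</form>
<?php else: ?>
<form method="post">
<input type="hidden" name="action" value="login">
<input type="text" name="username"> <input type="password" name="password">
<input type="submit" value="Login">
</form>
<?php endif; ?>
</body>
</html>
```

Drop this in as index.php under a web server with sessions enabled: log in with the seeded user "bec" and "example-password", then refresh the page or click a link back to index.php and the welcome line stays on the member, because nothing on that path touches session_destroy(); the Logout form is the only route that does.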
