Sessions Nightmare - Can't get them to work

hbradshaw

Hello:

I'm ready to throw something out a window.

I have a login script which starts a session. I am able to login successfully. To see if the session is working, someone suggested I open another browser window and try to access a page in the secure area. I was told if I couldn't open the page, then the sessions were working. Well, I did that and I am able to view the page which tells me, I guess, that sessions aren't working.

I have done a lot of reading on sessions and everyone has their own programming method of doing it. I think with all the reading I'm spinning my wheels in circles and I'm not sure where things are broken.

First, can someone help me troubleshoot my sessions issue? Secondly, if someone can provide me with a really in depth tutorial that brings you from beginning to end in working with sessions, it would be greatly appreciated?

For now, I've posted my login script since this is where the session variables are set. I will paste more code as it is needed.

To try out for yourself, go to this URL:
http://www.bridgemilltennis.com/testing.htm.

Username: bill
Password: plane

Thank you so very much in advance. I'm losing my mind here.

Here's the code:

<php>
<?php
session_start();
include "conn.inc.php";
switch($_REQUEST['req'])
{
case "validate":

$validate = mysql_query("SELECT * FROM member WHERE
username = '{$POST['username']}' AND password = md5('{$POST['password']}')") or
die (mysql_error());

if (mysql_num_rows($validate) == 1)
{
while($row = mysql_fetch_assoc($validate))
{
$SESSION['login'] = true;
$SESSION['memberid'] = $row['memberid'];
$SESSION['first_name'] = $row['first_name'];
$SESSION['last_name'] = $row['last_name'];
$SESSION['email'] = $row['email'];
$SESSION['phone1'] = $row['phone1'];
$SESSION['phone2'] = $row['phone2'];
$SESSION['username'] = $row['username'];
$_SESSION['password'] = $row['password'];

$login_time = mysql_query("UPDATE member SET last_login=now() where memberid='{$row['memberid']}'");
}
header("Location: http://www.bridgemilltennis.com/members/secure/member-area-main.htm");
}
else
{
header("Location: http://www.bridgemilltennis.com/members/secure/login_form.php");
exit;
}
break;
}
?>
/php
Thank you so very much in advance

paulnaj

Hi,

Here's my simple test to see if sessions are working on a server 'as expected' ...

<?php
session_start();

if(isset($_GET['do'])){
	if($_GET['do'] == 'create'){
		// Just set a default value
		$_SESSION['counter'] = 1;

} else if($_GET['do'] == 'inc'){
	$_SESSION['counter']++;
} else if($_GET['do'] == 'dec'){
	$_SESSION['counter']--;
} else if($_GET['do'] == 'kill'){
	// Remove from array
	unset($_SESSION['counter']);
}
} 
?>
<html>
<head><title>Test Session</title></head> 
<body> 
<?php 
if(!isset($_SESSION['counter'])){ 
?>
	<hr><a href="<?php echo $_SERVER['PHP_SELF']; ?>?do=create">Create</a> counter.
<?php 
} else {
?>
	<hr><a href="<?php echo $_SERVER['PHP_SELF']; ?>?do=kill">Kill </a> counter.
	<hr><a href="<?php echo $_SERVER['PHP_SELF']; ?>?do=inc">Increment</a> counter.
	<hr><a href="<?php echo $_SERVER['PHP_SELF']; ?>?do=dec">Decrement</a> counter.
<?php 
}
?>
<hr><strong>_SESSION</strong>: <pre><?php print_r($_SESSION); ?></pre></hr>
</body> 
</html>

See how you get on with this first.

Paul 🙂

hbradshaw

Hello,

Thank you for the reply.

I used your script to test sessions and yes it did work properly.

At least, I guess, that sessions are working on the server.

Where should I go from here?

paulnaj

Hi again,

Sorry ... first chance to get back to you.

OK, so the 'sessions' issue is now completely out of the way.

The next thing to do is to establish exactly how you intended to implement the authorisation. It's not actually clear from your test site so I think it will be better all round if you try and describe exactly what you were hoping to achieve.

In the end, it might need starting again. :queasy:

Paul

hbradshaw

Hi,

Thank you for replying. I'll be more than happy to explain a bit further.

The website with which I'm working is for a tennis club. The director wants a section of the website to become a Member Only Area. There will be information that the general public doesn't need to know.

I'm placing all files related to the Member Only Area in directories: /members/secure.

After a person logs in from the home page, they will be brought to the secure area. If the login is incorrect, they won't go anywhere except to try logging in again.

So, I'm not sure if this really involves sessions or a method of restricting access to directories. Maybe it's a combination of both.

I'm just not sure which way to go. I did do a lot of reading on the internet and in books. And, everyone has their own methods or philosophies on how to approach things, which is ok. Though, for a person just beginning it can be a bit confusing.

If you have any suggestions on how I can make the files within these directories, /members/secure, restricted to the people who are not members would be oh so greatly appreciated?

Thank you for all your time and help. And, if I need to revisit and rework stuff, I'm cool with that. Sometimes in order to get things done correctly, you need to invest the time.

🙂 🙂

visualAd

Sessions don't deny users access to certain parts of your site.

You can prevent access to anything under a certain directory by placing a .htaccess file in the dreictory with the following line:

Order allow,deny
Deny from all

Once you have done this only PHP scripts will have access to files under that directory. So once you have authenticated the user you will need to use PHP to fetch the file / files you need. You can do this by using PHP's file handling functions.

paulnaj

Hi,

visualAd suggests a really easy option ... but only if the host allows to implement .htaccess files.

So, next questions:

Do you know whether your host is running apache or .net or what?
Do you have access to a control panel for the site?

Paul 🙂

hbradshaw

Hello:

The answer to both of your questions is yes.

Helen 🙂

visualAd

If you do use a .htaccess file then you should think carefully about which content you want to protect.

You will also need a PHP script which is responsible for gettting the data from that directory. For example you could put the file name in the query string:

[url]http://www.mysite.com/secure_access.php?file=filename.jpg[/url]

This isn't too complicated but you will need to put some thought and planning into it first. 😉