Session Variables

bmandrews81

PHP version 5
Database is Oracle XE

I am working on an authentication page and am experiencing problems accessing $_SESSION[‘foo’] variables.

My login script runs a select statement against the database and confirms that the username and password are legit. If they are then I assign variable names to the table columns in the user table, then start the session and assign $_SESSION[“var”} to all those variables.

So the select statement pulls the values USERID, ROLE_ID, FNAME, LNAME, EMAIL, USERNAME, PASSWORD and the values of those columns are assigned to $USERID, $ROLES, $FNAME, $LNAME, $EMAIL, $USERNAME, $PASSWORD and then the session vars are assigned by $_SESSION[“userid”] = $USERID, etc…

This action is being done by a script that lives in the “includes” folder of the server. The username and password are passed to this script by a POST from a form in index.html of the site.

I have no problem with everything just described except that in my login script if everything passes then I am using header(“Location” http://myserver/launch.php”) to redirect the user to a page where they can do whatever they do.

If I comment out the header function and just echo all the $SESSION variables they work. I can even assign $foo = $SESSION[“FOO”] and echoing $foo works. As long as I am on the login script page I can access all the variables. Once I do the header function its like all the $_SESSION vars go away.

The launch.php page has an if test to check for session_id by “if (session_id() != “”) { echo out some of the $_SESSION vars.}” but the session_id is always “”.

I tried issuing the function session_start() before echoing the vars and it tells me a session has already been started.

Is there something with the header function that destroys the session?

Rodney_H_

Can you post your login script and the launch.php file?

bmandrews81

Authentication form:

<form action="includes/user_login_action.php" method="post">
<table border="1" align="left">
<tr><td class="blackBoldTen">Login Here</td></tr>
<tr>
<td class="blackBoldTen">Username: <input type="text" name="username"></td>
</tr>
<tr>
<td class="blackBoldTen">Password: <input type="password" name="password"></td>
</tr>
<tr>
<td><input type="submit" name="submit" value="Log In" class="blackBoldTen"></td>
</tr>
</table>
</form>
</td>
</tr>
</table>
</body>
</html>

USER_LOGIN_ACTION Page:

<?php
if(isset($POST["submit"])) {
if(strlen(trim($POST["username"])) > 0) {
if(strlen(trim($_POST["password"])) > 0) {
require("db.inc.php");
$c = @db_connect();

		$q = "SELECT EMPID, ROLE_ID, USERNAME, PASSWORD, FNAME, LNAME, EMAIL FROM EMPLOYEE WHERE ";
		$q .= "username=" . "'" . htmlspecialchars(addslashes($_POST["username"])) . "'" . " AND ";
		$q .= "password=" . "'" . sha1($_POST["password"]) . "'";
		$s = ociparse($c, $q);
		if (!$s){
			die("Database troubles</body></html");
		}
		ociexecute($s, OCI_DEFAULT);
		ocifetch($s);
		$EMPID = ociresult($s, "EMPID");
		$USERNAME = ociresult($s, "USERNAME");
		$PASSWORD = ociresult($s, "PASSWORD");
		$FNAME = ociresult($s, "FNAME");
		$LNAME = ociresult($s, "LNAME");
		$EMAIL = ociresult($s, "EMAIL");
		$ROLE = ociresult($s, "ROLE_ID");

		if (addslashes($_POST["username"]) == $USERNAME and sha1($_POST["password"]) == $PASSWORD)  {
			if (sha1($_POST["password"]) != $PASSWORD) {
				echo "Password incorrect!";
				exit;
			}
			if ($_POST["username"] != $USERNAME) {
				echo "Username incorrect!";
				exit;
			} else {

			oci_close($c);
			session_start();
			session_regenerate_id();
            $_SESSION["EMPID"] = $EMPID;
            $_SESSION["USERNAME"] = $USERNAME;
            $_SESSION["PASSWORD"] = $PASSWORD;
            $_SESSION["FNAME"] = $FNAME;
            $_SESSION["LNAME"] = $LNAME;
            $_SESSION["EMAIL"] = $EMAIL;
            $_SESSION["ROLE"] = $ROLE;

           // echo "this is the empid " . $_SESSION["EMPID"];
           // echo "<br />";
            //echo "this is the username " . $_SESSION["USERNAME"];
			//$fname = $_SESSION["FNAME"];
			//echo "Me FIRST name is " . $fname . "<br />";
			header("Location: http://myserver/ctcadp/launch.php");

		}
		}
	else {
		echo "Login failed please try again. ";
	}
} else {
 echo " You must enter a password.";
}
} else {
	echo "You must enter a username. ";
}

}
?>

Include file new_header for launch.php:

<?
session_start();
if (session_id() != "") {
$fullname = $SESSION["FNAME"] . " " . $_SESSION["LNAME"];
}

if (!empty($fullname)) {
  echo "Welcome " . $fullname;
} else {
	echo "Welcome Guest User";
}

?>

Launch.php Page:

<?
session_start();
$title = "CTC ADP Listings";
include_once('includes/new_header_top.php');
include_once ("includes/adp_nav.php");
?>
<div id="launch">
<ul>
<li><b>ADP</b> - Provides options to browse and search for ADP equipment and related items.</li>
<li><b>SUPPLIES</b> - Provides options to browse and search for ADP Supplies.</li>
<li><b>SOFTWARE</b> - Provides options to browse and search for software used by CTC.</li>
<li><b>HELPDESK</b> - Provides a form to make a request for help and access to CTC FAQ's.</li>
</div>
</body>
</html>

This is the error I get when I log in.

Notice: A session had already been started - ignoring session_start() in /usr/local/apache2/htdocs/ctcadp/includes/new_header_top.php on line 2

Notice: Undefined index: FNAME in /usr/local/apache2/htdocs/ctcadp/includes/new_header_top.php on line 4

Notice: Undefined index: LNAME in /usr/local/apache2/htdocs/ctcadp/includes/new_header_top.php on line 4

bmandrews81

My original question is still a mystery but I was able to work around it by including the user_login_action.php file into the launch page. In my index.php file form I used <form action=launch.php method=post> instead of <form action=includes/user_login_action.php method=post>

At the top of launch.php I have <? include('includes/user_login_action.php') ?>

I used $fullname = $SESSION["FNAME"] . " " . $SESSION["LNAME"]; as my variable for the full name of the user that is displayed at the top of each page through the new_header_top.php file. I also had to repeat that code at the top of each page so it would be available each time new_header_top.php was included in a file.

Rodney H graciuosly cleaned up my user_login_action page resulting below. Thanks Rodney.

<?php
// start session
session_start();

// if submit variable doesn't exist
if(!isset($_POST['submit']))
{
    // redirect to index and exit
    header('Location: http://myserver/index.php');
    exit;
}

// if username OR password were not set
if(!isset($_POST['username']) || !isset($_POST['password']))
{
    echo 'Please enter a username and password.';
    exit;
}

// else, process user input:
else {
    $user = htmlspecialchars($_POST['username']);
    $user = addslashes($user);
    $pass = sha1($_POST['password']);

}

// begin connection
$db_info = require('db.inc.php');
$connect = @db_connect();

// Query statement
$query = "SELECT EMPID, ROLE_ID, USERNAME, PASSWORD, FNAME, LNAME, EMAIL";
$query .= " FROM EMPLOYEE WHERE username='" . $user . "'";
$query .= " AND password='" . $pass . "'";

// Prepare Oracle statement for execution
$resource = ociparse($connect, $query);

if (!$resource)
{
    echo 'Database troubles';
    exit;
}

OCIExecute($resource, OCI_DEFAULT);
$nrows = oci_fetch_all($resource, $results);

// if no results
if ($nrows == 0)
{
    echo 'Login failed please try again.';
    exit;
}

// else there was a result
else {
    // fetch columns from selected row
	ocifetch($resource);
			$EMPID = ociresult($resource, "EMPID");
			$USERNAME = ociresult($resource, "USERNAME");
			$PASSWORD = ociresult($resource, "PASSWORD");
			$FNAME = ociresult($resource, "FNAME");
			$LNAME = ociresult($resource, "LNAME");
			$EMAIL = ociresult($resource, "EMAIL");
			$ROLE = ociresult($resource, "ROLE_ID");
	//assign session variables.
                $_SESSION["EMPID"] = $EMPID;
                $_SESSION["USERNAME"] = $USERNAME;
                $_SESSION["PASSWORD"] = $PASSWORD;
                $_SESSION["FNAME"] = $FNAME;
                $_SESSION["LNAME"] = $LNAME;
                $_SESSION["EMAIL"] = $EMAIL;
                $_SESSION["ROLE"] = $ROLE;
$fullname = $_SESSION["FNAME"] . " " . $_SESSION["LNAME"];
$role = $_SESSION["ROLE"];
}
?>