Session problems

shaneH

I hate to post another question about sessions but nothing here seem to address my particular problem.

Here's my code

<?
session_start();
$sid = session_id();

$nerror = "";
$perror = "";

if(isset($_POST['Logout'])){
session_destroy();
}
if(isset($_POST['Login'])){
	$userid = $_POST['userid'];
	$userpass = $_POST['userpass'];

if(!$userid) {
$nerror = "Please enter a valid Username!";
}
if(!$userpass) {
$perror = "Please enter a valid Password!";
}
else {
$userpass = md5($userpass);
}

$location = "localhost";
$username = "ecgc_dbadmin";
$password = "e1c5g0c5";
$database = "ecgc_Press";
$press_db = mysql_connect("$location","$username","$password");

if (!$press_db) die ("Could not connect MySQL");
mysql_select_db($database,$press_db) or die ("Could not open database");

$user_qry = "
	SELECT *
	FROM Users
";

$user_res = mysql_query($user_qry);

while ($user_row = mysql_fetch_array($user_res)){
list( $record_number, $Name, $User_Id, $User_Pass, $Email, $Logs, $admin, $home, $aword, $tracts, $booklet, $gospel, $outlines, $commentary, $reviews, $testimonies, $contact, $directions, $serving, $ecbts, $tvshow, $university, $bible, $recordings, $phone ) = $user_row;
	if($userid == $User_Id){
		if($userpass == $User_Pass){

			session_register('Name'); 
			$_SESSION['Name'] = $Name;
			session_register('User_Id'); 
			$_SESSION['User_Id'] = $User_Id;
			session_register('admin'); 
			$_SESSION['admin'] = $admin;
			session_register('home'); 
			$_SESSION['home'] = $home;
			session_register('aword'); 
			$_SESSION['aword'] = $aword;
			session_register('tracts'); 
			$_SESSION['tracts'] = $tracts;
			session_register('booklet'); 
			$_SESSION['booklet'] = $booklet;
			session_register('gospel'); 
			$_SESSION['gospel'] = $gospel;
			session_register('outlines'); 
			$_SESSION['outlines'] = $outlines;
			session_register('commentary'); 
			$_SESSION['commentary'] = $commentary;
			session_register('reviews'); 
			$_SESSION['reviews'] = $reviews;
			session_register('testimonies'); 
			$_SESSION['testimonies'] = $testimonies;
			session_register('contact'); 
			$_SESSION['contact'] = $contact;
			session_register('directions'); 
			$_SESSION['directions'] = $directions;
			session_register('serving'); 
			$_SESSION['serving'] = $serving;
			session_register('ecbts'); 
			$_SESSION['ecbts'] = $ecbts;
			session_register('tvshow'); 
			$_SESSION['tvshow'] = $tvshow;
			session_register('university'); 
			$_SESSION['university'] = $university;
			session_register('bible'); 
			$_SESSION['bible'] = $bible;
			session_register('recordings'); 
			$_SESSION['recordings'] = $recordings;
			session_register('phone'); 
			$_SESSION['phone'] = $phone;

		}
		else {
		$perror = "Please enter a valid Password!";
		session_destroy();
		}
	}
	else {
	$nerror = "Please enter a valid Username!";
	session_destroy();
	}
}
}
if (isset($_SESSION['Name'])) {

$Name = $_SESSION['Name'];
$User_Id = $_SESSION['User_Id'];
$admin = $_SESSION['admin']; 
$home = $_SESSION['home']; 
$aword = $_SESSION['aword'];
$tracts = $_SESSION['tracts'];
$booklet = $_SESSION['booklet']; 
$gospel = $_SESSION['gospel']; 
$outlines = $_SESSION['outlines']; 
$commentary = $_SESSION['commentary'];
$reviews = $_SESSION['reviews']; 
$testimonies = $_SESSION['testimonies']; 
$contact = $_SESSION['contact']; 
$directions = $_SESSION['directions'];
$serving = $_SESSION['serving']; 
$ecbts = $_SESSION['ecbts']; 
$tvshow = $_SESSION['tvshow'];
$university = $_SESSION['university']; 
$bible = $_SESSION['bible']; 
$recordings = $_SESSION['recordings']; 
$phone = $_SESSION['phone'];
}
?>

To explain all that, in basic, this is the administration side for church web site that has 10,000 plus documents (and growing) that are being made available online. I am attempting to setup access based upon the area that different people oversee. I.e. if you are responsible for outlines and booklets your user entry in the database will have a value of "1" set to the "outlines" and "booklet" fields and a value of "0" set for any other field. I have a separate menu file that is included in order to see a menu item it will first check to see if the session has that item set to a value of "1".

My problem is this, my code works great, but for some reason it will not log me out, technically. My code for determining what is shown looks like so:

if (!isset($Name)){ include('login.php'); } 
if (isset($Name)) { 
include('menu.php');
include('logout.php');

and when I click the Logout button (log out code above) it takes me back to just a login screen but if I then just click the login button without entering a username or password it shows all the menu items I have access permissions for (all 😃 ). Even if I close the browser window and open a new one it still will let me in without typing a username or password.

As you can see I have tried several things in an attempt to stop this, but they don't. I am guessing that some how the session is staying active but what is confusing from my understanding of sessions is that when I set the session_id() so that it will display for me each time, after closing and then opening a new browser window and click login, it was a new id number so I don't know how the browser is getting the the user information and displaying it. I would think that:

if ($userid != $User_Id) {
echo"tuff luck sucker no access";
}

if ($userpass != $User_Pass) {
echo"tuff luck sucker no access";
}

(not real code in the site but basically my code is setup that way)

Any help would be great.

Also, probably my code is a little awkward and bulky so any suggestions to make it more streamlined or dynamic would be welcome as this is the first time I have had to deal with user access permission and hence sessions.

rincewind456

Have you tried

$_SESSION = array();

unset($_SESSION);

shaneH

It's probally just me as I was up late working on this and got up early this morning but I am not sure I understand what you are thinking.

Could you explain further

I went to php.net to research sessions further and found this warning

Do NOT unset the whole $SESSION with unset($SESSION) as this will disable the registering of session variables through the $_SESSION superglobal.

I am not so sure I want to use your method without some futher clarification.

thorpe

In order to log out you need to kill the session and both the methods rincewind456 posted are valid options for doing so.

rincewind456

shaneH wrote:
It's probally just me as I was up late working on this and got up early this morning but I am not sure I understand what you are thinking.

Could you explain further

I went to php.net to research sessions further and found this warning

I am not so sure I want to use your method without some futher clarification.

Okay now I'm confused if you want to end a session why would you want to register anything to the session after you have logged out?

If you had read on a bit further to the user contributed notes you would have seen a number of other ways to end a session.

shaneH

Sorry if I am confusing you but I suspect it is my fault as I am pulling my hair out trying to figure this out.

I have been working with this and I have gotten it to the point that something has to be entered into the username and password form to be loged in, but I can enter anything and get access. I can type "A" for the username and "A" for the password (not a real user or password) and it will let me in. I have also taken and added a second user and now I am getting a really strang occurance. When I try to login as the first user it says I am logged in as the second user it is also the second user that comes up when I enter anything into the username and password fields. I have come to the conclusion that I must be making a mistake in how I am query the database, which is causing all the "session_register" in my code to get the values of the last user in the database but I have no idea why that is happening those values should only be set if $User_Id == $userid and if $User_Pass == $userpass (see code first post).

Any body want to double check my code from first post to see if there is a miskate that might cause this problem.

thorpe
I am killing the session check line #8 from my first post. From what several tutorials and php.net are saying "session_destroy()" should do that. I also tried unset($_SESSION['Name']) neither way will solve the problem if it is what am thinking it is above.

Thanks

rincewind456

Firstly your query needs to be reworked so that you actually check for a user/pass pair, at the moment you retrieve all the records which is entirely unnecessary.

mysql_real_escape_string() has a piece of code considered to be best practice that could be adapted to fit your needs, so replace your query with this

// Quote variable to make safe
function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not integer
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}


// Make a safe query
$user_qry = sprintf("SELECT * FROM Users WHERE User_Id=%s AND User_Pass=%s",
           quote_smart($userid),
           quote_smart($userpass));

you will need to check the field names for user id and user pass.

This should now only return one result set, if it returns more you need to change the database and enforce a unique value on the username field.

So knowing that it should only return one row you can check like so

 
$user_res = mysql_query($user_qry) or die(mysql_error());

$num_rows = mysql_num_rows($user_res);

if($num_rows ==0) { // if no result set in the database
	echo "User and Password combination are incorrect";
} else {

then you can go on to set your session vars like

while ($user_row = mysql_fetch_row($user_res)) {
			foreach($user_row as $key => $val)
			{
				$_SESSION[$key] = $val;
}

Which would do away with the
session_register()[URL] which the manual says

Caution

If you want your script to work regardless of register_globals, you need to instead use the $SESSION array as $SESSION entries are automatically registered. If your script uses session_register(), it will not work in environments where the PHP directive register_globals is disabled.

So your code would now look like this

<? 
session_start();
$sid = session_id();

$nerror = "";
$perror = "";

if(isset($_POST['Logout'])){
// Unset all of the session variables.
$_SESSION = array();


//  destroy the session.
session_destroy();
echo "You are now logged out";
}
if(isset($_POST['Login'])){
	$userid = $_POST['userid'];
	$userpass = $_POST['userpass'];

if(!$userid) {
	$nerror = "Please enter a valid Username!";
}
if(!$userpass) {
	$perror = "Please enter a valid Password!";
}
else {
	$userpass = md5($userpass);
}

$location = "localhost";
$username = "ecgc_dbadmin";
$password = "e1c5g0c5";
$database = "ecgc_Press";
$press_db = mysql_connect("$location","$username","$password");

if (!$press_db) die ("Could not connect MySQL");
mysql_select_db($database,$press_db) or die ("Could not open database");

// Quote variable to make safe
function quote_smart($value)
{
	// Stripslashes
	if (get_magic_quotes_gpc()) {
		$value = stripslashes($value);
	}
	// Quote if not integer
	if (!is_numeric($value)) {
		$value = "'" . mysql_real_escape_string($value) . "'";
	}
	return $value;
}


// Make a safe query
$user_qry = sprintf("SELECT * FROM Users WHERE User_Id=%s AND User_Pass=%s",
quote_smart($userid),
quote_smart($userpass));

$user_res = mysql_query($user_qry) or die(mysql_error());

$num_rows = mysql_num_rows($user_res);

if($num_rows ==0) { // if no result set in the database

	$perror = "User and Password combination are incorrect";

} else {

	while ($user_row = mysql_fetch_row($user_res)) {
		foreach($user_row as $key => $val)
		{
			$_SESSION[$key] = $val;
		}
	}
}
}
if (isset($_SESSION['Name'])) {

$Name = $_SESSION['Name'];
$User_Id = $_SESSION['User_Id'];
$admin = $_SESSION['admin'];
$home = $_SESSION['home'];
$aword = $_SESSION['aword'];
$tracts = $_SESSION['tracts'];
$booklet = $_SESSION['booklet'];
$gospel = $_SESSION['gospel'];
$outlines = $_SESSION['outlines'];
$commentary = $_SESSION['commentary'];
$reviews = $_SESSION['reviews'];
$testimonies = $_SESSION['testimonies'];
$contact = $_SESSION['contact'];
$directions = $_SESSION['directions'];
$serving = $_SESSION['serving'];
$ecbts = $_SESSION['ecbts'];
$tvshow = $_SESSION['tvshow'];
$university = $_SESSION['university'];
$bible = $_SESSION['bible'];
$recordings = $_SESSION['recordings'];
$phone = $_SESSION['phone'];
}
?>

Which also does away with the need to destroy sessions that don't need to be set.

shaneH

Thanks for the help, you managed to show me how, differnet peices of an example I was using, all worked with my situation. The example I have also has a couple mistakes, it appears, and originally to try and fix it I had changed a lot of the code to what I was more familiar with.

I did run into a problem the system will not log me in so I decided to check to see if the md5 passwords were the same by echoing the password and checking it against the one in the database

My password looks like so in the database:

6bde541e3b0caf7b98d2

and like so when generated from the login:

6bde541e3b0caf7b98d21d5d6d88cff1

I even tryed deleting the database entries and registering again and I am still getting a different password. I haven't really sat down and studied MD5 encodding but I must assume that something is changing the password before it is being encoded and I am sure it is not my code. Because before when I was having problems I was echoing the md5 password and it was the same as the database.

Any idea what is happening???

Also isn't this segment:

        while ($user_row = mysql_fetch_row($user_res)) { 
            foreach($user_row as $key => $val) 
            { 
                $_SESSION[$key] = $val; 
            } 
        }

supposed to look like so:

while ($user_row = mysql_fetch_row($user_res)) {
            foreach($user_row as $key => $val)
            {
				session_register('$key');
                $_SESSION[$key] = $val;
            }
        }

Aren't you supposed to register each peice of the session data?

shaneH

Never mind the password problem got it figured out.

rincewind456

shaneH wrote:

Also isn't this segment:

        while ($user_row = mysql_fetch_row($user_res)) { 
            foreach($user_row as $key => $val) 
            { 
                $_SESSION[$key] = $val; 
            } 
        }

supposed to look like so:

while ($user_row = mysql_fetch_row($user_res)) {
            foreach($user_row as $key => $val)
            {
				session_register('$key');
                $_SESSION[$key] = $val;
            }
        }

Aren't you supposed to register each peice of the session data?

No it's not, read the manual entry for session_register() there are cautions all over it you really need to read them and read the extract in my previous post.

The password thing, bet the database field length wasn't long enough 😃 It needs a length of 32 chars.

shaneH

Yea, the password problem was the database field setting, when I first setup the table I just put in a number before I had thought about the md5. Sound likes you had one of those duh moments once.

Any way I now have a differnt problem, one I did not expect to have. for some reason my sessions are ending when I click a link (don't jump to any conclusions yet).

Here's how thing are working I have made the entire session code an included file, it is included in the first line of my index.php. In the first line of my session.php file is the "session_start();". How this all brakes down is all those extra fields in my user database table set the permissions for what menu items are seen and what pages can be accessed. The links in my menu are setup like so: http://www.mysite.com/administartion/index.php?page=booklet. That will then prompt the code in my index.php to include the dataentry.php and based upon settings for the "booklet" page, that are stored in the database, display a list of booklets and an form customized for making new entries or updating the booklets in the database.

From my understading having the "session_start();" at the top of the page should keep the session active but it's not. As for how I know the session has ended I just do a "print_r ($_SESSION);" in the dataentry.php file and it comes up blank were if I do that in the index.php page it has all the values.

Anybody know whats going on???

And again thanks for all the help so far.

rincewind456

session_start() has to be called on all pages so provided the include is called on every page it should work. set your error reporting to

error_reporting(E_ALL);

and see if there are any notices shown.

shaneH

All of my pages are designed to be included in the index.php and I have the session_start() in the first line of my session.php which is included in the first line of index.php

I tried the error_reporting(E_ALL), to get it to run properly I had to move session_start() from the session.php to the first line of the index.php and place the error_reporting(E_ALL) just below it. Here is what I got for errors I think all of them are irrelavant to my problem

Notice: Undefined index: 0 in /home2/ecgc/public_html/admin/session.php on line 85 
 
Notice: Undefined index: 1 in /home2/ecgc/public_html/admin/session.php on line 86 
 
Notice: Undefined index: 2 in /home2/ecgc/public_html/admin/session.php on line 87 
 
Notice: Undefined index: 4 in /home2/ecgc/public_html/admin/session.php on line 88 
 
Notice: Undefined index: 5 in /home2/ecgc/public_html/admin/session.php on line 89 
 
Notice: Undefined index: 6 in /home2/ecgc/public_html/admin/session.php on line 91 
 
Notice: Undefined index: 7 in /home2/ecgc/public_html/admin/session.php on line 92 
 
Notice: Undefined index: 8 in /home2/ecgc/public_html/admin/session.php on line 93 
 
Notice: Undefined index: 9 in /home2/ecgc/public_html/admin/session.php on line 94 
 
Notice: Undefined index: 10 in /home2/ecgc/public_html/admin/session.php on line 95 
 
Notice: Undefined index: 11 in /home2/ecgc/public_html/admin/session.php on line 96 
 
Notice: Undefined index: 12 in /home2/ecgc/public_html/admin/session.php on line 97 
 
Notice: Undefined index: 13 in /home2/ecgc/public_html/admin/session.php on line 98 
 
Notice: Undefined index: 14 in /home2/ecgc/public_html/admin/session.php on line 99 
 
Notice: Undefined index: 15 in /home2/ecgc/public_html/admin/session.php on line 100 
 
Notice: Undefined index: 16 in /home2/ecgc/public_html/admin/session.php on line 101 
 
Notice: Undefined index: 17 in /home2/ecgc/public_html/admin/session.php on line 102 
 
Notice: Undefined index: 18 in /home2/ecgc/public_html/admin/session.php on line 103 
 
Notice: Undefined index: 19 in /home2/ecgc/public_html/admin/session.php on line 104 
 
Notice: Undefined index: 20 in /home2/ecgc/public_html/admin/session.php on line 105 
 
Notice: Undefined index: 21 in /home2/ecgc/public_html/admin/session.php on line 106 
 
Notice: Undefined index: 22 in /home2/ecgc/public_html/admin/session.php on line 107 
 
Notice: Undefined index: 23 in /home2/ecgc/public_html/admin/session.php on line 108 
 
Notice: Undefined index: 24 in /home2/ecgc/public_html/admin/session.php on line 109

which are these lines below

	$rn = $_SESSION['0'];
    $Name = $_SESSION['1'];
    $User_Id = $_SESSION['2'];
	$Email = $_SESSION['4'];
	$Logs = $_SESSION['5'];

$admin = $_SESSION['6'];
$home = $_SESSION['7'];
$aword = $_SESSION['8'];
$tracts = $_SESSION['9'];
$booklets = $_SESSION['10'];
$gospel = $_SESSION['11'];
$outlines = $_SESSION['12'];
$commentary = $_SESSION['13'];
$reviews = $_SESSION['14'];
$testimonies = $_SESSION['15'];
$contact = $_SESSION['16'];
$directions = $_SESSION['17'];
$serving = $_SESSION['18'];
$ecbts = $_SESSION['19'];
$tvshow = $_SESSION['20'];
$university = $_SESSION['21'];
$bible = $_SESSION['22'];
$recordings = $_SESSION['23'];
$phone = $_SESSION['24'];

All of the above errors go away once I login

Notice: Undefined variable: page in /home2/ecgc/public_html/admin/index.php on line 9

if (in_array("$page", $misc_array)) {

Notice: Undefined variable: page in /home2/ecgc/public_html/admin/index.php on line 35

if (in_array("$page", $press_array)) {

Notice: Undefined variable: page in /home2/ecgc/public_html/admin/index.php on line 62

if ($page == "bible") {

Notice: Undefined variable: page in /home2/ecgc/public_html/admin/index.php on line 88

if ($page == "recordings") {

Notice: Undefined variable: page in /home2/ecgc/public_html/admin/index.php on line 203

if ($page == "register") {include('register.php');}

Notice: Undefined variable: page in /home2/ecgc/public_html/admin/index.php on line 205

if (in_array("$page", $press_array)) {include('dataentry.php');

And all of these errors go away, as you can probably guess, once I click a link, which all use a have a "page=something". Take note of the last error and the line. It is the include that is called for each menu item link.

If you have any other ideas let me know thanks

rincewind456

I tried the error_reporting(E_ALL), to get it to run properly I had to move session_start() from the session.php to the first line of the index.php

So did that get the session to run properly?

shaneH

No, the session still dies when I click a link.

Best I could tell all those erros are just caused by variables not having a value that once a value is set (by loging in or clicking a link) they go away but clicking a link would still end the session.

shaneH

I think the best way to solve the problem will be to either use cookies or have the session stored in the database.

As it has been about 2 years since I used javascript in any serious manner I think it would be easiest to store the session in the database. I was thinking I would just pick a large number and add the year month day hour minute and seconds to that number and make the total a unique identifier that would be generated at for storing the session in the database the session id would also be stored in the database and the unique identifier would be passed from page to page once the user is logged in and that unique identifier would make a call to the database to check the current session id against the stored session id and if they match retrieve the stored permissions. I would then set up the log out to delete the session from the database. And if they don't manually log out I think there is away to to setup mysql to have the entry expire. If not I will just set it so that each time someone logs in the script will check for old sessions and delete them as I do not anticipate there being more than 4 or 5 enteries at any given time period and I am certain that at least once a week, but most likely 3 or more times a week, someone will have to login.

I just want to make sure that there is no known problems with doing it this way.