[RESOLVED] $_SESSION variabables

rupertbj

I am writing a user authentication script and I am trying to use sessions to achieve this. This is what I have so far:

index.php (clearing any existing sessions and prompting for login details)

session_start();
if (isset($_SESSION['username'])) {
   unset($_SESSION['username']);
} else {
}

session_start();
$_SESSION["username"] = $username;

Any ideas on why this isn't working?

Many thanks in advance for your assistance!

Rupert

Tyree

What's not working? Your session unset?

If you really want to kill a previous session, do this:
session_unset();
session_destroy();

That'll wipe it all out.

rupertbj

No, the problem is that the session isn't being set.

btw, if you look at php.net, you use unset() with $_SESSION:

The session_unset() function frees all session variables currently registered.

Note: If $SESSION (or $HTTP_SESSION_VARS for PHP 4.0.6 or less) is used, use unset() to unregister a session variable, i.e. unset ($SESSION['varname']);.

Caution
Do NOT unset the whole $SESSION with unset($SESSION) as this will disable the registering of session variables through the $_SESSION superglobal.

So why still does my $_SESSION not work?

Tyree

You use unset() if you're using 4.0.6 or less. But, to totally remove a previous session, it's best to use the method I described. If not, you'll have to unset each and every stored var.

Easy stuff first...when you say "This is what I have so far", I assume you're leaving out where you're setting the $username var?

scrupul0us

rupertbj wrote:
So why still does my $_SESSION not work?

R

b/c everytime you load index.php you destroy the session variable

rupertbj

@Thyree

I think you can use

$_SESSION = array();

to clear all of the variables too.
AND
Yes, I'm leaving out where the $username is set.

@scrupulOus

index.php is only run once at the beginning of a login. if another user goes to the computer an wants to log in they will go to index.php, the previous session will be destroyed, and a new session created in login.php - there are then no backward links to index.php.

Any other ideas?

Tyree

So, index.php sends the user to login.php automatically after the current session is unset. Then on login.php the user fills in a form to set $username and then submits. Is that your method?

I think you're going to have to show us more code.

rupertbj

@ - yes, that's the principle!

if (!$_POST['username'] || !$_POST['pwd']) { include("emptyUser.php"); exit; } 
    else {
        include("mysql.inc");
       	$result = mysql_query( "SELECT * FROM loginTable WHERE email='$username' && password='$pwd'");
		$num_rows = mysql_num_rows( $result );
        if ($num_rows != "1") { include("emptyUser.php"); exit; }
            else {
				session_start();
				session_register( "username" );
                mysql_close( $link );
                include("getUserInfo.inc");
				include("version3.php");
				 }
		}

Tyree

Which are you using?
This:
$_SESSION["username"] = $username;
or This:
session_register( "username" );

If using option A...then I think it should work.

Tyree

I use something very similar:

                if (!($userName) || !($password)){
	     $___m = "Please complete the form.";

} else {

//Check db for user
$query = "SELECT * FROM users WHERE UserName='$userName' AND Password='$password'";
$result = performQuery($query);
$row = mysql_fetch_assoc($result);

if (mysql_num_rows($result) > 0) {

$_SESSION['userName'] = $userName;
$_SESSION['userid'] = $row['ID'];
$_SESSION['group'] = $row['UserGroup'];
$_SESSION['sessionID'] = session_id();


$___m = "Login Success.";
} else {
	$___m = "No user matches that information.";
}

}

That's basically the same thing you're after. My session_start() is at the top of the page though.

rupertbj

Good point!

I now have:

if (!$_POST['username'] || !$_POST['pwd']) { include("emptyUser.php"); exit; } 
    else {
        include("mysql.inc");
       	$result = mysql_query( "SELECT * FROM loginTable WHERE email='$username' && password='$pwd'");
		$num_rows = mysql_num_rows( $result );
        if ($num_rows != "1") { include("emptyUser.php"); exit; }
            else {
				session_start();
                $_SESSION["username"] = $username;
                mysql_close( $link );
                include("getUserInfo.inc");
				include("version3.php");
				 }
		}

BUT.........It still doesn't work properly.

It logs in fine and the username is set etc. However, when I go back to index.php to log into the site as a new user, it logs in fine, but the username is still the first logged in user, not the new one!!!!

I changed the index.php to see if that would work:
index.php

<?php
session_start();
if (isset($_SESSION["username"])) {
    session_unset();
    session_destroy();
    $_SESSION = array();
} else {
}

I'm still stumped!
R

Tyree

Just as a test, try dropping the if statement and just clear the session regardless.

My logout page consists of three lines...well, 4 if you count the logout message:

session_start();
session_unset();
session_destroy();

$___m = "You have been logged out."

It works fine like that.

rupertbj

I made the suggested amendments, but no joy!

I have another page that prints $username - and it always prints the first logged in username, and never the newly logged in user - rather frustrating!

echo $username

Tyree

Hmmmm, gotta be something simple we're missing.

I have to run to lunch, I'll be back in about an hour. Hopefully you'll have already nailed it by then. If not, we'll tackle it then!

Later!

scrupul0us

destroy the session by passing the session ID

rupertbj

Ha!

OK - I worked it out after looking on php.net some more:

unsetting the var:

unset($username);

I added this into the session destroying bit on index.php and it works like a dream!

Always so simple, if only one knows how!

Tyree

Odd...just because you unset $username on index.php should have no affect on the page you used to echo $username.

To my knowledge, unset() only works on THAT page when working with a standard (non-session) var.

Oh well, just so it works, I guess. Sometimes you just want to know WHY it works when it seems it shouldn't! 😃

rupertbj

I think php treats $_SESSION vars just like normal vars so maybe that's why?
R

Tyree

Well, I'm hoping someone who knows for sure can put that question to rest.

I mean, if it treats session and normal vars the same, then why have session vars? 🙂

Now, if unset($_SESSION['username']) made it work then THAT makes sense. Becasue you unset a var that other pages could potentially use.

BUT, if you unset a normal var ($username) that can only be used by the page that set it in the first place, then the next page shouldn't care if you unset it or not. In fact, it shouldn't even know what you did with that var in the previous page.

Like I said, I'd like to see what a php expert has to say about that! 😃

rupertbj

me too!!!