Browser specific session problems

wessie

Hi all,

Excuse the verbosity - I want whoever reads it to be really clear on what my problem is :-)

I have a small application that uses sessions as a means of authenticating users to a secure section. The problem is that it works ideally when using Internet Explorer 6 but doesn't work with Mozilla Firefox. I've narrowed the reason down to the way Firefox handles sessions.

My application structure is as follows
http://localhost/scripts
|
------enter.php
http://localhost/scripts/secure
|
-----execute.php

A user gains access to execute.php by navigating to the enter.php page where a user is prompted with a username and password field. If the user enters the correct details a session is set indicating that the user is logged in. The user is then transferred to the /secure/execute.php page which checks the session variable to see if the user is logged in.

If however, a user navigates directly to http://localhost/scripts/secure/execute.php they are supposed to be redirected to http://localhost/scripts/enter.php

The problem I have is the following : After I login (using IE), if I close my browser window and open up another browser window and attempt to go directly to http://localhost/scripts/secure/execute.php I am redirected to http://localhost/scripts/enter.php - which is correct. However if I try to go directly to http://localhost/scripts/secure/execute.php I am allowed to access the page because a cookie has been created on my machine.

Any help is appreciated!

stolzyboy

you are using cookie-based session (whether you are using setcookie or not, cookie-based sessions put cookies on the client machine), have a look at www.php.net/session and look for:

session.use_cookies boolean
session.use_cookies specifies whether the module will use cookies to store the session id on the client side. Defaults to 1 (enabled).

you should use sessions w/o cookies, that way, when the browser is closed, the session is ended and will require re-login

if you want to post some of your session code, someone could probably have a look at that as well

hth,
stolzyboy

wessie

thanks stolzyboy!

I tried setting "session.use_cookies" to "0" but then my sessions aren't created.

stolzyboy

can you show us some of your code... we may be able to help you more then...

wessie

This is the basic functionality thats giving me problems. There are 2 webpages involved : enter.php and secure/execute.php. enter.php sets a few session variables and secure/execute.php checks them. Please note that session.use_cookies = 0

enter.php

<?PHP
session_start();
$username = $POST["name"];
$password = md5($POST["password"]);
$_SESSION["test_session"] = "this is a test";

if(($username == "USER") && ($password == md5("PASSWORD")))
{
session_register("uname");
$uname = $username;
session_encode();

  $_SESSION["user"] = $username;
          header("Location: secure/execute.php");

}
?>
<form name="enter" method="post" action="<?php echo $PHP_SELF; ?>">
<?PHP echo $error_message; ?>
<input name="id" type="hidden" value="set">
Name: <input name="name" type="text" size="20" value="<?PHP echo $username; ?>"><br>
Password:<input name="password" type="password" size="20" maxlength="20" value="">
<input type="submit" name="nsubmit" value="LOGIN">
</form>

secure/execute.php

<?PHP
// session start
session_start();
// is set session variable?
echo "session test value = " . $SESSION["test_session"] . "<br>";
if (!isset($SESSION["user"]))
// recall the enter page
{
header("Location: ../enter.php");
exit;
}
else
{
$usr = $_SESSION["user"];
print "session user is set<br>usr := $usr<br>";
}
?>

stolzyboy

a couple things... it is not necessary to use session_register and you actually shouldn't when using register_globals = off and don't mix/match when using $_SESSION and session_register...

also, a lot of times, code right before header redirects won't have time to fire... the redirect fires before the code can finish, adding a sleep in there or adding some if/else structure to "slow the firing" will likely help this issue

hth,
stolzyboy

bradgrafelman

stolzyboy wrote:
adding a sleep in there or adding some if/else structure to "slow the firing" will likely help this issue

Actually, calling [man]session_write_close/man before sending out the redirect header usually solves this.