[RESOLVED] Just want to make sure im doing this right..[sessions]

big_nerd

I tested this code with Apache/Win32, PHP 5, worked fabulous, uploaded it to a server (helping a friend out with school) and it doesnt work there.

I am sure I did it right (especially since it worked for me).

It is written very basic (newbie to PHP wrote it) I am just helping figure out what is happening.

<?php

require "connect.inc.php"; // The SQL Connection works perfectly.. no need to show.
db_connect("database");

session_start(); // Start the session

$user = $_REQUEST['username'];  // Get what they entered for user / pass
$pass = $_REQUEST['password'];

$query = "SELECT * from useraccess WHERE username = '$user' ";
$result = mysql_query($query); 

if (mysql_num_rows($result) < 1) {  // If the username does not exist;
	echo "You have entered an invalid username and/or password.  Please <a href=\"index.html\">Try Again</a>.";
} else {
	while ($row = mysql_fetch_object($result)) {
		$db_pass = $row->password;
		$acslevel = $row->acslevel;
	}
	if ($pass == $db_pass) {
		$validated = 1;
	} else {
	echo "You have entered an invalid username and/or password.  Please <a href=\"index.html\">Try Again</a>.";	}
}


if ($validated == 1) {
	$_SESSION['username'] = $user;
	$_SESSION['password'] = $pass;
	$_SESSION['acslevel'] = $acslevel;
	echo "Thank you for logging in, <a href=\"custome_e.php\">Continue</a>";

}

?>

Then the file custome_e.php:

<?php
// Start Session; Get User / Password / Access Variables.

session_start();

$user = $_SESSION['username'];
$pass = $_SESSION['password'];
$acslevel = $_SESSION['acslevel'];

echo "Hello $user.  Your Options are below. $acslevel $pass";
if ($acslevel >= 10) {
	echo "You are an Administrator, you may delete or edit customer records.<br>";
} else {
	echo " You must be an administrator in order to change/delete customers You may ADD, or VIEW customers.<br>";
}
?>
  <table width="500" border="0" cellspacing="0" cellpadding="0">
    <tr>
      <td><div align="center"><a href="show_records.php">Show Customers </a></div></td>
    </tr>
    <tr>
      <td><div align="center"><a href="add_record.php">Add New Customer </a></div></td>
    </tr>
<?php 
if ($acslevel >= 10) {
?>
    <tr>
      <td><div align="center"><a href="delete_record.php">Delete Customer </a></div></td>
    </tr>
    <tr>
      <td><div align="center"><a href="edit_records.php">Edit Customers </a></div></td>
    </tr>
<?php
}
?>

The problem is, on my system it worked great, on the system it was uploaded to it wont accept the SESSION data on the 2nd file. If I (from the login.php file) echo $_SESSION['username']; after initializing it, it will echo perfectly.

As soon as it gets to the second file it can't seem to get the data.

I believe it to be a server problem, however it is a server that is setup for the school, where they instructed to use sessions.

I just want to make sure there is no coding errors... I know its basic, it sorta needs to stay that way.

thanks in advance...

bradgrafelman

"I know its basic" - Basic and could do with tons of optimization and security enhancements (e.g. you're vulnerable to SQL injection attacks, and where does it ever verify that you're actually logged in within the custome_e.php script?)... but anywho...

The session ID might not have been propogated correctly. To test this, echo [man]session_id/man on both pages - the value echo'd should be the same within the same session (e.g. same browser window). If they are different, then you need to do either one of two things, with #1 being preferred:

Change the session.use_cookies directive to '1' (or 'On') in the php.ini file or in a .htaccess file in the root of your site.
Propogate the session id via the URL manuall, e.g.
```
echo "Thank you for logging in, <a href=\"custome_e.php?PHPSESSID=" . session_id() . "\">Continue</a>";
```
or do the same steps above, only this time you're enabling the session.use_trans_sid directive.

big_nerd

He isn't quite at SQL injection yet, as I mentioned its a school project.

I logged in, passing the session ID worked like a charm (using ?".SID."...)

They havn't gotten to .htaccess, SQL injection, or optimization for that matter.

Although I offered to write it for him; he is more interested in learning.

Thanks AGAIN.. .. geez I should buy you a present or something.

[edit] What is the best way to verify that the user is actually logged in in this scenario?

bradgrafelman

big.nerd wrote:
He isn't quite at SQL injection yet, as I mentioned its a school project.

Still, since it's a security exploit, there's no sense in learning it the wrong way, so I just always point that out.

big.nerd wrote:
[edit] What is the best way to verify that the user is actually logged in in this scenario?

Since you set their username in the session, I would do something like this:

if(empty($_SESSION['user'])) {
    die('Error: You must be logged in to view this page.');
}

EDIT: You keep mentioning how 'basic' this project is, but just to throw it out there..

If you ever coded a "logout" function, all you'd have to do is destroy the session data (e.g. [man]session_destroy/man) and clear out the $_SESSION superglobal array; technically, there's no need to use setcookie() to delete the actual session cookie.

big_nerd

Thanks again, will do.

I will teach him about SQL Injection; im sure its worth some bonus marks.