not another session question

bfuzze_98

Yes it is...

I'm having trouble with a login procedure. The login script seems to be working in that it is generating the correct session vars, pulled from the database based on user parameters. However, when the login page redirects back to the requestor page the session var is empty.

Background: Each content page has an 'included' headerscript which checks the session user vars. If the user vars do not exist, or have expired...back to the login page. Since the session vars are not passing from the login page...

This is a set up I transferred from my work environment, where it works fine, so it has to be something about my server setup and/or how it is dealing with sessions.

Just to get it out of the way, I am using session_start() on every page.

Unfortunately server admin is not my forte. phpinfo tells me the session is being created and tells me the session save path, but when I go there the dir is empty.

One thought is this may be the result of some sort of multiple session conflict. The sessions are named rather than just a randomly assigned id (although it has that too) and perhaps they are not being destroyed correctly. If there was more than one with the same ref, the server wouldn't know which to load. It's just a theory. I don't really have a clue other than that a session is persistent and should be available.

So what's the deal?

benracer

Could you post the login and check session script?

bfuzze_98

$src = isset($_GET['src']) ? $_GET['src'] : "";
if (isset($_POST['user'])) {

$dbc = mysql_connect('myhost', 'myusername', 'mypass');
$set_encoding = mysql_query("SET NAMES 'utf8'");
$sel = mysql_select_db('mydb', $dbc);

require_once ('includes/escape_data.php');

$src = isset($_POST['src']) ? $_POST['src'] : "";

if (isset($_POST['user'])) {
	$user = escape_data($_POST['user']);
} else {
	$user = FALSE;
}

if (isset($_POST['pass'])) {
	$password = escape_data($_POST['pass']);
} else {
	$password = FALSE;
}


if ($user && $password) { 

	$strSQL = "(ping db for user credentials...)";		

	$result = mysql_query($strSQL);

	while ($row = mysql_fetch_assoc($result))	{ 
	if ((mysql_num_rows ($result))==1) {
		if ($row['priv_home'] != 1) {
			$error = "Sorry, account disabled, you may not login.";
		} else {
			session_name ('items');
			session_set_cookie_params (43200, dirname($_SERVER['PHP_SELF']), $_SERVER['HTTP_HOST']);
			session_start();

			$_SESSION['accesstime'] = time();
			$_SESSION['username'] = $row['username'];
			$_SESSION['user_id'] = $row['user_id'];
			$_SESSION['first_name'] = $row['first_name'];
			$_SESSION['last_name'] = $row['last_name'];
			$_SESSION['fav_topic'] = $row['fav_topic'];


//print_r($_SESSION);
//THIS IS WHERE I FIRST CHECKED THE $_SESSION VAR, SEEMS OK HERE

				if (strlen($src) > 0) {
					header ("Location:  http://" . $_SERVER['HTTP_HOST'] . $src);
				} else {
					header ("Location:  http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/index.php");
				}
				exit();
			#}
		}	
	} else {
		$error = "Password incorrect"; 
	}
}
mysql_close();
} else {
	$error = "Please try again.";		
}

} 
//The rest is a basic login form...

Headerscript

session_set_cookie_params (43200, "/", $_SERVER['HTTP_HOST']);
session_start();

//print_r($_SESSION);
//THIS IS WHERE I CHECKED THE $_SESSION VAR, EMPTY

if (!isset($_SESSION['user_id'])) {
	header ("Location:  http://" . $_SERVER['HTTP_HOST'] . "/items/login.php?src=" . urlencode($_SERVER['REQUEST_URI']));
	exit();
}

header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);

// HTTP/1.0
header("Pragma: no-cache");

header('Content-Type: text/html; charset=utf-8');

$user_id = $_SESSION['user_id'];
$username = $_SESSION['username'];
$fav_topic = $_SESSION['fav_topic'];

#priv redirects on zero value
$priv_home = $_SESSION['priv_home'];
if ($priv_home == 0) {
	header ("Location:  http://" . $_SERVER['HTTP_HOST'] . "/items/login.php");
	exit();
}

/**
 * Set any constants needed by other scripts
**/
define("ITEMS_DIR", realpath(dirname(__FILE__) . "/../"));

Thanks for the attention.

benracer

put php tags round your code instead of code

bfuzze_98

I changedd the tags, any suggestions?

Weedpacket

I notice that in in Headerscript you don't seem to be setting the session name before you start it. Was it left out of your post?

bfuzze_98

Yes, must have clipped it by mistake. It's actually the first line. Good catch.

bfuzze_98

I should note that although I left out the session_name() at the top of the script that I posted, it is at the top of the script I'm working with so that is not the source of the problem. Any other suggestions?

bfuzze_98

Hate to bring this back up, but I'm still having problems carrying sessions over from the login script to any other page. I don't think this is necessarily a problem with the script but rather environmental settings.

I'm using FF and I've set it to allow cookies from my local environment. I've found in certain cases a server will not allow cookies from 'localhost' so I'm using explicit naming (my computer name).

I've also tried changing the session save path:

ini_set('session.save_path', 'my_server_tmp');

so I can see when the sessions are being created. Before it was set a location outside the server in one of my windows user profile dirs and I don't think the actual session files were being created due to perms issues. I can see the session files now as they're created at the end of the login process. All the information is correct, but once redirected back to the application page, I start the session, ping the global session var and it's empty.

I also tried doing another ini_set...save_path at the beginning of the application page to match the login session save_path, but now it's just creating 2 sessions, one from the login page and the second from the app page.

What am I missing here (and where the hell is the smiley for rage and frustration)?