start_session() problem?!

trendMM

Hi,

I'm using a pretty simple login script for a part of a website I have. It worked great on my server which was running php version 4 something. Sorry I don't know the exact one.

But when I switched to my new server which is running php 5 the login script no longer works, the problem seems to be the start_session() function. I've checked everything else and it seems to be good.

Anyways, what the problem is, is that when you login with the wrong password it sends you back with the error message which is good, but when you login using the correct info it just sends you back to the login form without sending you to the specfied page like it's supposed to. Does anyone have any idea why it would do this?

It's really confusing me.

Here's my code:
checklogin.php

<?php
$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name="test"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

loginsuccess.php (where you go when it's successful, of course)

<?
session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}
?>

<html>
<body>
Login Successful
</body>
</html>

It seems as though everytime you get to loginsuccess.php it says the session is not registered and sends you back to the login form. I'm so confused as to why it's doing this seeing as it was working great on my old server.

Any help would be greatly appreciated!!

NogDog

I would strongly suggest you not use session_register() and session_is_registered(), as they depend on the deprecated [man]register_globals[/man] configuration option. Instead, use the $_SESSION super-global array to store/retrieve your session values. In either case, though, you need a session_start() in the first script before you start saving session values.

Also, if doing a header() redirect, it's a good idea to first save your session data before doing the header():

<?php
session_start();
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
session_write_close();
header('Location: http://www.example.com');
exit;

PS: It's probably not a great idea to be saving the user's password in the session data if not truly necessary, as that's just one more place a hacker might be able to find it.

trendMM

Ah I think I understand what you're saying, the code you used as an example would be placed in the checklogin.php file, correct?

Well on the success page how would I check to see that the session has been registered? If not redirect them to the login page.

Thanks for your help thusfar.

trendMM

Tried your recommended action with this to ensure a session has been set on the protected pages, if not it sends back to the login screen.

if(empty($_SESSION['myusername']) || empty($_SESSION['mypassword'])) {
	header("location:index.php");
}

Thing is, even with a correct password it still sends you back to the login.

Also I commeted out the header location and tested to see if it's carrying over the $_SESSION['myusername'] value and it's still coming up empty. Any idea on what I can do? This is really frustrating me at this point.

HalfaBee

You might have the wrong path for session_tmp_dir in php.ini

tron00

Have you checked to see if your mysql query is actually returning a result? Also, you should encrypt your passwords.

trendMM

<?php

// Include config file
include('common.php');

$link = dbConnect();

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

// encrypt password
$encrypted_mypassword=md5($mypassword);

$sql="SELECT * FROM login WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "home.php"
session_start();
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
session_write_close();
header('location: home.php');
} else {
$results = "<font class=\"font\"><font class=\"fontBold\">Oops!</font> Incorrect username or password. <a href=\"index.php\">Click here</a> to try again.</font>";
}

?>

Yeah I checked and it's returning results from mySQL.

It's just that when it gets to the success page it's not carrying the session.

session_start();
if(empty($_SESSION['myusername']) || empty($_SESSION['mypassword'])) {
	//header("location:index.php");
}

As far as the tmp path, mine is: var/lib/php5

Just can't seem to figure this problem out.

HalfaBee

Do you have session_start() in checklogin.php?

trendMM

yep

session_start();
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
session_write_close();
header('location: home.php');

NogDog

Try adding the following to the start of each script, just to see if PHP has anything it's trying to tell you:

<?php
ini_set('display_errors', 1);
error_reporting(E_ALL);

trendMM

oh wow, it's returning this...
"Notice: Undefined index: myusername in" followed by the path to the file and the line that's messed up.

what's a fix for this?

NogDog

Which line is it? If it's this one:

$myusername=$_POST['myusername'];

...then make sure the form element's name exactly matches the index you are using (including upper-/lower-case).

trendMM

checked it and everything matches, actually it was within the success page.

i had it plugged saying you are logged in as, $_SESSION['myusername']

and it can't find that variable. any idea why the session isnt carrying over? is it timing out as soon as checklogin.php sends you to the success page?

trendMM

Here's some of the session defaults as viewed from phpinfo()

session.auto_start Off Off
session.bug_compat_42 On On
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 0 0
session.hash_bits_per_character 4 4
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /var/lib/php5 /var/lib/php5
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid 0 0

HalfaBee

I would change session.save_path to a dir in your own webspace.

Make sure groups/permissions are set properly.

I would also suggest you set up a simple test script to see if sessions are working.