[RESOLVED] Checking isset issue

robkir

I have a routine that I used to prevent users from going directly to a php page without first logging in. The code merely asks if the user has an access_level set. If the user does not, then the user is bounced back to the log in window. It works about 95% of the time and always in this manner:

The user successfully logs in and is directed to the home page that has the access_level check. The successful user is never bounced when going to the home page. But, when the user chooses an a php page to visit from the navigation menu, 5% of the time he will get bounced back into login. I've tested it a dozen times and I can't detect anything that I am doing differently between logins that would cause it to sometimes fail.

The routine looks like this:

if (!isset($_SESSION['access_level'])) {
		$err_msg='Illegal access--user not logged in';
		include('userlogin.php');
		exit();
}

I've also tried it with empty and get the same results.

I can't figure out why it usually works, an occasionally fails. Any ideas?

NogDog

Could be an issue with whether or not the "www." sub-domain is used when the user accesses the page versus whether or not the "www." is part of links/redirects.

This can be addressed at the web-server level via URL rewriting to enforce use or omission of the sub-domain, or in your PHP configuration by setting the session.cookie_domain to ".yourdomain.com" (note leading dot).

robkir

Hi Nogdog,

Interesting. The program’s navigation system was based on hyperlinks and had the full path to the pages:

http://www.sourcesite.org/ASYO_contact_list_program/profile_select1.php

Based on your advice, I changed it to eliminate the www and made it a relative path (i.e. profile_select1.php) and so far, no crashes. Any thoughts on why it would some of the time?

I’m still green in the world of programming and cookies are something I haven’t investigated enough to understand. I’ll have to do some more research on how I access my PHP configuration, if I even can, since the hosting company provides it. In the meantime, here’s a larger issue question. Should I be using the methodology I am using to prevent users from simply calling up a key php page (checking to see if there is an access_level set?) or is there a better way? Should the cookie be used to valid the user’s credentials.

I appreciate any information I can get. I am reading as fast as I can…but it’s an uphill climb.

robkir

NogDog

Basically, if the user initially accesses the site via "domain.com" as the host part of the URI, any cookie (including the session cookie) will only be sent on further requests to "domain.com". If a request includes a sub-domain portion ("www.domain.com"), then the more general "domain.com" cookie will not be sent, so your PHP script would start a new session ID.

This confusion can be avoided within your PHP scripts by setting the session.cookie_domain setting to ".domain.com" with the leading dot, or at the script level using [man]session_set_cookie_params/man. In this case, any cookie set this way will be sent with any page request to that domain, regardless of sub-domain or lack of sub-domain.

robkir

I am sorry to be so dense about this but I really would like to understand it. I understand how the cookie facilitates the navigation, but I'm still fuzzy on the mechanics. Is the syntax

session_set_scookie_params(.mywebsite.com)

And, do I do this once, at the login, or in every script?

I apologize for taking up your time but I appreciate your input.

NogDog

If you do it via the script, it would have to be in each script before the session_start() is called. Therefore it might be a good thing to put into an include file (along with any other stuff that is useful to have in all scripts:

header.php:

<?php
// session cookie: expires when browser closed, applies to all paths, applies to all sub-domains:
session_set_cookie_params(0, '/', '.your_domain.com');
session_start();
header('Content-Type: text/html; charset=UTF-8'); // example of "other stuff"

typical file:

<?php
require 'header.php';
// rest of script...
?>