[RESOLVED] $_SESSION not saving

zekemorgan

I'm pretty self-sufficient with finding solutions but I've been struggling with this for a few days.

I have a login system that uses session or cookies. Cookies work fine. $_SESSION['username'] transfers from the login page to the index, where checkLoggedIn() is called. After a refresh the checkLoggedIn() function doesn't detect the session variable and sends users back to the login page. (Also I just started working with OO PHP so don't crucify me, but I am open to suggestions!! :p)

PHP info
Testing session across pages and it works

http://www.walsh-web.com/code/login/login.php

<?php 
session_start(); 
ob_start();


class Config {
	public static $DBHOST = "host";
	public static $DBUSER = "user";
	public static $DBPASSWORD = "pass";
	public static $DB = "dbname";
}
$config = new Config;

mysql_connect(Config::$DBHOST, Config::$DBUSER, Config::$DBPASSWORD) or die(mysql_error());
mysql_select_db(Config::$DB) or die(mysql_error());

//Starts login script if user fills in login information
$submit = $_POST['submit'];
if($submit)
{
	//Pull login variables
	$username = strtolower(mysql_real_escape_string($_POST['username']));
	$password = md5(mysql_real_escape_string($_POST['password']));

//Ensures user entered both a username and password
if ($username && $password)
{
	//Compares username and password to information stored in table "users"
	$result = mysql_query("SELECT * FROM users WHERE username = '$username'");
	while($row = mysql_fetch_array($result))
	{
		$dbusername = $row['username'];
		$dbpassword = $row['password'];
		$dbuid = $row['uid'];			
	}

	$dbuid = sha1($dbuid);

	if ($username == $dbusername && $password == $dbpassword)
	{
		//If "Remember Me" is turned on, cookie is created
		if ($_POST['rememberme'] == 'on')
			{
				setcookie("username", $username."-".$dbuid, time()+100000, $path="/");
			}
		//If its turned off, browser will remember user until browser is closed	
		else
			{
				$_SESSION['username'] = $username."-".$dbuid; 
			}

		header('Location: http://www.walsh-web.com/index.php');
	}
	else
		echo "You have entered an incorrect username or password.";
}
else
	echo "Please enter a username and password";

}

?>

http://www.walsh-web.com/inc/database.php

<?php
session_start(); 
ob_start();

class Config {
	public static $DBHOST = "dbhost";
	public static $DBUSER = "user";
	public static $DBPASSWORD = "pass";
	public static $DB = "db";
}

class User{

public $username;
public $access_level;
private $uid;
private $dbuid;

public function __construct($username, $access_level, $uid, $dbuid){
	$username = $this->getUsername();
	$uid = $this->getUid();
	$dbuid = $this->getDBUid();
	$access_level = $this->getAccessLevel();	
}

public function getUsername(){
	if(isset($_COOKIE["username"])){
		$username = $_COOKIE["username"];
		$username = explode("-", $username);
		return $username[0];
	}
	elseif (isset($_SESSION["username"])){
		$username = $_SESSION["username"];
		$username = explode("-", $username);
		return $username[0];
	}	
}

public function getName(){
	$username = $this->getUsername();
	$result = mysql_query("SELECT name FROM users WHERE username = '$username'");
	while($row = mysql_fetch_array($result)){
		$name = $row['name'];
	}
	return $name;
}

private function getUid(){
	if(isset($_COOKIE["username"])){
		$username = $_COOKIE["username"];
		$username = explode("-", $username);
		return $username[1];
	}
	elseif (isset($_SESSION["username"])){
		$username = $_SESSION["username"];
		$username = explode("-", $username);
		return $username[1];
	}
}

public function getAccessLevel(){
	$username = $this->getUsername();
	$result = mysql_query("SELECT access_level FROM users WHERE username = '$username'") or die(mysql_error());
	if (mysql_num_rows($result) > 0){
		while($row = mysql_fetch_array($result)){
			$access_level = $row['access_level'];
		}
	}
	else
		$access_level = "No Access";
	return $access_level;
}

private function getDBUid(){
	$username = $this->getUsername();
	$result = mysql_query("SELECT uid FROM users WHERE username = '$username'") or die(mysql_error());
	if (mysql_num_rows($result) > 0){
		while($row = mysql_fetch_array($result)){
			$dbuid = $row['uid'];
		}
	}
	return $dbuid;
}	

public function checkLoggedIn(){
	$username = $this->getUsername();
	$uid = $this->getUid();
	$dbuid = $this->getDBUid();
	$access_level = $this->getAccessLevel();

	if($username && $access_level != 'No Access') {
		//If they manipulate cookie data they are instantly logged out
		if (sha1($dbuid) != $uid && $_SERVER['PHP_SELF'] != "/code/login/login.php"){
			header('Location: http://www.walsh-web.com/code/login/logout.php');
		}	
		return true;

	}		
	//If they are not logged in, system sends them to login page
	else{
		if ($_SERVER['PHP_SELF'] != "/code/login/login.php")
			header('Location: http://www.walsh-web.com/code/login/login.php');
	}
}
?>

NogDog

Don't know if this could be the issue, but I've found that sometime if you are doing header() location redirects, you need to do a [man]session_save_close/man right before the call to header().

zekemorgan

Thanks for the quick response NogDog! That didn't work but after reading some of the comments on php.net about similar problems in the session_write_close page, I read about session_regenerate_id() and upon adding it to database.php, it seemed to work.

Does anyone know why session_regenerate_id is needed?