session question

katiemac

I have created a login script called
"online-login.php" where the user enters their uname and pwd.

This script is then forwarded to "online-login-process.php"
which checks the database to see if username and password exist.
If they do, this the code I used to start a session:

if (@mysql_num_rows($iResult) > 0) 
{ 
     session_start();
     $_SESSION['user'] = $sUser;
     $_SESSION['pwd']  = $sPwd;

 header('Location: http://enviroflexsurfaces.com/?page_id=1312');
}
else
{
     $sTemp1 = $_SESSION['user'];
     $sTemp2 = $_SESSION['pwd'];

 if ( ($sTemp1 == "") || ($sTemp2 == "") )
 {
   session_unset(); 
   header('Location: http://enviroflexsurfaces.com/?page_id=1303');
 }
}

If is is ok it fwds user to page 132 (admin panel) or if wrong fwds user to login screen (1303).

I tried to check for the session vars at the top of the admin panel page and they are empty. What did I do wrong?

Thanks.

bradgrafelman

When posting PHP code, please use the board's [noparse]

..

[/noparse] bbcode tags as they make your code much easier to read and analyze.

One problem I see is that your call to [man]session_start/man won't be executed if the 'else' branch is executed, yet the 'else' branch tries to use session variables. You must call session_start() before you attempt to use session variables.

Also note that if you're using cookies to propagate the session ID, then "www.mydomain.com" and "mydomain.com" are two separate host names, and by default the cookie is set for the exact domain that was being used at the time. Thus, if your users reached the above code via "www.yoursite.com", your redirects in the form of "yoursite.com" would thus cause the cookies to be lost (meaning subsequent calls to session_start() would actually create a new, blank session).

Lord_Yggdrasill

bradgrafelman;11001254 wrote:
Also note that if you're using cookies to propagate the session ID, then "www.mydomain.com" and "mydomain.com" are two separate host names, and by default the cookie is set for the exact domain that was being used at the time. Thus, if your users reached the above code via "www.yoursite.com", your redirects in the form of "yoursite.com" would thus cause the cookies to be lost (meaning subsequent calls to session_start() would actually create a new, blank session).

Well I have that problem too. The cookies set in www.yourdomain.com cannot be recognized by yourdomain.com(without www). I have no idea how to fix this though, luckily users of my software rarely complain about it.

Damian_

can you not use htaccess to always use www or non www ?

RewriteEngine on
RewriteCond %{HTTP_HOST} !^{www.your_domain.com$}
RewriteRule ^(.*)$ http://www.your_domain.com/$1 [R=301]

Lord_Yggdrasill

Thats a possible solution, tbh I dont know how .htaccess works at all. I will look into this possibility, thanks for bringing it up.

laserlight

Heh, but once you bring that up... no-www! (Read the FAQ for an example .htaccess entry.)

bradgrafelman

Lord Yggdrasill;11001536 wrote:
The cookies set in www.yourdomain.com cannot be recognized by yourdomain.com(without www). I have no idea how to fix this though

One possible fix is actually rather simple; you need to set the session.cookie_domain PHP directive to have a value of '.yourdomain.com' - the leading period with nothing before it is a bit like a wildcard character; that value will match any subdomain (including the NULL subdomain) of 'yourdomain.com' (e.g. 'www.yourdomain.com', 'yourdomain.com', 'my.foo.bar.yourdomain.com', etc.).