  1. #1
    New Coder
    Join Date
    Nov 2002
    Posts
    47
    Thanks
    0
    Thanked 0 Times in 0 Posts

    all sorts of sessions problems...

    I am having problems with my sessions such as: a user logging in but after login another person's username is displayed, the session randomly working after a certain amount of logins, the session never working, different browsers handling the sessions differently.
    This is probably a scripting error as I am new to this. Here is my script:
    PHP Code:

    $username = $_POST["username"];
    $password = $_POST["password"];

    // check if the form has been submitted
    if (isset($_POST['submit'])) {
        //$db=mysql_connect  ("xxxxxx","xxxxxx","xxxxxx") or die ("Database Error");
        //mysql_select_db("xxxxxx",$db) or die ("Database Error");
        $connection = mysql_connect("xxxxxx", "xxxxxx", "xxxxxx") or die("Can't connect to the host" . mysql_error());
        $dbconnection = mysql_select_db("xxxxxx", $connection) or die("Can't connect to the database" . mysql_error());
        $query = "SELECT * from xxxx WHERE username = '$username' AND password = '$password'";
        $result = mysql_query($query) or die("Database Error");

        // if the username and password are valid
        if (mysql_num_rows($result) > 0) {
            session_start();
            $_SESSION["username"] = $username;
            session_register("username");
            header("Location: http://shootthemessenger.org/admin/admin.php");
        }
        // else if the username and password are not valid
        else {
            session_destroy();
            include("loginerror.php");
        }
    }
    // else if submit doesn't exist, display the form
    else {
        session_destroy();
        include("loginform.php");
    }
    Anyone know why these problems are occurring?
    Thanks for any help

  • #2
    New Coder
    Join Date
    Feb 2004
    Location
    California
    Posts
    96
    Thanks
    0
    Thanked 0 Times in 0 Posts
    session_start() has to be before any code. I would recommend relocating to another page if they log in correctly as opposed to having it in an if() statement.

  • #3
    Supreme Overlord Spookster's Avatar
    Join Date
    May 2002
    Location
    Marion, IA USA
    Posts
    6,278
    Thanks
    4
    Thanked 83 Times in 82 Posts
    See this line

    session_register("username");

    You do not need to do that. That function has been deprecated. In order to create or "register" a variable in a session you just need to do what you already have done like so:

    $_SESSION['username'] = $username;

    Also both times that you have used the session_destroy function you never created a session to begin with. Take those out. You don't need them in this page. A session will only be created if the login is successful therefore no need to try to destroy any sessions as obviously they will not exist if login is invalid or they have not yet submitted their login.
    Spookster
    CodingForums Supreme Overlord
    All Hail Spookster

  • #4
    Supreme Overlord Spookster's Avatar
    Join Date
    May 2002
    Location
    Marion, IA USA
    Posts
    6,278
    Thanks
    4
    Thanked 83 Times in 82 Posts
    Originally posted by Steveo31
    session_start() has to be before any code.
    That is not correct. The session_start() function only needs to be before any output to the browser. What he is doing is fine as he is not outputting anything to the browser before creating the session.
    Spookster
    CodingForums Supreme Overlord
    All Hail Spookster

  • #5
    New Coder
    Join Date
    Nov 2002
    Posts
    47
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Do you think there is an issue when the user closes the browser window instead of logging out (which runs the session_destroy function)?

    or is closing the browser essentially the same thing?

  • #6
    New Coder
    Join Date
    Nov 2002
    Posts
    47
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Also both times that you have used the session_destroy function you never created a session to begin with. Take those out. You don't need them in this page. A session will only be created if the login is successful therefore no need to try to destroy any sessions as obviously they will not exist if login is invalid or they have not yet submitted their login.
    The reason I have the session destroy after the else if is because when the user logs out they are just taken back to the main page (the one above). They will have not clicked submit so the session is destroyed.

  • #7
    Supreme Overlord Spookster's Avatar
    Join Date
    May 2002
    Location
    Marion, IA USA
    Posts
    6,278
    Thanks
    4
    Thanked 83 Times in 82 Posts
    Originally posted by nick_a
    Do you think there is an issue when the user closes the browser window instead of logging out (which runs the session_destroy function)?

    or is closing the browser essentially the same thing?
    The session file will remain on the server if the user closes their browser. Nothing you can do about that. However PHP has a garbage collection feature. There is a setting in the PHP config file for the session timeout. Basically if the session is idle for a specified amount of time it will automatically be deleted.
    Spookster
    CodingForums Supreme Overlord
    All Hail Spookster

  • #8
    Supreme Overlord Spookster's Avatar
    Join Date
    May 2002
    Location
    Marion, IA USA
    Posts
    6,278
    Thanks
    4
    Thanked 83 Times in 82 Posts
    Originally posted by nick_a
    The reason I have the session destroy after the else if is because when the user logs out they are just taken back to the main page (the one above). They will have not clicked submit so the session is destroyed.
    But session_destroy will also get called when they go to the page and have not yet logged in. To logout I normally just create a separate file for it and put the session destroy in it and redirect back to the login page.
    Spookster
    CodingForums Supreme Overlord
    All Hail Spookster
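
A separate logout routine of the kind described in this post, combined with an idle check done in the application, as an added example that is not code from the thread. PHP's session garbage collection (`session.gc_maxlifetime`) runs probabilistically, so the check below does not depend on it; `IDLE_LIMIT`, the `last_seen` key and the function names are assumptions.

```php
<?php
// Added example: not code from the thread. IDLE_LIMIT and 'last_seen' are assumptions.
const IDLE_LIMIT = 1800;  // seconds of inactivity before a login is treated as expired

// Pure check so it can be exercised without a web request.
function is_idle_expired(array $session, int $now): bool
{
    return isset($session['last_seen']) && ($now - $session['last_seen']) > IDLE_LIMIT;
}

// Full logout: empty the data, expire the cookie, delete the server-side session.
function destroy_current_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call at the top of every protected page (e.g. admin.php), before any output.
function require_fresh_session(string $loginUrl): void
{
    session_start();
    if (!isset($_SESSION['username']) || is_idle_expired($_SESSION, time())) {
        destroy_current_session();
        header('Location: ' . $loginUrl);
        exit;
    }
    $_SESSION['last_seen'] = time();
}

// logout.php would then be just:
//   session_start(); destroy_current_session();
//   header('Location: ' . $loginUrl); exit;

// Constructed check of the timeout logic (no session needed).
var_dump(is_idle_expired(['last_seen' => 1000], 1000 + IDLE_LIMIT));      // at the limit
var_dump(is_idle_expired(['last_seen' => 1000], 1000 + IDLE_LIMIT + 1));  // past it
```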

  • #9
    New Coder
    Join Date
    Nov 2002
    Posts
    47
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Ok, I know I'm bringing up my old topic, but I am having some new problems and I figured I would just continue this one instead of creating a new thread.

    But before I explain my new problem I would like to ask a question about Spookster's previous reply:
    Quote Originally Posted by Spookster
    But session_destroy will also get called when they go to the page and have not yet logged in.
    So will that cause a problem? The user never logged in; the session was never created. That is what I assumed. The session_destroy will only apply after the session was created. Otherwise it won't do anything. Am I wrong?

  • #10
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,073
    Thanks
    11
    Thanked 98 Times in 96 Posts
    The session_destroy will only apply after the session was created. Otherwise it won't do anything. Am I wrong?
    Depends, sessions are often used for many things other than authorisation, & you may end up killing other session variables your script requires. OK, you may not be using others... but anyway, unset($_SESSION['auth_var']); would normally suffice.

    For example, I sometimes keep a count of how many attempts a user has made to log in in a session var; if that count gets too high I set another session var restricting login attempts for $x seconds to try and annoy brute forcers etc.

    In general I don't destroy a whole session unless I really need to, and in the code above it is not required as the session does not even exist anyway (at that point in the script), so it's redundant code.
    Last edited by firepages; 04-21-2004 at 01:42 AM.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)
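
The attempt counter and the `unset($_SESSION['auth_var'])` logout described in this post, sketched as an added example (not code from the thread); the keys `login_attempts` and `locked_until`, the limit of 5 and the 60-second lockout are assumptions. The counter lives in the visitor's own session, so a client that does not send its session cookie back starts again from zero; a server-side count per account or address is needed where that matters.

```php
<?php
// Added example: session-held login throttle. Key names and limits are assumptions.
const MAX_ATTEMPTS = 5;    // failures allowed before a lockout
const LOCK_SECONDS = 60;   // the "$x seconds" from the post

// Returns seconds left on the lockout, or 0 if a login attempt may proceed.
function lockout_remaining(array $session, int $now): int
{
    return max(0, ($session['locked_until'] ?? 0) - $now);
}

// Record a failed login; start a lockout once the limit is reached.
function record_failure(array &$session, int $now): void
{
    $session['login_attempts'] = ($session['login_attempts'] ?? 0) + 1;
    if ($session['login_attempts'] >= MAX_ATTEMPTS) {
        $session['locked_until'] = $now + LOCK_SECONDS;
        $session['login_attempts'] = 0;
    }
}

// Record a success: set the auth variable and clear the throttle state.
function record_success(array &$session, string $username): void
{
    $session['auth_var'] = $username;
    unset($session['login_attempts'], $session['locked_until']);
}

// Log out by removing only the auth variable, leaving other session data alone.
function log_out(array &$session): void
{
    unset($session['auth_var']);
}

// Constructed walk-through on a plain array standing in for $_SESSION.
$session = ['cart' => [42]];
$t = 1000;
for ($i = 0; $i < 5; $i++) {
    record_failure($session, $t + $i);
}
var_dump(lockout_remaining($session, $t + 5));   // still inside the lockout
var_dump(lockout_remaining($session, $t + 70));  // lockout has expired
record_success($session, 'demo');
log_out($session);
var_dump(array_keys($session));                  // unrelated session data survives
```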

  • #11
    New Coder
    Join Date
    Nov 2002
    Posts
    47
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Ok thanks, now back to my other problem...
    Sometimes the session isn't created on the first login attempt. After I am redirected (and the session isn't echoed), I have to click logout (which takes me back to the main page, the code above, and since submit hasn't been hit) and I have to re-enter the login info. Then the session seems to be created since it is correctly echoed on the page that I am redirected to. Is there anything in the code that would cause this?

  • #12
    New Coder
    Join Date
    Apr 2004
    Location
    Texas
    Posts
    60
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I'm not sure exactly what you were saying on that last post, but you can check to see if a session was created like this....
    In the browser address bar, type the following and hit enter.

    Javascript:alert(document.cookie)

    If you get a popup with PHPSESSID=somelongnumber then a session has been created.
    Jason B

  • #13
    New Coder
    Join Date
    Nov 2002
    Posts
    47
    Thanks
    0
    Thanked 0 Times in 0 Posts
    see below post
    Last edited by nick_a; 04-27-2004 at 10:30 PM.

  • #14
    New Coder
    Join Date
    Nov 2002
    Posts
    47
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Ok I will try to explain better.

    Here are the steps which I use to have the users log in:
    1) The users enter their username and password in the login form.
    2) The username and password are turned into variables which are then checked with the database to see if the user validates.
    3) If the user is valid then the username variable is assigned to the session "username".
    4) Then I redirect to the main admin page.

    On the main page I have the session "username" echoed and I use the session "username" value to access that user's info in the database.

    The problem is that on the first login attempt the session "username" doesn't seem to have a value. A session cookie is created but I assume that it is just from the session_start() function and it doesn't contain the value for the session "username".

    But... If I click the logout link and then re-enter the user info and login the session "username" has the correct value. The username is echoed and all of the user's info is properly extracted from the database.

    Here is my code for the main login page:
    PHP Code:
    <?php
    session_start();
    header("Cache-control: private");
    // check if the form has been submitted
    if (isset($_POST["submit"])) {
        $username = $_POST["username"];
        $password = $_POST["password"];
        $connection = mysql_connect("xxxx", "xxxx", "xxxx") or die("Can't connect to the host" . mysql_error());
        $dbconnection = mysql_select_db("xxxx", $connection) or die("Can't connect to the database" . mysql_error());
        $query = "SELECT * from crew WHERE username = '$username' AND password = '$password'";
        $result = mysql_query($query) or die("Database Error");

        // if the username and password are valid
        if (mysql_num_rows($result) > 0)
        //if ($row[0]==$password)
        {
            $_SESSION["username"] = $username;
            header("Location: http://shootthemessenger.org/admin/admin.php");
        }
        // else if the username and password are not valid
        else {
            include("loginerror.php");
        }
    }
    // else if submit doesn't exist, display the form
    else {
        include("loginform.php");
    }
    ?>
    To get the obvious out of the way:
    On the admin.php page that I redirected to I made sure that I started the session.
    On the logout page I destroy the session and have a link back to the login page.

    You can see this problem for yourself if you click here and login with
    username: demo
    password: test

    Does anyone know what could be causing this problem?
    Thanks in advance for any help. Your time is much appreciated.
    -Nick
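
The login handlers in posts #1 and #14 interpolate `$_POST` values into the SQL string and compare the password inside the query. A variant using bound parameters, hashed passwords and a fresh session ID at login, as an added example that is not the poster's code: the `password_hash` column, the function names and the in-memory SQLite demo data are assumptions, and it needs PHP with the PDO SQLite driver.

```php
<?php
// Added example: not the poster's code. Column `password_hash` is an assumption.

// Returns true only if the user exists and the password matches its stored hash.
function check_login(PDO $pdo, string $username, string $password): bool
{
    // Placeholders keep the submitted values out of the SQL text.
    $stmt = $pdo->prepare('SELECT password_hash FROM crew WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no row matches
    return is_string($hash) && password_verify($password, $hash);
}

// What the login page would do after a successful check_login().
function start_authenticated_session(string $username, string $target): void
{
    session_start();
    session_regenerate_id(true);   // new session ID at the privilege change
    $_SESSION['username'] = $username;
    session_write_close();         // flush session data before redirecting
    header('Location: ' . $target);
    exit;                          // stop the script after the redirect header
}

// Constructed demo data in an in-memory SQLite database (CLI only).
if (PHP_SAPI === 'cli') {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE crew (username TEXT PRIMARY KEY, password_hash TEXT)');
    $pdo->prepare('INSERT INTO crew VALUES (?, ?)')
        ->execute(['demo', password_hash('test', PASSWORD_DEFAULT)]);

    var_dump(check_login($pdo, 'demo', 'test'));    // valid pair
    var_dump(check_login($pdo, 'demo', 'wrong'));   // bad password
    var_dump(check_login($pdo, "o'neil", 'x'));     // quote is bound as data, no SQL error
}
```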

