PHP Session hell...

bigandy · Oct 24, 2006

The website I'm currently working on has a kind of "user status" widget at the top of the screen. It says, among other things, "You're not logged in" or "Welcome [username]" depending on if you are logged in or not.

Previous to this site I did another that worked in exactly the same way - user logged in, their username was stored in a php_session variable, and the message was determined depending on if the username value was empty or not. It's also worthy to note that the whole site header is called externally from a header.php file.

Thing is, on the previous site it worked fine. But on this new site, the main pages seem to see the session variable information fine, but the header file cannot.

Is there any reason for that? The only difference between the new and old sites is that one had all the pages in one folder, and this new one has a structure (mainly because it's sooo complicated).

seanf · Oct 24, 2006

Can you post the relevant code and the session configuration details (see phpinfo()) from the new site?

Sean

c-Row · Oct 24, 2006

bigandy said:
Is there any reason for that? The only difference between the new and old sites is that one had all the pages in one folder, and this new one has a structure (mainly because it's sooo complicated).

I know cookies are very picky about which directory they were created from, but session variables should work everywhere.

I agree with seanf - some source code would be helpful.

Knox · Oct 24, 2006

When using session variables, the first thing to check is whether you are using $_SESSION to access the variable and if not, is register_globals on (phpinfo() will tell you) and are you trying to access the session variable within a function?

gwilli · Oct 24, 2006

How are you starting your sessions and assigning your session variables? If you're starting your session after your header file is included using session_start() your header file won't read the session data. If it's before the include statement you can access and assign your session data using $_SESSION['user']['wateva'] = 'Hello'; it might be worth running print_r($_SESSION); in your header file and in your main file and have a look at what the session ID's are... from your main file.

e.g

/includes/header.php

PHP:

print_r($_SESSION);

main.php

PHP:

include './inclides/header.php';
print_r($_SESSION);

if their the same then there shouldn't be anything wrong.... if their not then one of your files are opening and using new sessions.
Your code should look something like this.

main.php

PHP:

session_start();
$_SESSION['user']['id'] = '2';
include './inclides/header.php';

/includes/header.php

PHP:

echo $_SESSION['user']['id'];

Hope that helps.

Gav

bigandy · Oct 30, 2006

Ok, first sorry for the time to reply! Second, this is going to be quite a post!

seanf said:
Can you post the relevant code and the session configuration details (see phpinfo()) from the new site?

I'm leaving this up for a short while (my phpinfo). I have a dedicated server, and this seems to be the same for all the virtual servers running on it. (it's cPanel/WHM on FC4)

Here's the code from the header:

Code:

<?php  if ($_SESSION['MM_Username'] != "") { ?>
welcome, <?php echo $_SESSION['MM_Username']; ?> | <a href="/manage/login/logout.php">logout</a>
<?php } else { ?>
You're not logged in. | <a href="/manage/login/index.php">login</a> <hr noshade="noshade" size="1">No account? <a href="/manage/login/signup.php">Signup!</a><?php } ?>

And here's the code from the login page. It's just standard Dreamweaver 8 login function fayre:

Code:

<?php require_once('/Connections/dbc2.php'); ?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['uid'])) {
  $loginUsername=$_POST['uid'];
  $password=$_POST['pwd'];
  $password = md5($password);
  $MM_fldUserAuthorization = "position";
  $MM_redirectLoginSuccess = "/members/index.php";
  $MM_redirectLoginFailed = "loginfailure.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_2pz, $2pz);
  	
  $LoginRS__query=sprintf("SELECT username, password, position FROM users WHERE username='%s' AND password='%s'",
  get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 
   
  $LoginRS = mysql_query($LoginRS__query, $2pz) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    
    $loginStrGroup  = mysql_result($LoginRS,0,'position');
    
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;	      

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

And this is from my members page, and it does work...

Code:

<?php print_r($_SESSION); ?>

- it outputs this for me, for example:
Array ( [MM_Username] => andy [MM_UserGroup] => 0 )

Knox said:
When using session variables, the first thing to check is whether you are using $_SESSION to access the variable and if not, is register_globals on (phpinfo() will tell you) and are you trying to access the session variable within a function?

I don't think I am. I'm not that advanced with PHP to know - hence using the Dreamweaver option

Register_globals is off. I was wandering if you were going to say turn it on, but that makes no difference. So it's back off.

gwilli said:
How are you starting your sessions and assigning your session variables? If you're starting your session after your header file is included using session_start() your header file won't read the session data. If it's before the include statement you can access and assign your session data using $_SESSION['user']['wateva'] = 'Hello'; it might be worth running print_r($_SESSION); in your header file and in your main file and have a look at what the session ID's are... from your main file.

As you'll see above, I'm starting sessions using the standard way via Dreamweaver. And the same way I've done it before

Hope someone can shed some light on this, I'm really confuzzled!

bigandy · Oct 30, 2006

Just FYI, here's the corresponding code from the previous website:

header.php

Code:

<?php  if ($_SESSION['MM_Username'] != "") { ?>
welcome, <?php echo $_SESSION['MM_Username']; ?> | <a href="/" class="toplink">home</a> | <a href="javascript:toggleLayer('logoutask');" class="toplink">logout</a>
<?php } else { ?>
You're not logged in. <a href="/" class="toplink">home</a> | <a href="javascript:toggleLayer('loginform');" class="toplink">login</a><?php } ?>

login.php

Code:

<?php require_once('Connections/pxl.php'); ?>
<?php
mysql_select_db($database_pxl, $pxl);
$query_login = "SELECT * FROM `user`";
$login = mysql_query($query_login, $pxl) or die(mysql_error());
$row_login = mysql_fetch_assoc($login);
$totalRows_login = mysql_num_rows($login);
?><?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['uid'])) {
  $loginUsername=$_POST['uid'];
  $password=$_POST['pwd'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "manage.php?msg=loggedin";
  $MM_redirectLoginFailed = "login.php?msg=fail";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_pxl, $pxl);
  
  $LoginRS__query=sprintf("SELECT uid, pwd FROM user WHERE uid='%s' AND pwd='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 
   
  $LoginRS = mysql_query($LoginRS__query, $pxl) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";
    
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;	      

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

They really are so similar. The only difference to me seems to be the locations of the files - in this one everything was flat (there were only about 7 files). Because of the complications of the new project everything's been laid out into folders, but this really shouldn't make a difference, should it?

the locations are like this:

/manage/login/index.php <-- login file
/members/index.php <-- home once logged in
/static/php/header.php <-- the header file causing all the trouble

c-Row · Oct 30, 2006

That's probably a shot in the blue, but you could try to put the session_start() function in front of everything else. It usually works everywhere as long as there has been no header sent, but you never know...

I'd also combine these into one chunk of PHP, like this:

Code:

<?php

// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();

 require_once('/Connections/dbc2.php');
...

Might be that there is just one single blank space in between the "?>" and the adjacent "<?php" of your original source code, but that could already count as a header since the browser displays this as a blank space as well.

angelneo · Oct 31, 2006

Just to make sure, are you using IE 7 beta 1? (it's hard to believe, but yes, IE 7 beta 1 causes php session to bug out)

EDIT: Ignore this, since you are saying other files view the session correctly. The only reason I can come up with off the top of my head now is most likely that your session_start() is placed in the incorrect place.

bigandy · Oct 31, 2006

angelneo said:
Just to make sure, are you using IE 7 beta 1? (it's hard to believe, but yes, IE 7 beta 1 causes php session to bug out)

most certainly not. i don't even own a Windies box

Thanks for the replies guys, I'll give it a shot and report back when I'm at my G5 in an hour or two

bigandy · Nov 4, 2006

well it was a little more than an hour, but i tried this:

c-Row said:
That's probably a shot in the blue, but you could try to put the session_start() function in front of everything else. It usually works everywhere as long as there has been no header sent, but you never know...

I'd also combine these into one chunk of PHP, like this:

#code...

Might be that there is just one single blank space in between the "?>" and the adjacent "<?php" of your original source code, but that could already count as a header since the browser displays this as a blank space as well.

nope.

I'm truly stumped. I don't really know what to do in this case. I'm going to go and cry, then I think I might see if including the header files in a different way (for example from a .tpl file or something) and see if that works.

Grr.

exabytes18 · Nov 4, 2006

I had a bunch of problems when I switched my site over to use sessions exclusively. If you access your site from www.somewebsite.com, a session is created. However, if you go to somewebsite.com, the browser doesn't recognize the session previously created.

I'm a newbie at this, so this might just be crazy talk.

nightelf · Nov 4, 2006

Hello, I did not read all your posts

but I think this could be the problem.

You mentioned that in the first site, everything worked fine, and that every page was in the same folder, but in the second site, that is organized by folder the include is not working well?

If you have something like this, the includes should be like:

/manage/login/index.php <-- include('../../static/php/header.php');
/members/index.php <-- include('../static/php/header.php');
/static/php/header.php

You cannot use absolute path when using PHP functions because it will go the the root of the server, not the domain.

Do not turn Globals On because is very unsecure. People could write this at the end of your site and get a registered user access.

http://www.yoursite.com/?MM_Username=nightelf

Basically, with globals on, any type of variable can get "overwrite" by another. In this case im telling the system to replace your $_SESSION['MM_Username'] with my $_GET['MM_Username'];

Hope this work.

nightelf · Nov 4, 2006

exabytes18 said:
I had a bunch of problems when I switched my site over to use sessions exclusively. If you access your site from www.somewebsite.com, a session is created. However, if you go to somewebsite.com, the browser doesn't recognize the session previously created.

I'm a newbie at this, so this might just be crazy talk.

You are right. Sessions are based on the address.

something.com
www.something.com
subdomain.something.com

All of them would have different sessions.

Knox · Nov 5, 2006

nightelf said:
You are right. Sessions are based on the address.

something.com
www.something.com
subdomain.something.com

All of them would have different sessions.

However, if it's a issue you can change it using the session_cookie_domain config option in php.ini or via ini_set. Setting it to .something.com (note the initial dot) would mean the cookie was available to all the sub-domains.

Search

Search

PHP Session hell...

bigandy

macrumors G3

seanf

macrumors 6502

c-Row

macrumors 65816

Knox

Administrator

gwilli

macrumors newbie

bigandy

macrumors G3

bigandy

macrumors G3

c-Row

macrumors 65816

angelneo

macrumors 68000

bigandy

macrumors G3

bigandy

macrumors G3

exabytes18

macrumors 6502

nightelf

macrumors 6502

nightelf

macrumors 6502

Knox

Administrator

Our Staff