Ineffable

The code on the login page: <?php if($_POST['email'] != NULL){ session_start(); require_once("../../includes/DbConnector.php"); $connector = new DbConnector(); $result = $connector->query("SELECT * FROM artists WHERE email='".$_POST['email']."'"); if($resultArray = $connector->fetchArray($result)){ $salt = $resultArray['salt']; $pass = $salt.$_POST['password']; $hashPass = md5($pass); if($hashPass == $resultArray['password']){ if (isset($_SESSION['HTTP_USER_AGENT'])){ if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])){ die("Bad session. Please log in again."); } } else { $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']); } if (!isset($_SESSION['initiated'])){ session_regenerate_id(); $_SESSION['initiated'] = true; } $_SESSION['logged_in'] = TRUE; $_SESSION['accesslevel'] = $resultArray['accesslevel']; $_SESSION['name'] = $resultArray['name']; $_SESSION['artistID'] = $resultArray['ID']; header('Location: optionpanel.php'); } else { die("Password incorrect. Learn to type."); } } else { die("Email ".$_POST['email']." not found"); } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Login</title> </head> <body> <form method="post"> <label>Email:<input type="text" name="email" /></label> <label>Password:<input type="password" name="password" /></label> <input type="submit" value="Beam me up, Scotty" /> </form> </body> </html> DbConnector.php just contains a class that handles my database interaction. It's all in MySQL. The code on the option panel page (page that you get sent to when you log in, this is the backend of a site so it's just ways to edit or upload stuff): <?php ini_set("display_startup_errors", "1"); ini_set("display_errors", "1"); error_reporting(E_ALL); require_once("../../includes/loginFunctions.php"); require_once("../../includes/DbConnector.php"); $login = new login; $login->checkLogin(0); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Options</title> <link rel="stylesheet" href="../css/backend.css"> </head> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-9571231-1"); pageTracker._trackPageview(); } catch(err) {} </script> <body onLoad=”javascript:pageTracker._setVar(‘test_value’);”> <div id="optionpanel"> <?php echo "<p> User ".$_SESSION['name']." is logged in. </p>"; ?> <ul> <?php if($_SESSION['accesslevel'] >= 1){ ?><li><a href="/login/comics/upload.php">Upload a comic</a></li><?php } ?> <?php if($_SESSION['accesslevel'] >= 1){ ?><li><a href="/login/comics/comiclist.php">Edit a comic</a></li><?php } ?> <?php if($_SESSION['accesslevel'] >= 2){ ?><li><a href="/login/blog/newblog.php">Write a new blog</a></li><?php } ?> <?php if($_SESSION['accesslevel'] >= 2){ ?><li><a href="/login/blog/bloglist.php">Edit a blog</a></li><?php } ?> <li><a href="user/uploadimage.php">Upload a profile picture</a></li> <li><a href="user/edituser.php">Edit my profile</a></li> <?php if($_SESSION['accesslevel'] >= 4){ ?><li><a href="/login/user/userlist.php">Edit another profile</a></li><?php } ?> <?php if($_SESSION['accesslevel'] >= 3){ ?><li><a href="/login/mail/mailinglist.php">Send an email to all the artists</a></li><?php } ?> <?php if($_SESSION['accesslevel'] >= 5){ ?><li><a href="/login/magic.php">View server information</a></li><?php } ?> <li><a href="logout.php">Logout</a></li> </ul> </div> <div id="todo"> <pre> <?php if($_SESSION['accesslevel'] >= 1){ include("TODO.txt"); } ?> </pre> </div> </body> </html> EDIT: Just noticed that logging in to optionpanel.php works now on a www. domain after the ini_set('session.cookie_domain', '.domain.co.uk'); ...stupid not to notice that. Wouldn't appear to be reliant on the www. part, since I have a page which works either way. Also, register_globals is currently set to OFF.

Yeah, sorry, forgot I hadn't posted any code. Inside each file that needs authorisation, it loads a loginFunctions.php file which calls session_start() and checks the login. Files which work in /login and i copy and paste into /login/user stop working, even though i update all the relevant paths and links. In the actual pages that are giving me the error, this is the auth. code: require_once("../../../includes/loginFunctions.php"); $login = new login; $login->checkLogin(0); Inside loginFunctions.php is this: class login{ function checkLogin($requiredAccess){ session_start(); if($_SESSION['accesslevel'] < $requiredAccess || $_SESSION['logged_in'] != TRUE){ die("You don't have access to this area. If you should have access, please log in again. <a href='/login/'>Login</a>"); } if (isset($_SESSION['HTTP_USER_AGENT'])){ if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])){ session_destroy(); die("Bad session. Please log in again. <a href='/login/'>Login</a> "); } } else { $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']); } if (!isset($_SESSION['initiated'])){ session_regenerate_id(); $_SESSION['initiated'] = true; } } } The $requiredAccess variable is the access level that you need to access this page, so if you have an accesslevel of 3 in the database you can view level 0, 1, 2 and 3 pages. This is specified when the function is called in the main page and is compared to the access level of the current user which is defined in $_SESSIONS when they log in. I'm getting the error 'You don't have access to this area etc." when i try to access these pages. If i try to print the $_SESSION variables, nothing shows; they appear to be empty. However, if I move the file to the /login/ folder (one level up) and update the links, they work perfectly and all the variables print out (logged in status, name, accesslevel, ID). When I add in the debugging code, nothing prints on the pages that work, but when I get the error message I also get: ...which I'm assuming is it not finding the accesslevel variable in $_SESSIONS.

Aha. Yes, if i change the url on a page that works and add a www. on the front, it throws me out again. However, if I change the front of one of the urls that don't work, it still seems to throw me out. When I log in, there's no www., but none of the links on the main page point to a url with a www. on them (all the links are relative to site root), so I don't think it's changing. I've tried putting in ini_set('session.cookie_domain', '.mysite.co.uk'); but I'm not sure that's the right way of setting the cookie domain to match both versions. It doesn't work, either way. Thanks.

Someone else suggested setting the cookie domain before session_start() in each page, but that didn't work. Didn't think it would, since it was already right. If it helps, my session settings in PHP Info are as follows (local value in /login/ followed by the master value): session.auto_start Off Off session.bug_compat_42 On On session.bug_compat_warn On On session.cache_expire 180 180 session.cache_limiter nocache nocache session.cookie_domain no value no value session.cookie_httponly Off Off session.cookie_lifetime 0 0 session.cookie_path / / session.cookie_secure Off Off session.entropy_file no value no value session.entropy_length 0 0 session.gc_divisor 100 100 session.gc_maxlifetime 14400 14400 session.gc_probability 1 1 session.hash_bits_per_character 4 4 session.hash_function 0 0 session.name PHPSESSID PHPSESSID session.referer_check no value no value session.save_handler files files session.save_path /tmp /tmp session.serialize_handler php php session.use_cookies On On session.use_only_cookies Off Off session.use_trans_sid 0 0

That's a good idea actually, but I've checked and nothing. I'm fairly sure it's nothing to do with my code because the page loads just fine if it's moved up a directory and the links are updated to reflect that. The only thing that changes when it stops working is the file's location. On top of that, I changed nothing since the whole system was working perfectly, and suddenly all the pages in subfolders log me out of the system. The only thing I can think of is that my server provider has changed a setting in my installation.

Okay, thanks for replying. I used Firebug to monitor the cookies and the PHPSESSID cookie shows up when I log in, as expected. The domain is my website's domain and the path is "/", which seems right. When I visit one of the pages I get an 'access denied' from, the cookie shows no change. Interestingly, even though the cookie is not changing, if I then go back and visit the page before where I've just been (in the main /login/ folder which works fine), it now says access denied. So it seems that the server is losing the session information when I visit one of the pages in a subfolder. I'm just getting more confused the more I look into this problem...

I've got a simple login system using PHP sessions, but just recently it seems that if you visit pages not in a certain directory (/login/) you will always be flagged as not logged in, even when you are. It seems that my session data is being lost when I change directories (say, to /login/user/). I don't think I've touched the code myself since the problem appeared, is there something my web host could have done to my PHP installation that would delete the session data, and is there a workaround? Inside each file that needs authorization, i load a loginfunctions.php file which calls session_start() and checks the login. Files which work in /login and i copy and paste into /login/user stop working, even though i update all the relevant paths and links.