[SOLVED] can't "log in"; $_SESSION not carrying values to pages

[dxdolar]

I wrote a log-in function according to a reference book, with changes just to be appropriate for my site, but I can't seem to access the values of my $_SESSION superglobal array. I can't see what I'm doing wrong. I've been pounding my head over it for hours. I get the concepts but don't see where it's not applying.

 

Here are my 2 pages, the full pages (with a few url for anonymity )

<?php // login.php
// Start output buffering:
ob_start();

// Initialize a session:
session_start();

?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<title><?php echo $page_title; ?></title>
</head>
<body>
<div id="Header"><?php echo $page_title; ?></div>
<div id="Content">

<?php 
require_once ('ncludes/config.inc.php'); 
$page_title = 'Login';

if (isset($_POST['submitted'])) {
require_once ('../dbc.php'); //database connection

if (!empty($_POST['email'])) {
	$e = mysqli_real_escape_string ($dbc, $_POST['email']);
} else {
	$e = FALSE;
	echo '<p class="error">You forgot to enter your email address!</p>';
} 	// Validate the email address:

if (!empty($_POST['pass'])) {
	$p = mysqli_real_escape_string ($dbc, $_POST['pass']);
} else {
	$p = FALSE;
	echo '<p class="error">You forgot to enter your password!</p>';
}	// Validate the password:

if ($e && $p) { // If everything's OK.

	$q = "SELECT id, first_name, user_level FROM users WHERE (email='$e' AND pass=SHA1('$p'))";		
	$r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc)); 	// Query the database:

	if (mysqli_num_rows($r) == 1) { // A match was made.
		$_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC); 	// Set values to the session & redirect:
		mysqli_free_result($r);
		mysqli_close($dbc);

		$url = 'http://www.mysite.com/index.php'; // Define the URL:
		ob_end_clean(); // Delete the buffer.
		header("Location: $url");
		exit(); // Quit the script.

	} else { // No match was made.
		echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>';
	}
} else { // If everything wasn't OK.
	echo '<p class="error">Please try again.</p>';
}
mysqli_close($dbc);
} // End of SUBMIT conditional.
?>
<h1>Login</h1>
<form action="http://longhere.com/login.php" method="post">
<fieldset>
<p><b>Email Address:</b> <input type="text" name="email" size="20" maxlength="40" /></p>
<p><b>Password:</b> <input type="password" name="pass" size="20" maxlength="20" /></p>
<div align="center"><input type="submit" name="submit" value="Login" /></div>
<input type="hidden" name="submitted" value="TRUE" />
</fieldset>
</form>

<div id="Menu"> 
<a href="index.php" title="Home Page">Home</a><br />
<?php //this code shows a menu that's supposed to change links depending on whether or not the user is logged in
if (isset($_SESSION['id'])) {
echo '<a href="logout.php" title="Logout">Logout</a><br />
     <a href="change_password.php" title="Change Your Password">Change Password</a><br />';
} else { //  Not logged in.
echo '<a href="register.php" title="Register for the Site">Register</a><br />
<a href="login.php" title="Login">Login</a><br />
<a href="forgot_password.php" title="Password Retrieval">Retrieve Password</a><br />';
}
?>
</div>
</body>
</html>
<?php // Flush the buffered output.
ob_end_flush();
?>

 

I checked the SQL query, it pulls up the right bits of information. And when I get redirected to my index, it doesn't keep any of that information stored as as a Session. Here's my index page that I'm redirecting to

 

<?php 
// Start output buffering:
ob_start();

// Initialize a session:
session_start();

?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<title><?php echo $page_title; ?></title>
</head>
<body>
<div id="Header"><?php echo $page_title; ?></div>
<div id="Content">

<?php
// Include the configuration file:
require_once ('includes/config.inc.php'); 

// Set the page title 
$page_title = 'Welcome to this Site!';

// Welcome the user (by name if they are logged in):
echo '<h1>Hello';
if (isset($_SESSION['first_name'])) {
echo ", {$_SESSION['first_name']}!";
}
echo '</h1>';
?>
<p>TEST TEST TEST TEST TEST TEST TEST TEST TEST TEST TEST TEST .</p>
<p>TEST TEST TEST TEST TEST TEST TEST TEST TEST TEST TEST TEST .</p>

</div>

<div id="Menu">

<a href="index.php" title="Home Page">Home</a><br />
<?php # Script 16.2 - footer.html
// This page completes the HTML template.

// Display links based upon the login status:
if (isset($_SESSION['id'])) {

echo '<a href="logout.php" title="Logout">Logout</a><br />
	  <a href="change_password.php" title="Change Your Password">Change Password</a><br />
';

} else { //  Not logged in.

echo '<a href="register.php" title="Register for the Site">Register</a><br />
<a href="login.php" title="Login">Login</a><br />
<a href="forgot_password.php" title="Password Retrieval">Retrieve Password</a><br />
';

}
?>
</div>
</body>
</html>
<?php // Flush the buffered output.
ob_end_flush();
?>

 

The only thing I can see is that maybe I'm applying the variables to my $_SESSION wrong? Even though I'm following the example from my book.

 

Also, my browser accepts all cookies, and I tried it in another browser as well, so I know it's not my security settings.

 

Any help would be appreciated! thanks!

 

[deansatch]

Before I read all your code, should the require_once url not be "includes" rather than "ncludes"?

[Rottingham]

You need to use session_name('yoursessionname'); as well or session_start() has no idea what session to start...

 

Use code like this at the top of every page:

 

session_name("login");
session_start();

[deansatch]

you shouldn't have to name the session unless you want to run more than one at a time on the same domain.

 

However, make sure you aren't starting a session on http then on logging in, redirecting to https as this will be a completely different session because it is a different domain.

[dxdolar]

So i guess my $_SESSION values are storing. But for some reason when I redirect to the index page it doesn't display any of my $_SESSION dependent content

 

BUT

 

here's the thing that boggles my mind.

if i go to my retrieve password page (function), and I click the submit button, EVEN if no queries are ran, just by the fact that I hit the submit button on ANOTHER page, the links all update with $_SESSION specific content...

 

:eek:::mad:

 

this is completely beyond me.

 

To the prior posters, I'll see if session_name affects anything, I have to be more clear about that concept before I implement it, and it's all on the same domain. Oh yeah the ncludes is just a typo for the anonymity thing, it's correct on the actual code.

[PFMaBiSmAd]

The following line in the first piece of code unconditionally overwrites any existing $_SESSION variables with whatever is fetched from the database -

$_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC); 	// Set values to the session & redirect:

 

If you have existing session variables from a previous page they won't be set after that line of code is executed. I recommend specifically setting named session variables using a list() statement instead of overwriting all existing session variables.

 

Add the following two lines immediately after your first opening <?php tag on both pages -

 

ini_set ("display_errors", "1");
error_reporting(E_ALL);

[dxdolar]

I didn't get what you said early about HTTP's but now I do!

 

thank you for bringing that to light

 

it works now.