
sessions not working for some users


bschultz


I can't reproduce the problem...but I've been told by several people that they are having a problem logging in to a members only section.

 

The login page asks for a username and a password. 

 

Here's the code for the execution of that login:

 

<?php
//Start session
session_start();

//Include database connection details
require_once('config.php');

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;

//Connect to mysql server
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
	die('Failed to connect to server: ' . mysql_error());
}

//Select database
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
	die("Unable to select database");
}

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
	$str = @trim($str);
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	return mysql_real_escape_string($str);
}

//Sanitize the POST values
$login = clean($_POST['login']);
$password = clean($_POST['password']);

//Input Validations
if($login == '') {
	$errmsg_arr[] = 'Login ID missing';
	$errflag = true;
}
if($password == '') {
	$errmsg_arr[] = 'Password missing';
	$errflag = true;
}

//If there are input validations, redirect back to the login form
if($errflag) {
	$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
	session_write_close();
	header("location: login-form.php");
	exit();
}

//Create query
$qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($password)."'";
$result=mysql_query($qry);

//Check whether the query was successful or not
if($result) {
	if(mysql_num_rows($result) == 1) {
		//Login Successful
		session_regenerate_id();
		$member = mysql_fetch_assoc($result);
		$_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
		$_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
		$_SESSION['SESS_LAST_NAME'] = $member['lastname'];
		$_SESSION['SESS_ADDRESS'] = $member['address'];
		$_SESSION['SESS_CITY'] = $member['city'];
		$_SESSION['SESS_STATE'] = $member['state'];
		$_SESSION['SESS_LOGIN'] = $member['login'];
		$_SESSION['SESS_CAPTAIN'] = $member['captain'];
		$_SESSION['SESS_TEAM'] = $member['team_name'];
		$_SESSION['SESS_MANUAL_TEAM'] = $member['manual_team'];

		session_write_close();
		header("location: member-index.php");
		exit();
	}else {
		//Login failed
		header("location: login-failed.php");
		exit();
	}
}else {
	die("Query failed");
}
?>

 

Here's the code for the "members only" section:

 

<?php
session_start();

require_once('auth.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Member Index</title>
<link href="loginmodule.css" rel="stylesheet" type="text/css" />
</head>
<body>
<h1>Welcome <?php echo $_SESSION['SESS_FIRST_NAME'];?></h1>
<a href="logout.php">Logout</a>
<p>
  <?php
include "links.php";
?>
  <br />
  <br />
  Thank you for participating in the Go100 For Health walks for 2009.  Below, you will see how many miles your team has walked.   <br />

blah blah blah

 

Here's auth.php

 

<?php
//Start session
session_start();

//Check whether the session variable SESS_MEMBER_ID is present or not
if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID']) == '')) {
	header("location: access-denied.php");
	exit();
}
?>

 

 

Like I said, I can't recreate the problem, so I'm a bit at a loss as to what might be causing this.  The people that are having a problem logging in are able to login once in a while...just not every time they try.

 

Anything look out of place or wrong to anyone?

 

Thanks!

https://forums.phpfreaks.com/topic/160925-sessions-not-working-for-some-users/

If you could narrow it down by telling us what does happen when it does not work, it would help. Does it redirect to a page and if so, which page? Are there any php error messages or any of the error messages that your code outputs? Just a blank page?

they get redirected from the line in auth.php

 

header("location: access-denied.php");

 

 

upon turning on error reporting...

 

Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent in /login-exec.php on line 73

 

 

This section obviously is the problem in login-exec.php

 

//Check whether the query was successful or not
if($result) {
	if(mysql_num_rows($result) == 1) {
		//Login Successful
		session_regenerate_id();
		$member = mysql_fetch_assoc($result);
		$_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
		$_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
		$_SESSION['SESS_LAST_NAME'] = $member['lastname'];
		$_SESSION['SESS_ADDRESS'] = $member['address'];
		$_SESSION['SESS_CITY'] = $member['city'];
		$_SESSION['SESS_STATE'] = $member['state'];
		$_SESSION['SESS_LOGIN'] = $member['login'];
		$_SESSION['SESS_CAPTAIN'] = $member['captain'];
		$_SESSION['SESS_TEAM'] = $member['team_name'];
		$_SESSION['SESS_MANUAL_TEAM'] = $member['manual_team'];

		session_write_close();
		header("location: member-index.php");
		exit();
	}else {
		//Login failed
		header("location: login-failed.php");
		exit();
	}
}else {
	die("Query failed");
}
?>

 

 

Doesn't that then mean that

 

session_write_close();

 

isn't happening?

[Edit: per your last post, nothing is obvious in programming, you must find out exactly at what point the values are as expected and at what point they are not.]

 

About the only thing apparent is if they reach your site using a URL that contains www. and they reach the members only page using a URL that drops the www. (or vice versa) and your session cookie parameters are not set up to match both www.yourdomain.com and yourdomain.com (without the www.).

 

Start by checking what session.cookie_domain is. If it is not set, try setting it to .yourdomain.com (with the leading dot.)

 

Ref: http://us.php.net/manual/en/session.configuration.php#ini.session.cookie-domain

 

You should also note that browsers that strictly follow HTTP 1.1 expect a fully qualified URI in a header() redirect -

Note: HTTP/1.1 requires an absolute URI as argument to Location: including the scheme, hostname and absolute path, but some clients accept relative URIs. You can usually use $_SERVER['HTTP_HOST'], $_SERVER['PHP_SELF'] and dirname() to make an absolute URI from a relative one yourself:

<?php
/* Redirect to a different page in the current directory that was requested */
$host  = $_SERVER['HTTP_HOST'];
$uri   = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
$extra = 'mypage.php';
header("Location: http://$host$uri/$extra");
exit;
?>

 

The directory that these scripts are in is a shared directory for four of our company domains...

 

so...

domain1.com/shared

domain2.com/shared

domain3.com/shared

domain4.com/shared

 

...all point to /public_html/shared

 

How can I set the session.cookie_domain in this case?

Cookies are domain specific. You would need to check the request URI that was used to request the page and use that value to set the session.cookie_domain. The session.cookie_domain would need to be set before each session_start() statement.

 

If there is any chance that you have links or redirects on your pages or if your visitors have short-cuts or favorites that switch domains, that could also cause the problem. Your visitors might be logging in under one domain and switching to a different domain, whereas your testing to reproduce the symptom does not switch between domains.
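The two replies above describe the rule but not the code: the cookie domain has to be derived from the host the browser actually used, and it has to be set before session_start() on every page. Here is an added example of doing that, not code from any post in this thread. The four domain names are the ones the original poster listed; the allow-list SHARED_HOSTS and the functions requestHost(), cookieDomainFor() and startSharedSession() are my own. The allow-list matters because the same Host header later ends up inside the absolute Location: URLs, and a value the browser controls should not be able to pick either the cookie domain or the redirect target.

```php
<?php
// Added example for this thread, not code from any of the posts above.
// The four domain names are the ones the original poster listed; the
// function names and the allow-list are my own.

// Hosts that legitimately serve /public_html/shared. Anything else is
// refused, so a forged Host header can neither pick the cookie domain
// nor become the target of the absolute redirects built later.
const SHARED_HOSTS = array(
    'kkbj.com',   'www.kkbj.com',
    'kkbjam.com', 'www.kkbjam.com',
    'wmisfm.com', 'www.wmisfm.com',
    'wbji.com',   'www.wbji.com',
);

// Lower-cased request host with any :port removed, or null if it is not
// on the allow-list. strpos() returns false (not -1) when there is no
// colon, so the comparison has to be === / !== false.
function requestHost(array $server)
{
    if (!isset($server['HTTP_HOST'])) {
        return null;
    }
    $host  = strtolower($server['HTTP_HOST']);
    $colon = strpos($host, ':');
    if ($colon !== false) {
        $host = substr($host, 0, $colon);
    }
    return in_array($host, SHARED_HOSTS, true) ? $host : null;
}

// Cookie domain for a host: strip a leading "www." so one cookie covers
// both www.kkbj.com and kkbj.com (RFC 6265 browsers treat "kkbj.com" as
// including its subdomains; the ".kkbj.com" form suggested above also
// works). A host without a dot, such as localhost, gets no explicit
// domain and the browser defaults to the exact host.
function cookieDomainFor($host)
{
    $domain = preg_replace('/^www\./', '', $host);
    return strpos($domain, '.') !== false ? $domain : '';
}

// Configure the session cookie for the requesting domain and start the
// session. Call this first in every script that uses the session
// (login-exec.php, auth.php, ...), before any output. Returns the
// validated host so redirects can be built from it.
function startSharedSession(array $server)
{
    $host = requestHost($server);
    if ($host === null) {
        http_response_code(400);
        exit('Unknown host');
    }
    $https  = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $params = session_get_cookie_params();
    // Must run before session_start(); it has no effect afterwards.
    session_set_cookie_params(
        $params['lifetime'],
        $params['path'],
        cookieDomainFor($host),
        $https,   // Secure: only sent over TLS when the login itself was TLS
        true      // HttpOnly: keeps PHPSESSID out of reach of page scripts
    );
    session_start();
    return $host;
}
```

Replace the session_start() at the top of login-exec.php, member-index.php and auth.php with `$host = startSharedSession($_SERVER);`. Note what this does not do: a session established on kkbj.com is still invisible on kkbjam.com, because a cookie is never sent to an unrelated domain. A member who logs in on one of the four sites and then follows a bookmark to another will have to log in again, which is the domain-switching scenario the reply above describes.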

all links are relative paths...so that SHOULDN'T be the problem (won't say anything for certain though!)...

 

I've tried this for the session domain path:

<?php
if (strpos(getenv('SERVER_name'), 'kkbj.com')!==false) {
ini_set(session.cookie_domain, kkbj.com)
} elseif (strpos(getenv('SERVER_name'), 'kkbjam.com')!==false) {
ini_set(session.cookie_domain, kkbjam.com)
} elseif (strpos(getenv('SERVER_name'), 'wmisfm.com')!==false) {
ini_set(session.cookie_domain, wmisfm.com)
}elseif (strpos(getenv('SERVER_name'), 'wbji.com')!==false) {
ini_set(session.cookie_domain, wbji.com)
};

echo ini_set(session.cookie_domain);

?> 

 

and I get this error

 

Parse error: syntax error, unexpected '}' in /iniget.php on line 4

ok...found this online..

 

if (isset($_SERVER['HTTP_HOST'])) {
    // strpos() returns false (not -1) when there is no port, so test with !==
    $colon = strpos($_SERVER['HTTP_HOST'], ':');
    if ($colon !== false) {
        $domain = substr($_SERVER['HTTP_HOST'], 0, $colon);
    }
    else{
        $domain = $_SERVER['HTTP_HOST'];
    }
    // escape the dot so only a literal "www." prefix is removed
    $domain = preg_replace('`^www\.`', '', $domain);
  // Per RFC 2109, cookie domains must contain at least one dot. For hosts
  // such as 'localhost', we don't set a cookie domain.
  if (count(explode('.', $domain)) > 1) {
      ini_set('session.cookie_domain', $domain);
  }
}

 

That's now before every session_start()...

 

and I still get the error

 

Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent in /sandbox/login-exec.php on line 94

Edit: Cannot help with the last error unless we see all the code in that file.

 

I see you edited a post above (Reply #2) with the following -

Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent in /login-exec.php on line 73

 

That is relevant to the problem at hand. What exact line of the posted code is line 73? And depending on that, it almost sounds like your pages are being requested twice by the browser (which could be related to the URL rewriting/redirecting of the four domains to one.)

 

For your last post (Reply #7), ini_set() expects two strings. The session.cookie_domain and all the strings you are setting it to must be enclosed in quotes (single-quotes would work.)

 

You probably want to use ini_get() in the echo statement.

that line is

 

session_regenerate_id();

 

complete code

 

<?php
//////////// SET COOKIE DIRECTORY
if (isset($_SERVER['HTTP_HOST'])) {
    // strpos() returns false (not -1) when there is no port, so test with !==
    $colon = strpos($_SERVER['HTTP_HOST'], ':');
    if ($colon !== false) {
        $domain = substr($_SERVER['HTTP_HOST'], 0, $colon);
    }
    else{
        $domain = $_SERVER['HTTP_HOST'];
    }
    // escape the dot so only a literal "www." prefix is removed
    $domain = preg_replace('`^www\.`', '', $domain);
  // Per RFC 2109, cookie domains must contain at least one dot. For hosts
  // such as 'localhost', we don't set a cookie domain.
  if (count(explode('.', $domain)) > 1) {
      ini_set('session.cookie_domain', $domain);
  }
}
//////////// END SET COOKIE DIRECTORY


//Start session
session_start();

//Include database connection details
require_once('config.php');

/////////////ERROR REPORTING . . . COMMENT OUT WHEN GOING LIVE! /////////////////////////////////
echo ini_get('display_errors');
if (!ini_get('display_errors')) {
    ini_set('display_errors', 1);
}
echo ini_get('display_errors');
/////////////  END OF ERROR REPORTING  /////////////////////////////////

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;

//Connect to mysql server
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
	die('Failed to connect to server: ' . mysql_error());
}

//Select database
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
	die("Unable to select database");
}

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
	$str = @trim($str);
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	return mysql_real_escape_string($str);
}

//Sanitize the POST values
$login = clean($_POST['login']);
$password = clean($_POST['password']);

//Input Validations
if($login == '') {
	$errmsg_arr[] = 'Login ID missing';
	$errflag = true;
}
if($password == '') {
	$errmsg_arr[] = 'Password missing';
	$errflag = true;
}

//If there are input validations, redirect back to the login form
if($errflag) {
	$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
	session_write_close();

$host  = $_SERVER['HTTP_HOST'];
$uri   = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
$extra1 = 'login-form.php';
header("Location: http://$host$uri/$extra1");
exit;
}

//Create query
$qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($password)."'";
$result=mysql_query($qry);

//Check whether the query was successful or not
if($result) {
	if(mysql_num_rows($result) == 1) {
		//Login Successful
		session_regenerate_id();
		$member = mysql_fetch_assoc($result);
		$_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
		$_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
		$_SESSION['SESS_LAST_NAME'] = $member['lastname'];
		$_SESSION['SESS_ADDRESS'] = $member['address'];
		$_SESSION['SESS_CITY'] = $member['city'];
		$_SESSION['SESS_STATE'] = $member['state'];
		$_SESSION['SESS_LOGIN'] = $member['login'];
		$_SESSION['SESS_CAPTAIN'] = $member['captain'];
		$_SESSION['SESS_TEAM'] = $member['team_name'];
		$_SESSION['SESS_MANUAL_TEAM'] = $member['manual_team'];

		session_write_close();


$extra2 = 'member-index.php';
header("Location: http://$host$uri/$extra2");
exit;

	}else {
		//Login failed

$extra3 = 'login-failed.php';
header("Location: http://$host$uri/$extra3");
exit;
	}
}else {
	die("Query failed");
}
?>

I've added ob_clean and ob_start before all session_start's...and it appears to be working.  I'll be back if I hear that it's not working yet.

 

Thanks for the help, PFMaBiSmAd!

 

<?php
ob_clean();
ob_start();
//////////// SET COOKIE DIRECTORY
if (isset($_SERVER['HTTP_HOST'])) {
    // strpos() returns false (not -1) when there is no port, so test with !==
    $colon = strpos($_SERVER['HTTP_HOST'], ':');
    if ($colon !== false) {
        $domain = substr($_SERVER['HTTP_HOST'], 0, $colon);
    }
    else{
        $domain = $_SERVER['HTTP_HOST'];
    }
    // escape the dot so only a literal "www." prefix is removed
    $domain = preg_replace('`^www\.`', '', $domain);
  // Per RFC 2109, cookie domains must contain at least one dot. For hosts
  // such as 'localhost', we don't set a cookie domain.
  if (count(explode('.', $domain)) > 1) {
      ini_set('session.cookie_domain', $domain);
  }
}
//////////// END SET COOKIE DIRECTORY
//Start session
session_start();

//Include database connection details
require_once('config.php');

/////////////ERROR REPORTING . . . COMMENT OUT WHEN GOING LIVE! /////////////////////////////////
//echo ini_get('display_errors');
//if (!ini_get('display_errors')) {
//    ini_set('display_errors', 1);
//}
//echo ini_get('display_errors');
/////////////  END OF ERROR REPORTING  /////////////////////////////////

     //Domain Info used to header redirects
     $host  = $_SERVER['HTTP_HOST'];
     $uri   = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;

//Connect to mysql server
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
	die('Failed to connect to server: ' . mysql_error());
}

//Select database
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
	die("Unable to select database");
}

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
	$str = @trim($str);
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	return mysql_real_escape_string($str);
}

//Sanitize the POST values
$login = clean($_POST['login']);
$password = clean($_POST['password']);

//Input Validations
if($login == '') {
	$errmsg_arr[] = 'Login ID missing';
	$errflag = true;
}
if($password == '') {
	$errmsg_arr[] = 'Password missing';
	$errflag = true;
}

//If there are input validations, redirect back to the login form
if($errflag) {
	$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
	session_write_close();


$extra1 = 'login-form.php';
header("Location: http://$host$uri/$extra1");
exit;
}

//Create query
$qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($password)."'";
$result=mysql_query($qry);

//Check whether the query was successful or not
if($result) {
	if(mysql_num_rows($result) == 1) {
		//Login Successful
		session_regenerate_id();
		$member = mysql_fetch_assoc($result);
		$_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
		$_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
		$_SESSION['SESS_LAST_NAME'] = $member['lastname'];
		$_SESSION['SESS_ADDRESS'] = $member['address'];
		$_SESSION['SESS_CITY'] = $member['city'];
		$_SESSION['SESS_STATE'] = $member['state'];
		$_SESSION['SESS_LOGIN'] = $member['login'];
		$_SESSION['SESS_CAPTAIN'] = $member['captain'];
		$_SESSION['SESS_TEAM'] = $member['team_name'];
		$_SESSION['SESS_MANUAL_TEAM'] = $member['manual_team'];

		session_write_close();


$extra2 = 'member-index.php';
header("Location: http://$host$uri/$extra2");
exit;

	}else {
		//Login failed

$extra3 = 'login-failed.php';
header("Location: http://$host$uri/$extra3");
exit;
	}
}else {
	die("Query failed");
}
?>
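The warning quoted twice in this thread ("Cannot regenerate session id - headers already sent") means some output reached the browser before session_regenerate_id() tried to send its Set-Cookie header. In the full login-exec.php posted above, the two `echo ini_get('display_errors');` lines in the ERROR REPORTING block are output of exactly that kind, which is why the warning points at the session_regenerate_id() line further down. ob_start() makes the warning disappear because the output is held in a buffer until the script ends, but whatever produced it is still written into the response. The following added example, not code from the thread, shows the diagnostic a practitioner wants instead: headers_sent() reports the file and line where output began, so the cause (an echo, a UTF-8 BOM, whitespace before `<?php`) can be removed rather than buffered. It also carries the HTTP/1.1 absolute-URI redirect recipe quoted earlier. The functions redirectTo() and establishMemberSession() are my own names, and the code assumes $host has already been checked against an allow-list of the site's own domains rather than taken raw from the Host header.

```php
<?php
// Added example for this thread, not code from the posts above. It assumes
// $host has already been checked against an allow-list of the site's own
// domains; the function names are my own.

// Build the absolute Location URL the HTTP/1.1 note quoted above asks for
// and redirect. If output has already started, headers_sent() tells us the
// file and line where it began, which is the information needed to remove
// the stray output (an echo, a BOM, whitespace before <?php) instead of
// hiding it behind ob_start().
function redirectTo($host, $target, array $server)
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $dir    = rtrim(dirname($server['PHP_SELF']), '/\\');
    $url    = $scheme . '://' . $host . $dir . '/' . $target;

    if (headers_sent($file, $line)) {
        error_log("cannot redirect to $url: output started in $file on line $line");
        // Leave the user a link rather than a blank page.
        echo '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Continue</a>';
        exit;
    }
    header('Location: ' . $url, true, 303);
    exit;
}

// Post-login handling for a verified member row. session_regenerate_id()
// delivers the new id in a Set-Cookie header, so it fails under exactly the
// "headers already sent" condition from the warning in this thread; the
// check makes that failure visible instead of silently keeping the id the
// visitor had before logging in. Regenerating on login is what stops a
// pre-login id from being promoted (session fixation); passing true also
// deletes the old session file so the old id is dead immediately.
function establishMemberSession(array $member)
{
    if (headers_sent($file, $line)) {
        error_log("cannot regenerate session id: output started in $file on line $line");
        return false;
    }
    session_regenerate_id(true);
    $_SESSION = array(
        'SESS_MEMBER_ID'  => (int) $member['member_id'],
        'SESS_FIRST_NAME' => $member['firstname'],
        'SESS_LOGIN'      => $member['login'],
        // add the remaining SESS_* fields the member pages actually read
    );
    session_write_close();
    return true;
}

// In login-exec.php, after the member row has been fetched from the query:
//   if (establishMemberSession($member)) {
//       redirectTo($host, 'member-index.php', $_SERVER);
//   }
//   die('login could not be completed; see the error log');
```

With this in place the error log names the offending file and line the first time a redirect fails, instead of members intermittently landing on access-denied.php with nothing to go on. The ob_clean()/ob_start() pair in the final version above can then be dropped once the stray output is gone; the final version has already commented out the two echo statements, which is the part of that change that actually removed the cause.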

Archived

This topic is now archived and is closed to further replies.
