Register_globals off problem


meltingpoint

I declare my session variables like so:

$_SESSION['username']  =$user[$u];
$new_output			  =explode(",", $perm[$u]);//change to an array
$_SESSION['perm']	  =$new_output;
$_SESSION['group']	  =$grp[$u];
$_SESSION['assigned']	  =$ass[$u];
$_SESSION['ip-check']	  =$ip;

 

I know the $_SESSION variables are available from page to page as I have tested it.

However, when I set the php.ini file to register_globals off, it is as if the $_SESSION variables disappear.  Can anyone see why that would happen?  Below is the code that checks to see if $_SESSION['username'] is set, as well as the other $_SESSION variables.

if(empty($_SESSION['username']))
	{
	$message = $sign_in;
	include($login_path."/message_page.php");
	session_destroy();
	exit;
	}
//
//
$permission_level	= $_SESSION['perm'];
$perm_ok = array_search($access_level, $permission_level);
if($perm_ok === FALSE)
{
$message = $no_access;
include($login_path."/message_page.php");
exit;
}
//
//--------Check to see if the SESSION IP and the USERS IP still match--------------
//
if($_SESSION['ip-check'] !== $ip)
		{
		$message = $ip_security;
		include($login_path."/message_page.php");
		session_destroy();
		exit;
		}

 

Any advice/help would be appreciated.

 


Oh OK. Is this script receiving any parameters via $_GET or $_POST vars? If so, you need to define them at the start of your script. So say you have a $name param passed via the POST method, you need to put

$name = $_POST['name'];

at the top of your script, and so on for each value to be defined.

Yes- I do pass the $_POST variables from the form and do define them.  I then take those and compare them with the database to make sure the user is allowed by confirming that the passwords and user name match.

Once all that is done- I assign the $_SESSION variables as above.  The second set of code I displayed is run on each successive page to essentially verify that the $_SESSION variables are still set and to check the permission or access level of each page against the user.  So it appears that it is the page and permission validation code that is not working.

Keeping in mind that the code works flawlessly with register_globals on.

Here is my authenticate code.  This takes the input from the form, checks it against the database and then assigns $_SESSION variables.

 

<?php
//----------------------Here we set $errors to an array so that we can later loop through them -------
$errors = array();
//
//------------------------------Variables passed from the form-----------------------------------------
//
$u_name				= sanitize_data($_POST['u_name']);
$u_name				= strtolower($u_name);
$password			= sanitize_data($_POST['password']);
$date				= date("m/d/Y--h:i:s");
$ip					= $_SERVER['REMOTE_ADDR'];
$test6				= sanitize_data($_POST['test6']);
$test7				= sanitize_data($_POST['test7']);
//
//
//----------------------Here we log that someone has attempted to or has used the form--------------
//----------------------this gets logged regardless of the rest of this script----------------------------------
//----------------------this is so we can monitor security to the site- false submissions, bots etc-------
//
$fp = fopen("$tfc_file5",'a');
$content = $u_name."|".$date."|".$ip."\n";
fwrite($fp,$content);
fclose($fp);
//
//
//
//-----CHECK TO MAKE SURE Username or Password is not empty, not longer than 30 characters and does not
//-----contain the "|" character
if (empty($u_name)  OR  (empty($password)))
{
$errors[]  ="<font color=red>-The Username or Password (or both) have been left empty.</font>";
}
if(strlen($u_name) >= 31)
{
$errors[] ="<font color=red>-The Username field is limited to 30 characters.</font>";
}
//------------------------Security:  limit string length of password--------------------------------------
if(strlen($password) >= 31)
{
$errors[]= "<font color=red>-The Password is limited to 30 characters.</font>";
}
//
//-----------------Make sure Security numbers match to prevent spam bots---------------------
if (empty($test6)  OR  (empty($test7)))
{
$errors[]  ="<font color=red>-One  or both of the security numbers have been left empty.</font>";
}
if (strlen($test6) >4)
{
$errors[] ="The security number(s) are greater than 4 and thus the form will not submit";
}
if (strlen($test7) >4)
{
$errors[] ="The security number(s) are greater than 4 and thus the form will not submit";
}
if ($test6 != $test7)
{
$errors[] ="<font color=red>-The security numbers did not match.</font>";
}
//
//------------------------------------Error Headers--------------------------------------------------------------
$error_header 			="<strong>The following errors have occurred:</strong>";
$error_correction		="Please re-submit your entries.  <br>If still no success- NOTIFY THE SITE ADMINISTRATOR.";
//----------------------------------If $errors is not empty- echo out the errors-----------------------
if (!empty($errors))
{
echo $error_header;
echo "<br>";
echo $error_correction;
	foreach($errors as $msg)
   	{
  		 echo "<br>&nbsp;&nbsp;&nbsp;&nbsp;";
  		 echo $msg;
  		 echo "\n";
  		 echo "&nbsp;&nbsp;&nbsp;&nbsp;";
  		}
exit;
}
else
{
//Open file and place each line as an array which is one long continuous array with each line being a key and the string
//being the value
//
$openedfile = file($tfc_file4);
//
//-----------Here we get the size of the file or how many elements there are------------------
$size = sizeof($openedfile);
//
//
//-----------Loop through $openedfile and get key and values
foreach($openedfile as $Key => $Val)
   {
  		$Data[$Key]= explode("|", $Val);
  	}
//
//------Set $K as the key and loop until all are gone through separating each into an array-------------------
     	for($K=0; $K<$size; $K++)
   			{
   				$last[] 		= $Data[$K][0];
   				$first[] 		= $Data[$K][1];
   				$user[] 		= $Data[$K][2];
   				$psw[] 		= $Data[$K][3];
   				$email[]		= $Data[$K][4];
   				$grp[] 		= $Data[$K][5];
   				$ass[]		=$Data[$K][6];
   				$perm[]		= $Data[$K][7];
   				$tos[]		= $Data[$K][8];
   			}
//
//
if(in_array($u_name, $user))
{
$u= array_search($u_name, $user);//Gets the key position of the users username
}
else
{
echo "Sorry- your username was NOT FOUND in the database.";
echo "<br>";
echo "Try logging in again.";
echo "<br>";
echo "If no success- notify the website administrator.";
exit;
}
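//Compare against the password stored on the same line as the username;
//searching the whole password column returns the first user who has that password
if($psw[$u] === $password)
{
$p= $u;//Key position of the users password is the same record as the username
}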
else
{
echo "Sorry- your password was NOT FOUND in the database.";
echo "<br>";
echo "Try logging in again..";
echo "<br>";
echo "If no success- notify the website administrator.";
session_destroy();
exit;
}
//---------------------Now test to see if the Username and Password belong to the same person-----------------
//-----------------------------------------And register the session variables-------------------------------------------------------
if($u !== $p)
{
echo "Sorry- Your username and/or password did not match";
echo "<br>";
echo "Try logging in again- or notify the website Administrator";
session_destroy();
exit;
}
else
{
//----------------Declare the sessionvariables-----------------------------------------------------
$_SESSION['username']			=$user[$u];
$new_output					=explode(",", $perm[$u]);//change to an array
$_SESSION['perm']				=$new_output;
$_SESSION['group']				=$grp[$u];
$_SESSION['assigned']			=$ass[$u];
$_SESSION['ip-check']			=$ip;
}
}
//---------------Now do a switch to re-direct to the groups specific page------------------------------------
//
echo "<center><strong><font color=Blue>Congrats ".$_SESSION['username']." -- You are logged in!</font></strong></center>";
echo "<br>";
echo "<center><strong><a href=\"../landing_page.php\">Click Here</a> To enter the Site.</strong></center>";
?>

It's not listed- but I do have a call to session_start() at the top of the actual page.

However- I have solved my problem.  I simply set the $_SESSION variables to "" at the top along with the form variables.  Then assigned them a value according to the database and user info in the later part of the script.  It now works very well.

 

$_SESSION['username']	=	"";
$_SESSION['perm'] ="";
$_SESSION['group'] ="";
$_SESSION['assigned'] ="";
$_SESSION['ip-check'] ="";

 

Sheepishly- I can't believe I didn't see it earlier.  Cheers all.
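
Added example, not part of the thread: the per-page check from the first post, written so that every value it tests is passed in explicitly and nothing depends on globals that register_globals would have created. The function name check_access(), its status strings and the sample values are assumptions made for this illustration.

```php
<?php
// Added example (not from the thread). check_access() and its status
// strings are hypothetical names chosen for this illustration.
declare(strict_types=1);

/**
 * Decide whether the current request may view a page.
 * Inputs are passed in explicitly, so the result cannot depend on
 * $username, $ip or $access_level appearing in the global scope.
 */
function check_access(array $session, array $server, string $accessLevel): string
{
    // Not signed in: the login script never stored a username.
    if (empty($session['username'])) {
        return 'sign_in';
    }
    // 'perm' must be the array built with explode() at login.
    $perms = $session['perm'] ?? [];
    if (!is_array($perms) || !in_array($accessLevel, $perms, true)) {
        return 'no_access';
    }
    // Compare the address stored at login with the one on this request.
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (!isset($session['ip-check']) || $session['ip-check'] !== $ip) {
        return 'ip_security';
    }
    return 'ok';
}

// Constructed sample data standing in for $_SESSION and $_SERVER.
$session = [
    'username' => 'alice',
    'perm'     => explode(',', 'news,members'),
    'ip-check' => '192.0.2.10',
];
$cases = [
    'allowed page'    => [$session, ['REMOTE_ADDR' => '192.0.2.10'], 'members'],
    'missing level'   => [$session, ['REMOTE_ADDR' => '192.0.2.10'], 'admin'],
    'address changed' => [$session, ['REMOTE_ADDR' => '198.51.100.7'], 'members'],
    'no session'      => [[], ['REMOTE_ADDR' => '192.0.2.10'], 'members'],
];
foreach ($cases as $label => [$s, $srv, $level]) {
    echo str_pad($label, 16), check_access($s, $srv, $level), "\n";
}
```

On a real page the call would be check_access($_SESSION, $_SERVER, $access_level) after session_start(), with $access_level assigned in that page's own code rather than taken from the request.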
