TeddyKiller Posted March 22, 2010

Hi. When a user logs in, it sets two sessions, "uid" and "hash". uid works perfectly fine, and it appears that the "hash" session gets set with the correct results (as I tested with echoes). Here is when the sessions get set.

```php
$query = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$pwd' LIMIT 1") or trigger_error('Query failed: '. mysql_error());
$row = mysql_fetch_array($query);
$_SESSION['uid'] = $row['id'];
$hash = sha1($row['id'] . $_SERVER['REMOTE_ADDR'] . $secret_key);
$_SESSION['hash'] = $hash;
```

Then when I go onto test.php (whilst the sessions are still set)

```php
<?php
session_start();
include("../inc/config.php");
include("functions.php");
$player = check_user();
echo $player->username;
echo $player->password;
echo $player->dob;
echo $player->date;
?>
```

Then here's the checkuser function.

```php
<?php
function check_user() {
    if (!isset($_SESSION['uid']) || !isset($_SESSION['hash'])) {
        header("Location: /index.php");
    } else {
        $check = sha1($_SESSION['uid'] . $_SERVER['REMOTE_ADDR'] . $secret_key);
        if ($check != $_SESSION['hash']) {
            session_unset();
            session_destroy();
            header("Location: /index.php");
        } else {
            $query = mysql_query("SELECT * FROM users WHERE id='".$_SESSION['uid']."'") or trigger_error("Query failed: ".mysql_error());
            $userarray = mysql_fetch_array($query);
            if (mysql_num_rows($query) == 0) {
                session_unset();
                session_destroy();
                header("Location: /index.php");
            }
            foreach ($userarray as $key => $value) {
                $user->$key = $value;
            }
            return $user;
        }
    }
}
?>
```

I have echoed $secret_key outside the function (above it) and it gets displayed correctly. $secret_key is defined in config.php. I also echoed it where the sessions get set, and it also.. echoed correctly. Although.. something goes wrong, it doesn't say if it's the same.

```php
$check = sha1($_SESSION['uid'] . $_SERVER['REMOTE_ADDR'] . $secret_key);
if ($check != $_SESSION['hash']) {
```

There, for some reason it still destroys the sessions, so the session is not matching $check? Can anyone help me? Thanks

Link: https://forums.phpfreaks.com/topic/196144-why-dont-these-sessions-match/

schilly Posted March 22, 2010

When in a function, it has a separate namespace so $secret_key is not defined in that function. Either pass it into the function or put `global $secret_key;` at the top of your function.

TeddyKiller (Author) Posted March 22, 2010

That worked, although I tried passing it through the function, `check_user($secret_key)`, but that didn't work, although it does now. Thanks (At least I learnt about globals now!)

schilly Posted March 22, 2010

Ya, if you changed the function to `function check_user($secret_key){` and your function call to `$player = check_user($secret_key);` it should work that way as well.

KevinM1 Posted March 22, 2010

Don't use 'global.' Pass it as an argument to the function instead.

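The scope problem described in the replies above, as an added example that is not part of the original thread: the check fails when the secret is read from inside the function and succeeds once it is passed as an argument. The function names, the secret, the user id and the address are constructed for illustration.

```php
<?php
// Added example; the secret, user id and addresses are constructed values.
$secret_key = 'constructed-example-secret';

// Login side: same inputs as the thread (user id, client address, secret).
function make_hash($uid, $remote_addr, $secret_key)
{
    return sha1($uid . $remote_addr . $secret_key);
}

// As posted in the thread: $secret_key is not visible inside the function,
// so it evaluates to null (PHP raises an "Undefined variable" notice or
// warning, suppressed here with @) and the digest covers uid + address only.
function check_without_argument(array $session, $remote_addr)
{
    $check = sha1($session['uid'] . $remote_addr . @$secret_key);
    return $check === $session['hash'];
}

// Fixed: the secret is a parameter. hash_equals() (PHP 5.6+) is a strict,
// constant-time string comparison, unlike the loose != used in the thread.
function check_with_argument(array $session, $remote_addr, $secret_key)
{
    if (!isset($session['uid'], $session['hash'])) {
        return false;
    }
    $check = make_hash($session['uid'], $remote_addr, $secret_key);
    return hash_equals($session['hash'], $check);
}

// Constructed session, as the login code would leave it.
$addr = '192.0.2.10';
$session = array('uid' => 42, 'hash' => make_hash(42, $addr, $secret_key));

// Secret missing inside the function: the hashes never match.
var_dump(check_without_argument($session, $addr));
// Secret passed in, same client address: the hashes match.
var_dump(check_with_argument($session, $addr, $secret_key));
// Secret passed in, different client address: the binding rejects it.
var_dump(check_with_argument($session, '192.0.2.99', $secret_key));
```

In the page handler, a false result is the branch where the thread's code destroys the session and redirects; `header("Location: ...")` does not stop the script, so an `exit;` after it keeps the rest of the page from running.
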
TeddyKiller (Author) Posted March 22, 2010

```
Warning: Missing argument 1 for check_user(), called in /home/jeanie/public_html/main.php on line 7 and defined in /home/jeanie/public_html/inc/functions.php on line 2

Warning: Cannot modify header information - headers already sent by (output started at /home/jeanie/public_html/inc/functions.php:2) in /home/jeanie/public_html/inc/functions.php on line 16
```

```php
<?php
session_start();
include("inc/config.php");
include('classes/imgmanip.php');
include("inc/functions.php");
$user = check_user($secret_key);
?>
```

`function check_user($secret_key) {`

Why am I getting errors?

KevinM1 Posted March 22, 2010

Your secret key exists in the session, correct? Well, you need to either use that value directly, or assign it to a variable which you then pass to the function. In other words:

```php
$user = check_user($_SESSION['secret_key']);
```

or

```php
$secret_key = $_SESSION['secret_key'];
$user = check_user($secret_key);
```

Remember: if you need to use variables across pages, put them in a session.

EDIT: or, if you're worried about the secret key being compromised, save it somewhere (file, db), then read it from that data store when you need to access it.

TeddyKiller (Author) Posted March 22, 2010

No. $secret_key is defined in config.php which is included in every file.

Edit: Oh damn, I was saving index.php rather than main.php.

KevinM1 Posted March 22, 2010

> No. $secret_key is defined in config.php which is included in every file.

The errors tell me that your functions.php file is borked. The error resides there. Show code?

TeddyKiller (Author) Posted March 22, 2010

It's alright. I edited my last post saying that I was saving index.php rather than main.php, though you replied too fast. Thanks for trying to help though.