bruckerrlb, Posted March 24, 2010

Hey everyone, I'm trying to do a little security here. I have a login script; it stores three sessions: session id, the username and the permission level of the user. The last two are database sessions, and I can get them to print out fine on the page, but what is killing me is when I do this:

    if ($_SESSION['sessid'] != session_id()) {
        header("Location:index.php");
    }

Nothing seems to happen. What I mean is I log out, kill the session, try to hit a page that has this code in it, and it still lets me in. I don't understand why; there is no output getting sent before this, just start_session(); I've even done tests to see if $_SESSION['sessid'] and session_id() are the same, and they both show up different, but it lets me in. Does anyone know why this could be happening?

o3d, Posted March 24, 2010

Rather than using the header function, try to error_log a message when the header function should fire. Then error_log your $_SESSION array to see what variables and values are set.

bruckerrlb, Posted March 24, 2010

Thanks for the reply! I error logged, not too familiar with doing this, but in my error log, I got the string I passed, nothing else. How would I be able to error_log my session array? Thanks!

andrewgauger, Posted March 25, 2010

I think you need a space between the colon and the page:

    Location: index.php

Gighalen, Posted March 25, 2010

I'm almost certain you need a space between : and index.php.

bruckerrlb, Posted March 25, 2010

Hey guys, I had tried with the space there and not there on the header. Finally I changed up the code a little, and it works a little better:

    if ($_SESSION['sessid'] != session_id() || $$_SESSION['sessid'] == ' ') {
        header("Location:index.php");
    }

I'm sure that's not the best way but it seems to be working now, weird.

PFMaBiSmAd, Posted March 25, 2010

You need an exit; statement after your header() redirect to prevent the remainder of the code on the page from being executed/accessed. All a hacker needs to do is ignore the header and he can access the page the same as if that code was not present.

As to your original problem in the first post in this thread, you were probably getting a header() error (output sent before the header statement) and without the exit; statement the code on the page was executed the same as if the header statement was not even there. Are you developing and debugging this code on a system with error_reporting set to E_ALL and display_errors set to ON so that you would know if you were or were not getting any header errors?

Edit: The $$_SESSION['sessid'] == ' ' part of your logic expression makes no sense and is probably always FALSE.
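
The guard described in the post above, set beside the guard as first posted, as an added example that is not code from any poster in this thread. The file name guard_demo.php, the `mode` query parameter and the function names `is_logged_in()` and `require_login()` are assumptions made for the demo; the `sessid` key and the index.php target come from the thread.

```php
<?php
// guard_demo.php (hypothetical name): constructed demo for a local test server.
// ?mode=noexit uses the guard as first posted; any other request uses the fixed guard.
declare(strict_types=1);

session_start();

/** True only when the login script stored the current session id under 'sessid'. */
function is_logged_in(): bool
{
    // After logout the key is unset, so read it with ?? instead of indexing blindly.
    $stored = $_SESSION['sessid'] ?? null;
    return is_string($stored) && $stored !== '' && $stored === session_id();
}

/** Fixed guard: redirect when possible, log when not, and stop the script either way. */
function require_login(string $target = 'index.php'): void
{
    if (is_logged_in()) {
        return;
    }
    if (headers_sent($file, $line)) {
        // Output already started, so header() would only raise a warning and do nothing.
        error_log("auth guard: cannot redirect, output started at $file:$line");
    } else {
        header('Location: ' . $target, true, 302);
    }
    exit; // without this, the rest of the page still runs and is sent along with the 302
}

if (($_GET['mode'] ?? '') === 'noexit') {
    // Guard as first posted: sets the header, then falls through to the page body.
    // (?? null is used here only so the demo emits no undefined-key warning.)
    if (($_SESSION['sessid'] ?? null) != session_id()) {
        header('Location: index.php');
    }
} else {
    require_login();
}

echo "protected content\n";
```

Served with `php -S 127.0.0.1:8000 guard_demo.php` and requested with `curl -i`, the `?mode=noexit` response is a 302 whose body still contains "protected content", while the default response is a 302 with an empty body.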

bruckerrlb, Posted March 25, 2010

Hey, thanks for that info, that's what the problem was. I needed an exit() statement, and I was able to take out the $_SESSION['sessid'] == ' ' part with the exit right after the header statement! I appreciate the help!

bruckerrlb, Posted March 25, 2010

And a quick correction in my post: it wasn't the exit(), it was the exit; statement.