
Sessions not storing? For login page.


xxbrighidxx


Hello!

 

I have been trying to play around with this all night and all morning yet I can't figure out why it's not working. It appears that the values being posted into Session to store are either not storing or not transferring to the redirected members page.

 

I have the session_start () in a header file that is included with each page. Also global_variables are turned on under phpinfo.

 

header.html:

<?php 
ob_start();

session_start();

session_regenerate_id (TRUE); 

if (!isset($page_title)) {
$page_title='User Registration';
}

?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>

<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />

<title><?php echo $page_title; ?></title>

<style type="text/css" media="screen">@import "includes/layout.css";</style>

</head>

<body>

<div id="Header">User Registration</div>

<div id="Content">

 

footer.html:

</div>

<div id="Menu">

<a href="index.php" title="Home Page">Home</a><br />

<?php 

if (isset($_SESSION['user_id'])) {

echo '<a href="logout.php" title="Logout">Logout</a><br />

<a href="change_password.php"title="Change Your Password">Change Password</a><br />';

if ($_SESSION['user_level'] ==1) {

echo '<a href="view_users.php"title="View All Users">View Users</a><br />

<a href="#">Some Admin Page</a><br />';

}
} else {//not logged in.

echo'<a href="register.php" title="Register for the Site">Register</a><br />

<a href="login.php" title="Login">Login</a><br />

<a href="forgot_password.php"title="Password Retrieval">Retrieve Password</a><br />';

}

?>

<a href="#">Some Page</a><br />
<a href="#">Some Other Page</a><br />

</div>

<?php
ob_end_flush ();
?>

 

 

login.php:

<?php 
// This is the login page for the site.

require_once ('includes/config.inc.php'); 
$page_title = 'Login';
include ('includes/header.html');

if (isset($_POST['submitted'])) {
require_once (MYSQL);

// Validate the email address:
if (!empty($_POST['email'])) {
	$e = mysql_real_escape_string ($_POST['email'],$dbh);
} else {
	$e = FALSE;
	echo '<p class="error">You forgot to enter your email address!</p>';
}

// Validate the password:
if (!empty($_POST['pass'])) {
	$p = mysql_real_escape_string ($_POST['pass'],$dbh);
} else {
	$p = FALSE;
	echo '<p class="error">You forgot to enter your password!</p>';
}

if ($e && $p) { // If everything's OK.

	// Query the database:
	$q = "SELECT user_id, first_name, user_level FROM users WHERE (email='$e' AND pass=SHA1('$p')) AND active IS NULL";		
	$r = mysql_query ($q,$dbh) or trigger_error("Query: $q\n<br />MySQL Error: " . mysql_error($dbh)); 

	if (mysql_num_rows($r) == 1) { // A match was made.

		// Register the values & redirect:
		$_SESSION =  mysql_fetch_array ($r, mysql_ASSOC);
		mysql_free_result($r);
		mysql_close($dbh);

		$url = BASE_URL . 'members.php'; // Define the URL:
		ob_end_clean(); // Delete the buffer.
		header("Location: $url");
		exit(); // Quit the script.


	} else { // No match was made.
		echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>';
	}

} else { // If everything wasn't OK.
	echo '<p class="error">Please try again.</p>';
}

mysql_close($dbh);

} // End of SUBMIT conditional.


?>

<h1>Login</h1>
<p>Your browser must allow cookies in order to log in.</p>
<form action="login.php" method="post">
<fieldset>
<p><b>Email Address:</b> <input type="text" name="email" size="20" maxlength="40" /></p>
<p><b>Password:</b> <input type="password" name="pass" size="20" maxlength="20" /></p>
<div align="center"><input type="submit" name="submit" value="Login" /></div>
<input type="hidden" name="submitted" value="TRUE" />
</fieldset>
</form>

<?php 
// Include the HTML footer.
include ('includes/footer.html');
?>


 

 

members.php:

<?php 


require_once ('includes/config.inc.php');

$page_title='Welcome to this Site!';
include ('includes/header.html');
echo '<h1>Welcome';
if (isset($_SESSION["first_name"])) {
echo ", {$_SESSION["first_name"]}!";
}

echo '</h1>';

?>

<p>Spam spam spam</p>

<?php 
include ('includes/footer.html');
?>

 

Any help would be greatly appreciated! ^_^

 

Also here is my session portion of phpinfo:

 

session

Session Support             enabled
Registered save handlers    files user

Directive                   Local Value   Master Value
session.auto_start          Off           Off
session.bug_compat_42       On            On
session.bug_compat_warn     On            On
session.cache_expire        180           180
session.cache_limiter       nocache       nocache
session.cookie_domain       no value      no value
session.cookie_lifetime     0             0
session.cookie_path         /             /
session.cookie_secure       Off           Off
session.entropy_file        no value      no value
session.entropy_length      0             0
session.gc_divisor          100           100
session.gc_maxlifetime      1440          1440
session.gc_probability      1             1
session.name                PHPSESSID     PHPSESSID
session.referer_check       no value      no value
session.save_handler        files         files
session.save_path           /tmp          /tmp
session.serialize_handler   php           php
session.use_cookies         On            On
session.use_only_cookies    Off           Off
session.use_trans_sid       Off           Off

 

 

 

I thank you in advance for any help! ^_^

Link to comment
Share on other sites

Sorry, forgot to include - what is happening is after I log in to the site from the form - it takes me to the members page; with the incorrect login pages. (Showing logged out) and nothing else happens. Even when I attempt to log in again - it results in the same thing. The account was easy to register - and I know I am entering in the correct information.

Link to comment
Share on other sites

Still doing the same thing - if there is ANY help that anyone can offer it would be greatly appreciated! I have spent way over 7 hours just trying to fix this!

 

I had checked the Session variables and they keep returning back with an empty array! :/

Link to comment
Share on other sites

A) Have you configured your server so that .html files get parsed as php code so that the php code in header.html is being seen as php code?

 

B) Are you developing and debugging your code on a system with error_reporting set to E_ALL and display_errors set to ON in your php.ini so that all the errors php detects will be reported and displayed?

 

C) global_variables? There is no such setting and if you were actually writing about register_globals, C-1) Don't turn them on (ever), C-2) They don't have anything to do with why your code does not work.

Link to comment
Share on other sites

@peter - Thank you for the help; I tried replacing my code there with what you posted and it is still doing the same thing.

 

@PFM - I'm not quite sure how I would configure that - I am hosted through 1and1.com but I had tried changing my .html files to both .php files and renamed the rest of the files respectively. The code has trigger_error() after the queries and it isn't reporting anything. Should I try a general error? Could it possibly be a hidden error?

 

Sorry for the questions! Just can't figure out what is going on.

 

Regarding the global variables - when researching my problem I had noticed a lot of people stating how Session is a global variable and it could not be storing due to global variables being turned off. This is why I thought it would be important to include that information but I guess I was wrong! Again I apologize!

Link to comment
Share on other sites

You should NOT be attempting to learn php or develop php code on a live server. You are literally wasting hours of your time uploading code just to see one result and until code is completely tested and debugged, it often has security holes that would allow a hacker to exploit a live server.

 

Actually, since you are including the .html file into (hopefully) a .php file, what I wrote concerning the .html files does not matter.

 

The code has trigger_error()

Except that does not report or display anything unless you have error_reporting/display_errors set to report and display correctly.

Link to comment
Share on other sites

Have you echo'd the query string and print_r()'d or var_dump()'d the $_POST array to see if the values you'd expect to be in there are actually in there?

Have you checked to verify that the result of mysql_num_rows($r) is actually exactly one?

Also, you shouldn't be using mysql_real_escape_string() on the $_POST['pass'] variable. It's going to be hashed, and if there is an added escape slash, it will change the value of the hash.

Link to comment
Share on other sites

@PFM - What would you recommend then? I don't have any other access to another server to do my code on, and I have defined Live as False and have it set so that any errors will only be displayed while the Live =False; I don't get any real visitors to my site and all files are located inside another folder on my site. A folder I just created yesterday and have given no access to anyone else. I also have all passwords in my database encrypted with md5 so I hope that I have taken most security precautions available.

 

I am including the .html file into a .php file. Would the following code be correct to include to have error_reporting displayed?

 


ini_set('display_errors', 'On');
error_reporting(E_ALL | E_STRICT);

 

If this is correct where would the appropriate spot to put this be? Would I put it in the header which is included with every other file or should I personally copy it into each file manually?

Link to comment
Share on other sites

There are several all in one - Apache/php/mysql triads that can be installed on almost any personal computer - http://www.apachefriends.org/en/xampp.html

 

Yes, those two error_reporting/display_errors settings should work. You should only put them into the file you are trying to debug (assuming you can identify which one) so that it is easy to remember to take them out later. They should generally be put right after the first opening <?php tag in a main file so that any runtime (they won't help with parse errors) errors produced by any of the actual code are reported and displayed.

 

By having a local development system, you can set those settings in the master php.ini and you won't ever need to worry about where they are at in your code or remember to remove them when you put your code onto a live server.

Link to comment
Share on other sites

In case you have not made any progress on this, the actual problem is because mysql_ASSOC that you are using in mysql_fetch_array() is incorrect. It should be MYSQL_ASSOC. Due to this error, you are not actually fetching anything and assigning it to the $_SESSION variables.

 

I determined this rather quickly (it has taken me longer to compose this reply than it took to find the problem) by executing the code on a development system that has the error_reporting and display_errors set in the master php.ini as previously suggested and doing a little debugging (commenting out the header() and ob_end_clean() statements) so that I could see what is happening in the login code.

 

Now, please remove all the ob_start();, ob_end_clean();, and ob_end_flush(); statements from your code. You should only use output buffering if you want to buffer output for capturing it, not to fix problems in your code. The ob_end_clean() function in particular in your code is hiding/cleaning the php error message you would get about the mysql_ASSOC problem.

 

If your MYSQL file (which I assume contains your mysql_connect() and mysql_select_db() code) also happens to contain your database connection username and password, please change this file so that it has a .php extension so that if someone discovers it and browses to it that they cannot see the username/password (without an extension, the contents of the file will be output as is, with a .php extension, the php code in the file will be parsed as php code and only any output it sends will be seen, which is likely nothing.)

Link to comment
Share on other sites
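
The points raised in the replies above (the fetch-mode constant, not escaping the password before it is hashed, no output buffering to mask errors), put together as an added example that is not part of any post in this thread. It uses PDO rather than the mysql_* functions in the original code; DB_DSN, DB_USER and DB_PASS are hypothetical constants, and it assumes users.pass holds password_hash() output instead of SHA1().

```php
<?php
// Added example, not the poster's code. DB_DSN, DB_USER and DB_PASS are
// hypothetical constants; BASE_URL, the table and the columns are the thread's.
// Assumes users.pass holds password_hash() output instead of SHA1().
error_reporting(E_ALL);            // development settings from the thread;
ini_set('display_errors', '1');    // switch display_errors off on a live server
require_once 'includes/config.inc.php';

session_start();                   // runs before any output, so no ob_start()

function find_user(PDO $db, string $email, string $password): ?array
{
    // Bound parameter instead of escaping; the password is never escaped,
    // so the value that gets verified is exactly what the user typed.
    $stmt = $db->prepare(
        'SELECT user_id, first_name, user_level, pass
           FROM users WHERE email = :email AND active IS NULL'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matched

    if ($row === false || !password_verify($password, $row['pass'])) {
        return null;
    }
    unset($row['pass']);                     // keep the hash out of the session
    return $row;
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,  // failed queries throw
    ]);
    // filter_input() yields null/false for missing or array input; cast to ''.
    $user = find_user($db, (string) filter_input(INPUT_POST, 'email'),
                           (string) filter_input(INPUT_POST, 'pass'));
    if ($user !== null) {
        session_regenerate_id(true);         // issue a fresh session ID at login
        $_SESSION['user_id']    = (int) $user['user_id'];
        $_SESSION['first_name'] = $user['first_name'];
        $_SESSION['user_level'] = (int) $user['user_level'];
        header('Location: ' . BASE_URL . 'members.php');
        exit;
    }
    $error = 'Email and password do not match, or the account is not active.';
}
// The login form and $error are rendered below, after all header() calls.
```

Copying named keys into $_SESSION, rather than assigning the fetch result to the whole array, means a failed fetch cannot silently replace the session contents.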
