problem with set session variables

[markbett]

when logging into the site session variables are declared and set:

[code]  if(mysql_num_rows($validate) == 1){
      while($row = mysql_fetch_assoc($validate)){
        $_SESSION['login'] = true;
        $_SESSION['userid'] = $row['id'];
        $_SESSION['first_name'] = $row['first_name'];
        $_SESSION['last_name']  = $row['last_name'];
        $_SESSION['email_address'] = $row['email_address'];[/code]
the problem i have is that when i call on these variables later on, they often have changed and are now showing information for a different users.  the problem generally is triggered after performing a new SQL query to fetch other information.  Where I am confused is that I do not set $_session variables in ANY other locations.  I am the one experiencing the poblem on my test site so i know i am not hacking anything and resetting variables....  am i mistaken that once $_SESSION['first_name']  is set to a value that it will rmeain that set value until explicitly told otherwise or is it the case that when you declare $_SESSION['first_name']  = $row['first_name']; every time you have a $row['first_name'] the session variable will be reset to that new value....

[btherl]

No you aren't mistaken.

The only explanation I can think of is that your code which sets the $_SESSION variables is being called again..

Try adding a debugging statement like

[code]echo "<br>Setting session variables for user {$row['id']}<br>";[/code]

Then if that code gets run, you'll get a visual indicator on the page.

[markbett]

alaas it shouldnt be able to:

[code]case "validate":
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
    $validate = mysql_query("SELECT * FROM users
                          WHERE username='$username'
                          AND password = md5('$password')
                          AND verified='1'  AND disabled='0'
                          ") or die (mysql_error());
                         
  if(mysql_num_rows($validate) == 1){
      while($row = mysql_fetch_assoc($validate)){
        $_SESSION['login'] = true;
        $_SESSION['userid'] = $row['id'];
        $_SESSION['first_name'] = $row['first_name'];
        $_SESSION['last_name']  = $row['last_name'];[/code]

i could throw in a check to see if they are logged in already and tell it not to run but because its in a switch it shouldnt be able to run a second time..... and on top of that its within its own sql return so for it to run the second time it should have to rerun the query and return proper values...... grrr

[markbett]

ohh i should clarify... when first logged in the session variables are returned corrently... as i nav to new pages and run other queries to set things in the DB etc, that is when things change and instead of calling me Mark is will call me "21" or "Manager" etc even though the session is still the same

[btherl]

Are you missing a break in your switch statement, above case "validate": ?

In any case, you have nothing to lose by adding paranoid statements like "If (impossible condition) die("Something impossible happened!")".  You'd be surprised at how often something which should be impossible actually happens :)

[markbett]

no luck

[code]switch($_REQUEST['req']){
 
case "validate":
//ensure they are not already logged in//
if($_SESSION['login'] != TRUE){

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
    $validate = mysql_query("SELECT * FROM users
                          WHERE username='$username'
                          AND password = md5('$password')
                          AND verified='1'  AND disabled='0'
                          ") or die (mysql_error());[/code]

[markbett]

*bump*