floridaflatlander Posted December 14, 2011 Share Posted December 14, 2011 ONE of my SESSION values isn't remaining after login while others do. This works fine on my localhost, it's on the live site that there is a problem and it just started yesterday. Before that it worked great. Out of the four SESSIONs made I can only echo three values on other pages, member id the most important doesn't transfered to other pages Notes: all these files are in the same folder, there is a SESSION started for the member id on the login page, you can see that it is used in the redirect below and the redirect works fine with the redirect going to the correct page " $home/member/index.php?user=$id_mem " Here is the login page // Here's the basic login page info <?php # login.php session_start(); ob_start() ...connect to db & header called... ...Form validation..... if ($e && $p) { // If everything's OK. // Query the database: $q = "SELECT id_mem, display_name, mem_group FROM sn_members WHERE (email='$e' AND password=SHA1('$p')) AND active IS NULL"; $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc)); // or die("Error: ".mysqli_error($dbc)); if (@mysqli_num_rows($r) == 1) { // If a match was made. // Register the values & redirect: // Give SELECTED elements a session $_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC); $_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']); mysqli_free_result($r); // Update db for last login $id_mem = $_SESSION['id_mem']; // <<< SESSION member id has a value here because it's used in the redirect below $ip = $_SERVER['REMOTE_ADDR']; // Get ip address of person logging in $q = "UPDATE sn_members SET last_login = Now(), ip = '$ip' WHERE id_mem = '$id_mem' LIMIT 1"; $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc)); header("Location: $home/member/index.php?user=$id_mem"); exit(); // Quit the script. } ?> Here is the main page that a user would be redirect to above <?php // /member/ all member info is through this folder session_start(); ob_start(); if (isset($_GET['user']) && is_numeric($_GET['user'])) { $user = $_GET['user']; $user = $user; if ($user < 0) { header("Location: $home/index.php"); exit(); } } if ((!isset($_SESSION['id_mem'])) && (!isset($_SESSION['agent']) OR ($_SESSION['agent'] != md5($_SERVER['HTTP_USER_AGENT'])))){ // If not a logged in member redirect header("Location: $home/index.php"); exit(); // Quit the script. } ?> Thanks in advance for the help SJ Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted December 14, 2011 Share Posted December 14, 2011 What does a phpinfo statement show for the register_globals setting? Do you have any code at all (logout) that clears $_SESSION['id_mem']? Where is that code at relative to what you have posted? Quote Link to comment Share on other sites More sharing options...
marcelobm Posted December 14, 2011 Share Posted December 14, 2011 When you do // Update db for last login $id_mem = $_SESSION['id_mem']; // <<< SESSION member id has a value here because it's used in the redirect below $ip = $_SERVER['REMOTE_ADDR']; // Get ip address of person logging in $q = "UPDATE sn_members SET last_login = Now(), ip = '$ip' WHERE id_mem = '$id_mem' LIMIT 1"; $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc)); it updates the database as expected? i mean if when you use $_SESSION['id_mem'] it returns the right value Quote Link to comment Share on other sites More sharing options...
floridaflatlander Posted December 14, 2011 Author Share Posted December 14, 2011 My register_globals settings are to on Do you have any code at all (logout) that clears $_SESSION['id_mem']? Where is that code at relative to what you have posted? A user has to click a logout link to logout or close the browser. Here is the logout code on the logout page <?php ...calls to connect to db ..call header // If no member id session variable exists, redirect the user: if (!isset($_SESSION['id_mem'])) { $url = "$home/index.php"; // Define the URL: ob_end_clean(); // Delete the buffer. header("Location: $url"); exit(); // Quit the script. } else { // Log out the user. $_SESSION = array(); // Destroy the variables. session_destroy(); // Destroy the session itself. setcookie (session_name(), '', time()-300); // Destroy the cookie. } ?> it updates the database as expected? i mean if when you use $_SESSION['id_mem'] it returns the right value Yes, it updates the db and to play I added // Test to see id_mem value $id_mem = $_SESSION['id_mem']; header("Location: $home/member/index.php?user=$id_mem"); exit(); // Quit the script. To see if $_SESSION['id_mem'] still had a value after the insert and it did, sending me to the correct user page /member/index.php?user=20 Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted December 14, 2011 Share Posted December 14, 2011 My register_globals settings are to on Then any $_COOKIE['id_mem'], $_GET['id_mem'], $_POST['id_mem'], or $id_mem variable will overwrite your $_SESSION['id_mem'], which is why register_globals were turned off by default almost 10 years ago (they allow hackers to set your session variables and program variables to anything they want.) A) Turn register_globals off ASAP. B) If you happen to be on a server configuration where you cannot do that, shame on your web host and you must make sure that you don't use cookie, get, post, or program variables with the same index name/name as your session variables. Quote Link to comment Share on other sites More sharing options...
floridaflatlander Posted December 14, 2011 Author Share Posted December 14, 2011 Thanks PFMaBiSmAd, I'll check into that. The file I loaded said register_globals is on, I went to my host control panel and it said register_globals is off. I've contacted my host and they should be in touch with me shortly. I'll mark this closed when I check and see if the main problem is solved. Thanks all for the help Quote Link to comment Share on other sites More sharing options...
floridaflatlander Posted December 14, 2011 Author Share Posted December 14, 2011 That was it, my host hasn't got back to me yet but they had been working on my site a few days ago and I'm guessing assigned register_globals on for some reason and didn't assign it to off again when they were through Thanks again Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted December 14, 2011 Share Posted December 14, 2011 When php5.4 is released, this sort of register_globals time wasting nonsense will be finally gone. Quote Link to comment Share on other sites More sharing options...
floridaflatlander Posted December 14, 2011 Author Share Posted December 14, 2011 When php5.4 is released, this sort of register_globals time wasting nonsense will be finally gone. Thanks again Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.