floridaflatlander
Posted December 14, 2011

ONE of my SESSION values isn't remaining after login while others do.

This works fine on my localhost; it's on the live site that there is a problem, and it just started yesterday. Before that it worked great.

Out of the four SESSIONs made I can only echo three values on other pages; member id, the most important, doesn't get transferred to other pages.

Notes: all these files are in the same folder, there is a SESSION started for the member id on the login page, you can see that it is used in the redirect below and the redirect works fine with the redirect going to the correct page " $home/member/index.php?user=$id_mem "

Here is the login page

```php
<?php # login.php
// Here's the basic login page info
session_start();
ob_start();

// ...connect to db & header called...

// ...Form validation.....

if ($e && $p) { // If everything's OK.

    // Query the database:
    $q = "SELECT id_mem, display_name, mem_group FROM sn_members WHERE (email='$e' AND password=SHA1('$p')) AND active IS NULL";
    $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc)); // or die("Error: ".mysqli_error($dbc));

    if (@mysqli_num_rows($r) == 1) { // If a match was made.

        // Register the values & redirect:
        // Give SELECTED elements a session
        $_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC);
        $_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']);
        mysqli_free_result($r);

        // Update db for last login
        $id_mem = $_SESSION['id_mem']; // <<< SESSION member id has a value here because it's used in the redirect below
        $ip = $_SERVER['REMOTE_ADDR']; // Get ip address of person logging in
        $q = "UPDATE sn_members SET last_login = Now(), ip = '$ip' WHERE id_mem = '$id_mem' LIMIT 1";
        $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));

        header("Location: $home/member/index.php?user=$id_mem");
        exit(); // Quit the script.
    }
}
?>
```

Here is the main page that a user would be redirected to above

```php
<?php
// /member/ all member info is through this folder
session_start();
ob_start();

if (isset($_GET['user']) && is_numeric($_GET['user'])) {
    $user = $_GET['user'];
    $user = $user;
    if ($user < 0) {
        header("Location: $home/index.php");
        exit();
    }
}

if ((!isset($_SESSION['id_mem'])) && (!isset($_SESSION['agent']) OR ($_SESSION['agent'] != md5($_SERVER['HTTP_USER_AGENT'])))) {
    // If not a logged in member redirect
    header("Location: $home/index.php");
    exit(); // Quit the script.
}
?>
```

Thanks in advance for the help

SJ

PFMaBiSmAd
Posted December 14, 2011

What does a phpinfo statement show for the register_globals setting?

Do you have any code at all (logout) that clears $_SESSION['id_mem']? Where is that code at relative to what you have posted?

marcelobm
Posted December 14, 2011

When you do

```php
// Update db for last login
$id_mem = $_SESSION['id_mem']; // <<< SESSION member id has a value here because it's used in the redirect below
$ip = $_SERVER['REMOTE_ADDR']; // Get ip address of person logging in
$q = "UPDATE sn_members SET last_login = Now(), ip = '$ip' WHERE id_mem = '$id_mem' LIMIT 1";
$r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));
```

it updates the database as expected? I mean, if when you use $_SESSION['id_mem'] it returns the right value

floridaflatlander (Author)
Posted December 14, 2011

My register_globals settings are set to on

> Do you have any code at all (logout) that clears $_SESSION['id_mem']? Where is that code at relative to what you have posted?

A user has to click a logout link to logout or close the browser. Here is the logout code on the logout page

```php
<?php
// ...calls to connect to db
// ..call header

// If no member id session variable exists, redirect the user:
if (!isset($_SESSION['id_mem'])) {

    $url = "$home/index.php"; // Define the URL:
    ob_end_clean(); // Delete the buffer.
    header("Location: $url");
    exit(); // Quit the script.

} else { // Log out the user.

    $_SESSION = array(); // Destroy the variables.
    session_destroy(); // Destroy the session itself.
    setcookie (session_name(), '', time()-300); // Destroy the cookie.

}
?>
```

> it updates the database as expected? i mean if when you use $_SESSION['id_mem'] it returns the right value

Yes, it updates the db and to play I added

```php
// Test to see id_mem value
$id_mem = $_SESSION['id_mem'];
header("Location: $home/member/index.php?user=$id_mem");
exit(); // Quit the script.
```

To see if $_SESSION['id_mem'] still had a value after the insert and it did, sending me to the correct user page /member/index.php?user=20

PFMaBiSmAd
Posted December 14, 2011

> My register_globals settings are set to on

Then any $_COOKIE['id_mem'], $_GET['id_mem'], $_POST['id_mem'], or $id_mem variable will overwrite your $_SESSION['id_mem'], which is why register_globals were turned off by default almost 10 years ago (they allow hackers to set your session variables and program variables to anything they want.)

A) Turn register_globals off ASAP.

B) If you happen to be on a server configuration where you cannot do that, shame on your web host and you must make sure that you don't use cookie, get, post, or program variables with the same index name/name as your session variables.
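
A startup check for the two points in the reply above, as an added example that is not part of the original thread or any poster's code: it reads the register_globals value actually in effect for the running script and lists request parameter names that collide with session keys. The function names are hypothetical and the sample arrays are constructed; the syntax is kept PHP 5.3 compatible so it can run on a server old enough to still have the directive.

```php
<?php
// Added example. Function names are hypothetical; sample arrays are constructed.

// True only when this PHP build still has register_globals and it is enabled.
// On PHP 5.4 and later the directive no longer exists and ini_get() returns false.
function register_globals_enabled()
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Returns "SOURCE:name" for every request parameter whose name is also a session key.
// $sources maps a label ('GET', 'POST', 'COOKIE') to the matching input array.
function session_key_collisions(array $session, array $sources)
{
    $hits = array();
    foreach ($sources as $label => $input) {
        // Keep only the input entries whose key also exists in the session.
        foreach (array_intersect_key($input, $session) as $name => $unused) {
            $hits[] = "$label:$name";
        }
    }
    return $hits;
}

// Constructed sample data using the session keys that login.php sets.
$session = array(
    'id_mem'       => 20,
    'display_name' => 'SJ',
    'mem_group'    => 1,
    'agent'        => md5('constructed-user-agent'),
);
$sources = array(
    'GET'    => array('user' => '20'),
    'POST'   => array(),
    'COOKIE' => array('id_mem' => '', 'PHPSESSID' => 'constructed'),
);

if (register_globals_enabled()) {
    error_log('register_globals is On: request input can overwrite session keys');
}
foreach (session_key_collisions($session, $sources) as $hit) {
    echo "collision: $hit\n";
}
```

In a real page the two arguments would be `$_SESSION` and an array built from `$_GET`, `$_POST` and `$_COOKIE`, checked right after `session_start()`.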

floridaflatlander (Author)
Posted December 14, 2011

Thanks PFMaBiSmAd, I'll check into that.

The file I loaded said register_globals is on, I went to my host control panel and it said register_globals is off. I've contacted my host and they should be in touch with me shortly.

I'll mark this closed when I check and see if the main problem is solved.

Thanks all for the help

floridaflatlander (Author)
Posted December 14, 2011

That was it. My host hasn't got back to me yet, but they had been working on my site a few days ago and I'm guessing they assigned register_globals on for some reason and didn't assign it to off again when they were through.

Thanks again

PFMaBiSmAd
Posted December 14, 2011

When php5.4 is released, this sort of register_globals time wasting nonsense will be finally gone.

floridaflatlander (Author)
Posted December 14, 2011

> When php5.4 is released, this sort of register_globals time wasting nonsense will be finally gone.

Thanks again