
$_SESSION variables not saved.


Janj


Hi, I have an issue where my session variables are not saved. Here's what my pages are supposed to do:

check.php, included in all pages contains this:

<?php
if(!isset($_SESSION['loggedin']))
{
header("Location:  login.php");
}
?>

 

Which means that if the session variable is not set, it redirects to login.php.

login.php contains a username and password box.  This is the code:

 

if($_GET['status']=="done")
{
if($username=="username" && $password=="password")
{
$_SESSION['loggedin']='true';
$_SESSION['name']="test";
}
}
?>

(header stuff)

<?php
if($_GET['status']!="done")
{
echo"
<form action=\"login.php?status=done\" method=\"post\">
Username: <input name=\"username\" type=\"text\" /><br />
Password: <input name=\"password\" type=\"password\" /><br />
<input name=\"login\" type=\"submit\" id=\"login\" value=\"Log In\" />
</form>";
}
else if($_GET['status']=="done")
{
if($_SESSION['loggedin']==true)
{
	echo "LOGGED IN AS ".$_SESSION['name'];
}
else
{
	echo "INVALID USERNAME OR PASSWORD / TRY AGAIN";
}
}




?>

Of course, it echoes "LOGGED IN AS test". But when I visit newarticle.php, I get redirected back to login.php. Here's newarticle.php's code (just the top, there's more):

<?php session_start(); include ("check.php"); ?>

 

I'm not sure what I'm doing wrong.  I've tried putting session_start(); in check.php, but that didn't work either.  I'm not sure it's even my fault...

Link to comment
Share on other sites

1) Turn on error reporting (at the beginning of each script) so you can see if there are any warnings or notices causing problems:

error_reporting(E_ALL);
ini_set('display_errors', 1);

 

2) Make sure session_start() is called in each script before trying to reference data in the session

 

3) Current versions of PHP have register_globals OFF, so $username and $password are not going to exist unless you set them in some code you did not show. You have to get those values from the $_POST array:

$username = $_POST['username'];

 

4) Depending on your ini settings, the SESSION may not carry across subdomains (www.mydomain.com/login vs mydomain.com/home) or across subdirectories (mydomain.com/subdir/login vs mydomain.com/otherDir/showArticle)

Link to comment
Share on other sites

One of the stupidest mistakes I have ever made :facepalm: For some reason, it still doesn't work!

 

Updated the code:

<?php session_start(); 
if($_GET['status']=="done")
{
if($_POST['username']=="username" && $_POST['password']=="password")
{
$_SESSION['loggedin']='true';
$_SESSION['name']="test";
}
}
?>

 

I then go to login.php, type in the username/password, and I receive the usual confirmation: LOGGED IN AS test.

But then when I navigate to newarticle.php I get redirected back. Hmm...

Link to comment
Share on other sites

Setting $_SESSION['loggedin']='true'; (with the quotes around true) is setting it to the string made of the letters t, r, u, and e. That does equate (a two == sign comparison) to a true value, but is not exactly doing what you think it is. Remove the single-quotes around the 'true'.

 

You need an exit; statement after your header() redirect to prevent the remainder of the code on your 'protected' pages from running. You could have code after that point that is clearing the session variables and without the exit; to stop the remainder of the code on the page from running while the browser is requesting the new page in the redirect header() you are not actually protecting the page.

 

Have you set the error_reporting/display_errors, like DavidAM suggested, as the first thing (immediately after the first <?php tag, before any other php statements), on all the pages involved in setting or testing these session variables? You should actually have those values set in your php.ini on your development system so that you don't need to remember to put them in for debugging purposes and remove them when you put your code onto a live server (you want to log php errors on a live server, not display them.)

 

Is the output_buffering php.ini setting turned off (you can check using a phpinfo statement on a page) and you are also not using any of the output buffering statements in your code? Because output buffering hides any php error messages you output on a page if you are also using a header() redirect on that page.

 

If your code was actually logging you in without using $_POST['username'] and $_POST['password'], then that does indicate that register_globals are on. If you have any php variable named $loggedin, $_GET['loggedin'], $_POST['loggedin'], $_COOKIE['loggedin'], or $_REQUEST['loggedin'] in your code, any value from those variables will also back set $_SESSION['loggedin'] and could be producing the result you are seeing (this also allows a hacker to set your $_SESSION variables because he can set any of those external variables to anything he wants.) If you do have register_globals set to ON (you can check using a phpinfo statement), you need to either turn them off or upgrade to the latest php 5.4+ version where register_globals have been completely removed.

Link to comment
Share on other sites
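
The points raised in the replies above (session_start() before any use of $_SESSION, form values read from $_POST, a boolean true rather than the string 'true', and exit; after the header() redirect) put together in one file. This is an added example, not code from any poster in this thread; the function names require_login() and attempt_login() and the placeholder credentials are assumptions, and the session_regenerate_id() and hash_equals() calls are standard PHP hardening added here.

```php
<?php
declare(strict_types=1);
// Added example: helper names and credentials below are hypothetical.

// Constructed placeholder credentials, mirroring the hard-coded ones in the thread.
const DEMO_USER = 'username';
const DEMO_PASS = 'password';

// Call at the top of every protected page (the role check.php plays in the thread).
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();               // must run before $_SESSION is read
    }
    // Strict comparison: only boolean true passes. With ==, the strings
    // 'true' and even 'false' both compare equal to true.
    if (($_SESSION['loggedin'] ?? false) !== true) {
        header('Location: login.php');
        exit;                          // without this the protected page keeps executing
    }
}

// Call from login.php when the form has been posted.
function attempt_login(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Read the fields from $_POST; with register_globals off,
    // $username and $password are never created automatically.
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (!is_string($user) || !is_string($pass)) {
        return false;                  // reject array input such as username[]=x
    }
    if (hash_equals(DEMO_USER, $user) && hash_equals(DEMO_PASS, $pass)) {
        session_regenerate_id(true);   // issue a fresh session id at login
        $_SESSION['loggedin'] = true;  // boolean, not the string 'true'
        $_SESSION['name'] = 'test';
        return true;
    }
    return false;
}
```

A protected page would include this file and call require_login() as its first statement, before any output is sent.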

Hey. Sorry I haven't been on in a while, I was really sick and I couldn't get to this.

Just phpinfo'd it. I get no value for output_buffering and On for register_globals. Turned off register_globals.

 

I think the issue is that it's not reading the $_SESSION variables. I have them in my browser, and every page begins with session_start(); but it's not finding them.

Link to comment
Share on other sites

Yeah, it's not passing the variables on. I altered check.php:


if(!isset($_SESSION['loggedin']))
{
echo "error ";
echo session_id();
exit;
}

When I go to newarticle.php, I get an error (because apparently loggedin isn't set) but I do get the session id. It's strange, I wouldn't expect to get one and not the other. Are they (the variables) not being saved?

Link to comment
Share on other sites
