[Resolved] Session Variables Help

[skrap1r0n]

I am an ASP developer, recently switched over to a LAMP environment. For the most part, switching from ASP to PHP has been fairly simple.

One thing I am curious about is how session variables are handled. In ASP, if I wanted to set a session state, say an administrator priviledge, I could do it as a session variable. Then at the top of each page that needed to be secure, I could check for that session variable and if it didn't exist, I could redirect them to a login page.

Now I am trying to do this in php and I seem to be running into some issues. First, here is the code that I am calling on a secure page to test if the session variable exists:
[quote]if ($_SESSION['user'] !== 'admin')
{
header('Location:./utils/admin_login.php?pg='.$_SERVER['PHP_SELF']);
}[/quote]

This will direct the visitor to a login page, that requires them to log in, validates it against values returned from a database then kick them back to the originating page (hence passing the originating page in the redirect). Next it the code that sets the session variable:
[quote]if ($bitUnErrFlag + $bitPwErrFlag == 0)
    {
          session_start();
          $_SESSION['user']='admin';
          header('Location:..'.$pg);
    }[/quote]

Now, I am not clear if the [b]header('Location:..'.$pg);[/b] is the right way to do it, or whether it is properly concactnated, however when I echo that string, I get [b]Location:../test.php[/b], which is where I want to go.

Now here is the rub... When it redirects me back to test.php. it encountered the initial check:
[quote]if ($_SESSION['user'] !== 'admin')
{
header('Location:./utils/admin_login.php?pg='.$_SERVER['PHP_SELF']);
}[/quote]
When I change the value of $pg so that it will take me to a page without the admin check, it works. When I try to echo $_SESSION['user'] on that page, it is empty. So my question is, why is my session variable not persisting? The code that initiates the session variable is above the doctype in the page, so I am starting the session before the <xhtml> tag.

So I gotta ask, what the heck is going on here? Is there some configuration i need to make in either the php.conf file or the apache2.conf file to allow session variables.

[corbin]

Ummm just double checking you - on the page with the $_SESSION['user'] !=== 'admin' thing, you did include a session_start(); tag, correct?

[Philip]

Make sure to have session_start(); on [b]every[/b] page you use your sessions. This should fix the problem.

and as for [code]header('Location:..'.$pg);[/code] -- if you have $pg = $_GET['pg'];. then yes it is correct

[skrap1r0n]

[quote author=KingPhilip link=topic=116328.msg473905#msg473905 date=1164524508]
Make sure to have session_start(); on [b]every[/b] page you use your sessions. This should fix the problem.
[/quote]

Thanks, That resolved the problem. I only used [b]session_start()[/b] on the page where I was setting the session variable. One final question, since this variable is going ot be used across the site, is there any reason not to place [b]session_start()[/b] inside a global utilities include?

Also, what is the timeout on that variable?

[Philip]

Timeout is set in your PHP settings - I'm not too familiar with how to get to them - but I will look it up

If you are using sessions on all the pages, then yes, put session_start(); on all of the pages :D

[skrap1r0n]

OK great thanks. I looked into the default session settings and it said that it should be until the browser closes, which is fine for now. I appreciate the help. I'm sure i'll have more questions in the future.

[Philip]

Glad to help :D