$_SESSION not setting?

[tycoonbob]

Hi everyone.

I'm working on a simple app for internal use for a small company.  I am having difficulties getting the account logins working correctly, and I believe it has something to do with $_SESSION not being set like I expected it to.  Now I am fairly new to PHP, and have been learning as I go.

 

index.php contains this:

<?php
session_start();


require_once('includes/config.inc.php');
require_once('includes/functions.inc.php');


// Check login status -- if not logged in, redirect to login screen
if (check_login_status() == false) {
  redirect('login.php');
}

So when I load the app, I'm redirected to login.php:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">


<head>
  <meta http-equiv="Content-type" content="text/html;charset=utf-8" />
  <title>Login Page</title>
  <link rel="stylesheet" type="text/css" href="css/login.css" />
</head>
<body>
  <form id="login-form" method="post" action="includes/login.inc.php">
    <fieldset>
      <legend>Login to Inventory System</legend>
      <p>Please enter your username and password to access the Inventory system</p>
      <label for="username">
        <input type="text" name="username" id="username" />Username:
      </label>
      <label for="password">
        <input type="password" name="password" id="password" />Password:
      </label>
      <label>
        <input type="submit" name="submit" id="submit" value="Login" />
      </label>
    </fieldset>
  </form>
</body>


</html>

When I hit submit on the login page, includes/login.inc.php is called:

<?php
session_start();


require_once('config.inc.php');
require_once('functions.inc.php');


// Escape any unsafe characters before querying database
$username = $con->real_escape_string($_POST['username']);
$password = $con->real_escape_string($_POST['password']);


// Construct SQL statement for query & execute
$query = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . MD5($password) . "'";
$result = mysqli_query($con,$query) or die(mysqli_error($con));


// If one row is returned, username and password are valid
if (is_object($result) && $result->num_rows == 1) {
  $_SESSION['logged_in'] = true;
  redirect('../index.php');
} else {
  redirect('../login.php');
}
?>

Now I've been able to determine that the login is being processed successfully, because if I disable the check_login_status function in index.php, I'm redirected to index.php if I login with a valid account.  Under the same conditions, an incorrect password will reload login.php.  With the function disabled, I've also tried adding "print_r($_SESSION)" at the top of index.php, but nothing ever loads, which makes me think something is wrong with my function.

 

functions.inc.php:

<?php
function redirect($page) {
  header('Location: ' . $page);
  exit();
}


function check_login_status() {
  // IF $_SESSION['logged_in'] is set, return the status
  if (isset($_SESSION['logged_in'])) {
    return $_SESSION['logged_in'];
  }
  return false;
}
?>

config.inc.php:

<?php
$con=mysqli_connect("server_name","user","pass","db_name");
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
  ?>

I'm really at a loss, and I don't know where the problem is.  I've checked for syntax errors with "php -l file.php" and found no syntax errors.  I'm not sure how to do any other debugging with this, or what I'm missing.  Help is truly appreciated!

 

EDIT: Yes, I know MD5 passwords are not recommended, and that will be changed to use salt once I can get functionality in my app.  I will also be escaping/preparing all MySQL queries once I get the login piece working.

[requinix]

1. Find your php.ini, open it up, set

error_reporting = -1
display_errors = on

and restart your web server. Any error messages?

 

2. If there aren't any errors, try modifying your redirect() to be

function redirect($page) {
  session_id() && session_write_close();
  header('Location: ' . $page);
  exit();
}

[snoop_rogg]

If this is your webserver make sure the session.save_path is set to a folder with user read/write permissions or sessions will not be created.

session.save_path = "C:\PHP\sessions"

[snoop_rogg]

try putting }else{

return false;

}

 

for the following function

 

function check_login_status(){

if(isset($_SESSION['logged_in'])){

return $_SESSION['logged_in'];

}else{

return false;

}

 

}

[tycoonbob]

Thanks for the replies.

 

The web server is a VM running CentOS 6.x, using Nginx, PHP-fpm, and MySQL.  php.ini had "session.save_path" disabled, so I enabled it (uncommented it), set it = to "/tmp/phpsess", created /tmp/phpsess/, and set the owner to nginx:nginx, which is what my web server is using.

 

I've also added the { } around the check_login_status function, and also added the "session_id() && session_write_close();" line to the redirect function.

 

I also added the two debug lines to my php.ini, restarted Nginx and PHP-fpm, but am seeing no error messages at all.

 

Any other ideas?

[requinix]

Check your cookies (as in within the browser), or add

echo SID;

to your code to output it. Is the session ID ever changing?

[tycoonbob]

Check your cookies (as in within the browser), or add

echo SID;

to your code to output it. Is the session ID ever changing?

 

 

I see a cookie being created called PHPSESSID, which expires when the session ends.  

 

Now what's really bothering me is I've installed WAMP on my local PC, copied over the scripts, imported a copy of the database, and everything works like it's supposed to.  I've compared each setting in php.ini, and I am out of ideas.  I have spent two days trying to figure this out and I feel like I'm getting nowhere.

[requinix]

I see a cookie being created called PHPSESSID, which expires when the session ends.

Right, but does the value change from page to page?

[tycoonbob]

Right, but does the value change from page to page?

 

It does not appear to change.

[tycoonbob]

Figured out my issue.

 

I'm using PHP-fpm instead of just PHP, and the www.conf file (/etc/php-fpm.d/www.conf) has a setting for session.save_path which was set to a non-existent directory.  Once I changed that to the directory that I had set for that variable in php.ini, it started working.