Session Fustration

[tweitzel79]

Howdy folks,

I am trying to get sessions to cooperate, but am at a loss. I am trying to copy the variable of userlevel in a session. The array displays correctly on pointerface.php. For some reason, the session doesn't seem to carry over to other pages, and the session ID's are different.

I'd appreciate some input as to where I may be going wrong.

pointerface.php:

 session_start();
  
  
  { 		
  		include('../htconfig/dbConfig.php'); 
  		mysql_connect("$hostname","$username","$password"); 
  mysql_select_db("$database")or die("cannot select DB");
  $tbl_name="members"; 
  
 $sql2="SELECT * FROM members WHERE username='$myusername' and password='$mypassword'";
 $result2=mysql_query($sql2);
 $userlevel=mysql_result($result2,$i,"userlevel");
 $_SESSION["userlevel"] = "$userlevel" ;
 echo session_id();
 echo "<br>";
 Print_r ($_SESSION);

adminnotes.php:

session_start();
 
 print_r ($_SESSION);
 echo session_id();
 
     if($_SESSION['userlevel']=='Admin'){

[.josh]

is session_start(); being called before all other output, including any whitespace that might be at the top of the file?

[tweitzel79]

<?php session_start();  

Yes, Session Start is on the first line immediately following the opening php tag on both pages.

[mac_gyver]

you need to have php's error_reporting set to E_ALL and display_errors set to ON so that php will help you by reporting all the errors it detects.

 

you could have mis-configured session settings that are preventing the session data from being saved or a php file that is saved with a bom (byte order mark) characters that are then being output prior to the session_start() statement. both of these will be reported by the error_reporting/display_errors settings.

 

some other possibilities are the host-name/sub-domain part of the url (www.domain.com vs domain.com) is changing between the two pages (by default the session id cookie only matches the variation of your domain where it was set) or even the path after the domain is changing (by default the session id cookie should match all variations of the path after your domain in the url, but your setting could be different than the default.)

 

are these two files in the same folder and is the usage of the www. or no www. consistent in the urls when you move from the first file to the second one?

[tweitzel79]

Thank you all for your help.

 

When I change the error reporting, I am getting an error: Notice: Undefined index: userlevel on the line where it reads: if($_SESSION['userlevel']=='Admin').

 

Again, the SID numbers are different.

 

Both files are in the same path and in the same folder.

 

Any other thoughts?

[mac_gyver]

after you browse to the first page, look in your browser's 'page info' for that page and check if there is a cookie with the name PHPSESSID (the value in the cookie should match the session_id() value.)

 

have you by any chance disabled cookies in your browser settings?

 

i see a stray { on line 4 of the first posted code. is the code you have posted all your actual code? i.e. you could be doing something that is un-setting the session data somewhere else in your code.

[tweitzel79]

There is a PHPSESSID on both pages. Both ID's are different. Below is the entire code for both pages. I didn't program all this, just taking it over to implement Sessions.

 

pointerface.php (first page):

<?php session_start();


	
		include('../htconfig/dbConfig.php'); 
		mysql_connect("$hostname","$username","$password"); 
mysql_select_db("$database")or die("cannot select DB");
$tbl_name="members"; 

$sql2="SELECT * FROM members WHERE username='$myusername' and password='$mypassword'";
$result2=mysql_query($sql2);
$userlevel=mysql_result($result2,$i,"userlevel");
$_SESSION["userlevel"] = "$userlevel" ;

echo session_id();
echo "<br>";
Print_r ($_SESSION);
// Connect to server and select databse.
mysql_connect("$hostname","$username","$password"); 
mysql_select_db("$database")or die("cannot select DB");

// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM members WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Purchase Order System</title>
</head>
<?php
include('../htconfig/dbConfig.php');
mysql_connect("$hostname","$username","$password"); 
mysql_select_db("$database")or die("cannot select DB");
$query=("SELECT * FROM POs ORDER BY id DESC LIMIT 50");
$result=mysql_query($query);
$num=mysql_numrows($result);
?>

<table border="1" cell pacing="1" cellpadding="1" align="center">

<tr>
<td>
<font face="Arial, Helvetica, sans-serif">id</font></td>
<td>
<font face="Arial, Helvetica, sans-serif">Agent</font></td>
<td>
<font face="Arial, Helvetica, sans-serif">DateEntered</font></td>
<td>
<font face="Arial, Helvetica, sans-serif">Shop</font></td>
<td>
<font face="Arial, Helvetica, sans-serif">Category</font></td>
<td>
<font face="Arial, Helvetica, sans-serif">Amount</font></td>
<td>
<font face="Arial, Helvetica, sans-serif">Items</font></td>
<td>
<font face="Arial, Helvetica, sans-serif">ApprovedDeclined</font></td>
<td>
<font face="Arial, Helvetica, Sans-serif">AdminNotes</font></td>
<td>
<font face="Arial, Helvetica, sans-serif">PONumber</font></td>
<td>
<font face="Arial, Helvetica, sans-serif">Notes</font></td>
<td>
<font face="Arial, Helvetica, sans-serif">Vendor</font></td>
<td>
<font face="Arial, Helvetica, sans-serif">OrderNumber</font></td>

<?php
$i=0;

while ($i < $num) {
$f1=mysql_result($result,$i,"id");
$f2=mysql_result($result,$i,"Agent");
$f3=mysql_result($result,$i,"DateEntered");
$f4=mysql_result($result,$i,"Shop");
$f5=mysql_result($result,$i,"Category");
$f6=mysql_result($result,$i,"Amount");
$f7=mysql_result($result,$i,"Items");
$f8=mysql_result($result,$i,"ApprovedDeclined");
$f9=mysql_result($result,$i,"PurchaseDate");
$f10=mysql_result($result,$i,"OrderNumber");
$f11=mysql_result($result,$i,"Notes");
$f12=mysql_result($result,$i,"Vendor");
$f13=mysql_result($result,$i,"POdate");
$f14=mysql_result($result,$i,"Approvedate");
$f15=mysql_result($result,$i,"adminnotes");
?>
<tr>
<td>
<font face="Arial, Helvetica, Sans-serif"><?php echo "<a href='purchaseorder.php?id=$f1' target='_blank'>$f1</a>";
?></font></td>
<td>
<font face="Arial, Helvetica, Sans-serif"><?php echo $f2; ?></font></td>
<td>
<font face="Arial, Helvetica, Sans-serif"><?php echo $f3; ?></font></td>
<td>
<font face="Arial, Helvetica, Sans-serif"><?php echo $f4; ?></font></td>
<td>
<font face="Arial, Helvetica, Sans-serif"><?php echo $f5; ?></font></td>
<td>
<font face="Arial, Helvetica, Sans-serif"><?php echo '$'.$english_format_number = number_format($f6); ?></font></td>
<td>
<font face="Arial, Helvetica, Sans-serif"><?php echo $f7; ?></font></td>
<?php if($f8 == 'Approved'){ 
                echo '<td bgcolor="#028021">' . $f8 ; 
            }
			elseif($f8 == 'Declined') {
			echo '<td  bgcolor="ff0000">' . $f8;}
			elseif($f8 == 'Under Review') {
			echo '<td  bgcolor="ffff66">' . $f8;}
			else{ 
                echo '<td bdcolor="#ffffff">' . $f8;} ?> </td>

<td>
<font face="Arial, Helvetica, Sans-serif"><?php echo $f15; ?></font></td>
<td>
<font face="Arial, Helvetica, Sans-serif"> <?php echo "$f13-$f1"; ?></font></td>
<td>
<font face="Arial, Helvetica, Sans-serif"><?php echo "<a href='updatenotes.php?id=$f1' target='_blank'>$f11</a>"; ?></font></td>
<td>
<font face="Arial, Helvetica, Sans-serif"><?php echo $f12; ?></font></td>
<td>
<font face="Arial, Helvetica, Sans-serif"><?php echo $f10; ?></font></td>
<td>
<font face="Arial, Helvetica, Sans-serif"><form action="adminnotes.php?id=<?php echo $f1 ?>" method="post" name="form1" target="_blank" id="form1">
      <input type="submit" name="Admin" id="Admin" value="Admin" />
    </form></font></td>
    
  <td>
<font face="Arial, Helvetica, Sans-serif"><form action="updatepo.php?id=<?php echo $f1 ?>" method="post" name="form1" target="_blank" id="form1">
      <input type="submit" name="Edit PO" id="Edit PO" value="Add Ord Num" />
    </form></font></td>
     <td>
<font face="Arial, Helvetica, Sans-serif"><form action="adminnotestest.php?id=<?php echo $f1 ?>" method="post" name="form1" target="_blank" id="form1">
      <input type="submit" name="adminnotestest" id="adminnotetest" value="Test Button" />
    </form></font></td>




</tr>
<?php
$i++;}
?>
<body>
<div align="center">
  <p><img src="../rxtrans.gif" alt="RX Logo" width="170" height="99" /></p>
<p><strong>Purchase Order System</strong></p>
  <p align="left"<form>
<input type="button" value="New PO"
onclick="window.open('newpo.htm')">
</form><input type="button" value="Download CSV"
onclick="window.open('csvrequest.htm',width=250,height=100)">
</form></p>
<form action="search.php" method="POST" target="_blank">
    <div align="right">Search for
      <input type="text" name="query" />
in 
  <select name="field" id="field">
    <option>id</option>
    <option>adminnotes</option>
    <option>Agent</option>
    <option>DateEntered</option>
    <option>entmonth</option>
    <option>entyear</option>
    <option>Shop</option>
    <option>Category</option>
    <option>Amount</option>
    <option selected="selected">Items</option>
    <option>ApprovedDeclined</option>
    <option>OrderNumber</option>
    <option>Notes</option>
    <option>Vendor</option>
  </select>     
  <input type="submit" value="Search" />
     </div>
</form>
</div>

</body>
</html>
<?php
}
else {
echo "Wrong Username or Password";
}


?>

adminnotes.php (2nd page):

<?php session_start();
error_reporting(E_ALL);

print_r ($_SESSION);
echo session_id();

    if($_SESSION['userlevel']=='Admin'){
		?>



<style type="text/css">
<!--
body {
	background-color: #FFFF99;
}
.style2 {font-weight: bold}
-->
</style>
	  <?php


$host="localhost"; // Host name 
$username="timw79_poadmin"; // Mysql username 
$password="xpress13"; // Mysql password 
$db_name="timw79_po"; // Database name 
$tbl_name="POs"; // Table name 
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB"); 

  if(isset($_GET['id'])) {
  	$id = $_GET['id'];
  }
  else {
  echo Error;
  
  }



  $query=("SELECT * FROM POs WHERE id = $id LIMIT 1");
$result=mysql_query($query);
$num=mysql_numrows($result);
$i=0;

$f1=mysql_result($result,$i,"id");
$f2=mysql_result($result,$i,"Agent");
$f3=mysql_result($result,$i,"DateEntered");
$f4=mysql_result($result,$i,"Shop");
$f5=mysql_result($result,$i,"Category");
$f6=mysql_result($result,$i,"Amount");
$f7=mysql_result($result,$i,"Items");
$f8=mysql_result($result,$i,"ApprovedDeclined");
$f9=mysql_result($result,$i,"PurchaseDate");
$f10=mysql_result($result,$i,"OrderNumber");
$f11=mysql_result($result,$i,"Notes");
$f12=mysql_result($result,$i,"Vendor");
$f13=mysql_result($result,$i,"POdate");
$f14=mysql_result($result,$i,"Approvedate");
$f15=mysql_result($result,$i,"adminnotes");
 ?>

<div align="center">
  <p><img src="../rxtrans.gif" alt="RX Logo" width="200" height="115"></p>
  <p><strong>PO Admin Page</strong></p>
  <p><table width="800" border="0" cellpadding="5">
  <tr>
    <td width="174" height="123"><img src="../rxtrans.gif" width="174" height="101" alt="RXlogo" /></td>
    <td colspan="2" valign="top"><div align="right"><span class="style1">PURCHASE ORDER</span></div>
        <p align="right"><strong>Entry Date:</strong>  <?php echo $f3; ?><br />
          <strong>Requestor:</strong> <?php echo $f2; ?><br>
          <strong>PO #: </strong>
          <?php 
		  	echo "$f13-$f1";
		  ?>
          <br />
          <strong>Vendor:</strong>          <?php echo $f12; ?><br />
          <strong>Shop:</strong>	      <?php echo $f4; ?><br />
    </p>        </td>
  </tr>
  <tr>
    <td height="97" rowspan="2" valign="top"> </td>
    <td colspan="2" valign="top"><p><strong>Items:</strong> <?php echo $f7; ?><br />
    </p>      </td>
  </tr>
  <tr>
    <td colspan="2" valign="top"><strong>PO Notes:</strong> <?php echo $f11; ?></td>
  </tr>
  <tr>
    <td height="579" rowspan="5" valign="top">
    <form action="approve.php?id=<?php echo "$id" ?>" method="post" name="form1" target="_blank" id="form1">
      <input type="submit" style="background-color:#00CC00;color:#000000" name="Approve PO" id="Approve PO" value="Approve PO" />
      <br />
    </form>
    <form action="underreview.php?id=<?php echo "$id" ?>" method="post" name="form1" target="_blank" id="form1">
      <input type="submit" style="background-color:#ff9900;color:#000000" name="Mark for Review" id="Mark for Review" value="Mark for Review" />
      <br />
    </form>
    <form action="decline.php?id=<?php echo "$id" ?>" method="post" name="form1" target="_blank" id="form1">
      <p>
        <input type="submit" style="background-color:#FF000D;color:#000000" name="Decline PO" id="Decline PO" value="Decline PO" />
        </p>
      </form>
    </p></td>
    <td colspan="2" valign="top"><p align="right"><strong>Amount: </strong> <?php echo $f6; ?></p>        </td>
  </tr>
  <tr>
    <td colspan="2" valign="top"><p><strong>Admin Notes:</strong></p>
    <table width="593" border="1" align="left" cellpadding="5" bordercolor="#FF0000" bgcolor="#FFFFFF">
      <tr>
     
        </tr>
      <tr>
       <th height="45" align="left" valign="top" scope="col">
          <br />
          <form action="addadminnotes.php?id=<?php echo "$id" ?>" method="POST" target="_blank">
          <textarea name="adminnotes" id="adminnotes" cols="100" rows="5"><?php echo $f15 ?></textarea>
            <input type="submit" name="Submit" id="Submit" value="Submit Notes" />
          </form>
          </th>
      </tr>
      <tr>
       
        </tr>
    </table></td>
  </tr>
  <tr>
    <td width="416" valign="bottom"><p><?php if ($f8==Approved){
	echo "<img src='../buttons/bittsig.jpg'>";}
	
	else{
	echo "Not Yet Approved";
	}
	?></p>        </td>
    <td width="207" valign="bottom"><div align="right"><?php echo $f14; ?></div></td>
  </tr>
  <tr>
    <td colspan="2" valign="top"><hr></td>
  </tr>
  <tr>
    <td valign="top"><strong>Approved By</strong></td>
    <td valign="top"><div align="right"><strong>Approval Date</strong></div></td>
  </tr>
  <tr>
    <td height="59" colspan="3" align="center" valign="bottom"><div align="center" class="style2">Rental Xpress, LLC PO Box 181140 Corpus Christi, TX 78480 Phone (361) 854-1111 Fax (361) 723-2114</div></td>
  </tr>
</table>
  </p>
</div>
	<?php 
	}
    else{
        echo "Acess denied:"; echo "<BR>";
		echo "<A HREF='../index.html'>Login</A>";
    }
	?>

[mac_gyver]

one of the points of setting php's error_reporting/display_errors was to see if there were any errors with the session_start() statement.

 

you need to set error_reporting/display_errors before the session_start() statement and it needs to be on both pages, because it can be one, the other, or both pages with a problem.

Edited February 6, 2014 by mac_gyver

[tweitzel79]

Wow. Thank you for correcting the placement of my error reporting. I am now getting the following error: Notice: A session had already been started - ignoring session_start() in /home3/timw79/public_html/po/htdocs/pointerface.php on line 2

 

I get this same error on both pages, but I haven't started a session on any page prior to pointerface.php. I'm even more confused now.

[tweitzel79]

I just turned off Session Auto Start in my php.ini file. I no longer get the error regarding 'a session already started', but I am still getting two unique SID's and the error "Notice: Undefined index: userlevel" on adminnotes.php.

[mac_gyver]

your current symptom is that of the browser not sending the session id cookie back with each request it makes to the server. two possibilities -

 

1) your browser is configured to not accept cookies (the session id cookie) and even though you see the cookie in your browser, the browser isn't sending it back to the server.

 

2) the session id cookie's domain or path is set to something that doesn't match the url or path for the page(s) and the browser isn't sending it back to the server due to the mis-match. given that the session auto start was set, does your php.ini also have any other session._______ values set in it, particularly the session.cookie_domain and session.cookie_path settings?

Edited February 6, 2014 by mac_gyver

[tweitzel79]

Here is my session portion of php.ini.

 

 

My  browser allows cookies. Do you see any settings that may need attention? My apologies if I'm asking very basic questions.

[mac_gyver]

the session.cookie_path should be just /

 

the current setting will only cause the session id cookie to match urls like - your_domain.com/tmp

[tweitzel79]

Updated php.ini. Still getting the same errors.

 

pointerface.php:  f6b1f1f6538defd4bf2939867ef91bbe

Array ( [userlevel] => Admin )

 

adminnotes.php:  Array ( ) 58cdbfaadddbd35cff166e1b38cd7208

Notice: Undefined index: userlevel in /home3/timw79/public_html/po/htdocs/adminnotestest.php on line 9

 

[mac_gyver]

if this is the master php.ini, you will need to restart your web server to get the change to take effect. if this is a local php.ini (in your document root folder) the change should have taken effect on the next page request.

 

also, since you currently have a cookie with a setting in it that doesn't work, you should delete that cookie and/or completely close your browser.

[tweitzel79]

I'm updating the php.ini in Cpanel on my HostGator account. I completely closed the browser and tried this in a different browser. This didn't work in Chrome, but now works in IE. I'm going to check my Chrome settings and try again.

[mac_gyver]

when you look at the cookie's parameters in your browser, it should show path: /

[tweitzel79]

It shows path: /

 

Just as you described. Not sure why this isn't working in Chrome.

[tweitzel79]

Now what is odd is even in IE one can only make a transition to one page. If the user closes the adminnotes.php, he / she must refresh pointerface.php in order to reopen adminnotes.php.

 

How can we keep ones session active while he / she is on the site?

[mac_gyver]

if your last post means you have closed the browser and the session is not present when you open the browser again, that is the normal operation of sessions (by default, a session lasts for just the current browser session.)

 

if you mean that, with the browser continuously open, you cannot refresh adminnotes.php or navigate to any other page and then back again without loosing the session, that's not normal and something is still going on with your session id cookie/session data on the server.

 

here's one possibility, if the sessions sometimes last and sometimes don't, based on your session.save_path setting, assuming you are on a shared web server (there could be dozens of other accounts using that same /tmp folder.) all the other accounts could be deleting the session data files due to the session garbage collection they are triggering. if you are on a shared web server, you need to create your own folder for the session data files and set your session.save_path setting to point to that folder.

 

beyond that, this appears to be a problem with the session id cookie and that the browser is not sending it back to the web server with the page requests because the browser doesn't think the cookie matches the sub-domain/host-name and/or path of the url being requested.

 

when you look at the session id cookie in your browser, does the host: parameter match exactly the url you are browsing to or does it have a different sub-domain/host-name, i.e. www. or no www from the url you are browsing to? does the host: parameter in the browser start with a dot (.), which causes it to match all variations of the domain name or is it just the domain.com, without the leading dot. also, are you using an actual domain name that you own, or are you using a temporary url based on your web host's main domain name, i.e. some_temporary_name.your_web_host's_domain.com?

[tweitzel79]

My inquiry was that with the browser open, one cannot move throughout the site without logging off, then back on.

 

After reading your helpful post, I tried various folders for the session.save_path with no luck. In fact, I was completely unable to get a session to initiate at all when I changed from either '/' or '/tmp'. I had a lingering feeling that my problems were related to HostGator so I backed up my MySql database and imported it to a server sitting in my office. Dedicated.

 

The problem has been resolved. Users can use the site as desired, and sessions work properly. Thank you all for your help. Although now, I seem to have an issue with HostGator. Might just have to upgrade my service... or cry in a corner.

 

Thank you all again for your help.

[mac_gyver]

if there is a problem with the session.save_path setting/folder, the php error_reporting/display_errors settings should report things like permission problems, non-existent folder...

[tweitzel79]

Yes, I was getting the non-existent folder error. I tried a variety of folder names and locations.