[SOLVED] Session help

[Daleeburg]

I am new to this whole php thing.  More or less i have taught myself everything I know and am trying to make a site with php.

 

I currently have a problem where session data is not recalled.  I veiwed the session files on the server and for some reason every time a page is opened a new session is started rather then having a session for the whole time the user is there.

 

Here is the code for the main page.

<?php 
session_start();

require("config.php");
IF($_GET['log'] == "out"){
session_destroy(); echo'<meta  http-equiv="refresh" content="1; url=/index.php" />';
};

?>

<html>
<head>
<title>Passworded SQL Database Editor</title>
</head>
<body>
<?php
if(isset($_SESSION[user])){ echo 'Welcome '.$_SESSION[user].',<a href=index.php?log=out> [-LOG OUT-]';  }ELSE{ echo '<FORM action="/editor.php?mode=1" Method="POST">User Name: <input type="text" name="user" size=""> Password<input type="password" name="pass" size=""> <input type="submit" name="submit" value="Log In"></form>';};

?>
<br>
  <?php
If (isset($_GET[mode])) { 
If ($_GET[mode] == 1) {require("editor/login.php"); login();};
	}ELSE{
	require("editor/index.php");
	}
?>

</body>
</html>

 

 

And the code for the Login page

<?php 

FUNCTION login(){

$query = "SELECT * FROM _members WHERE user = '".$_POST['user']."' ";
  $result = mysql_query($query) OR DIE("Error In DataBase");
  
  $cuser = @mysql_result($result, 0, user);
  $cpass = @mysql_result($result, 0, pword);
  $num = @mysql_result($result, 0, user_id);

If($_POST['user'] == $cuser AND $_POST['pass'] == $cpass and strlen('user') > 0 AND strlen('pass') > 0){
$_SESSION[user] = $cuser;
$_SESSION[num] = $num;

	Echo 'You are logged on! One Moment for the Redirection. <a href=editor.php"> Click here </a> If the page does not reload in 15 seconds <br>'.$_SESSION[user].' <meta  http-equiv="refresh" content="2; url=editor.php" />	';

}ELSE{ 

Echo 'Incorrect User and/or password. User and Password is case-sensitive.<br>';
};
};

?>

 

I am running a WAMP5 server on my computer.

 

If anybody could help, it would be greatly appreciated.

[Jessica]

session_start() must be on the top of EVERY page.

[Daleeburg]

It is at the top of ever page because of how the php?mode=X is used

 

[Jessica]

$_SESSION[user] needs to be $_SESSION['user'];

 

Put print_r($_SESSION) at the top of the page and you can see what's stored in the session.

Also, sessions do not last between mysite.com and www.mysite.com

[Daleeburg]

i have printed the variables at the top of each page and what i find is that the variable is stored and printed on the login page, but not when it is refreshed to the home page.

 

is there a possibility that there is something wrong with my config file b.c it makes 3 cookies for the visit, login, and refresh to homepage.  which would mean that it is not recognizing that all as one user.

[Daleeburg]

more or less the sessions will not stick.

 

here is my config file

[session]

; Handler used to store/retrieve data.

session.save_handler = files

 

; Argument passed to save_handler.  In the case of files, this is the path

; where data files are stored. Note: Windows users have to change this

; variable in order to use PHP's session functions.

;

; As of PHP 4.0.1, you can define the path as:

;

;    session.save_path = "N;/path"

;

; where N is an integer.  Instead of storing all the session files in

; /path, what this will do is use subdirectories N-levels deep, and

; store the session data in those directories.  This is useful if you

; or your OS have problems with lots of files in one directory, and is

; a more efficient layout for servers that handle lots of sessions.

;

; NOTE 1: PHP will not create this directory structure automatically.

;        You can use the script in the ext/session dir for that purpose.

; NOTE 2: See the section on garbage collection below if you choose to

;        use subdirectories for session storage

;

; The file storage module creates files using mode 600 by default.

; You can change that by using

;

;    session.save_path = "N;MODE;/path"

;

; where MODE is the octal representation of the mode. Note that this

; does not overwrite the process's umask.

session.save_path = "c:/wamp/tmp"

 

; Whether to use cookies.

session.use_cookies = 1

 

; This option enables administrators to make their users invulnerable to

; attacks which involve passing session ids in URLs; defaults to 0.

; session.use_only_cookies = 1

 

; Name of the session (used as cookie name).

session.name = PHPSESSID

 

; Initialize session on request startup.

session.auto_start = 0

 

; Lifetime in seconds of cookie or, if 0, until browser is restarted.

session.cookie_lifetime = 0

 

; The path for which the cookie is valid.

session.cookie_path = /tmp

 

; The domain for which the cookie is valid.

session.cookie_domain = localhost

 

; Handler used to serialize data.  php is the standard serializer of PHP.

session.serialize_handler = php

 

; Define the probability that the 'garbage collection' process is started

; on every session initialization.

; The probability is calculated by using gc_probability/gc_divisor,

; e.g. 1/100 means there is a 1% chance that the GC process starts

; on each request.

 

session.gc_probability = 1

session.gc_divisor    = 100

 

; After this number of seconds, stored data will be seen as 'garbage' and

; cleaned up by the garbage collection process.

session.gc_maxlifetime = 1440

 

; NOTE: If you are using the subdirectory option for storing session files

;      (see session.save_path above), then garbage collection does *not*

;      happen automatically.  You will need to do your own garbage

;      collection through a shell script, cron entry, or some other method.

;      For example, the following script would is the equivalent of

;      setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):

;          cd /path/to/sessions; find -cmin +24 | xargs rm

 

; PHP 4.2 and less have an undocumented feature/bug that allows you to

; to initialize a session variable in the global scope, albeit register_globals

; is disabled.  PHP 4.3 and later will warn you, if this feature is used.

; You can disable the feature and the warning seperately. At this time,

; the warning is only displayed, if bug_compat_42 is enabled.

 

session.bug_compat_42 = 1

session.bug_compat_warn = 1

 

; Check HTTP Referer to invalidate externally stored URLs containing ids.

; HTTP_REFERER has to contain this substring for the session to be

; considered as valid.

session.referer_check =

 

; How many bytes to read from the file.

session.entropy_length = 0

 

; Specified here to create the session id.

session.entropy_file =

 

;session.entropy_length = 16

 

;session.entropy_file = /dev/urandom

 

; Set to {nocache,private,public,} to determine HTTP caching aspects

; or leave this empty to avoid sending anti-caching headers.

session.cache_limiter = nocache

 

; Document expires after n minutes.

session.cache_expire = 180

 

; trans sid support is disabled by default.

; Use of trans sid may risk your users security.

; Use this option with caution.

; - User may send URL contains active session ID

;  to other person via. email/irc/etc.

; - URL that contains active session ID may be stored

;  in publically accessible computer.

; - User may access your site with the same session ID

;  always using URL stored in browser's history or bookmarks.

session.use_trans_sid = 0

 

; Select a hash function

; 0: MD5  (128 bits)

; 1: SHA-1 (160 bits)

session.hash_function = 0

 

; Define how many bits are stored in each character when converting

; the binary hash data to something readable.

;

; 4 bits: 0-9, a-f

; 5 bits: 0-9, a-v

; 6 bits: 0-9, a-z, A-Z, "-", ","

session.hash_bits_per_character = 4

 

; The URL rewriter will look for URLs in a defined set of HTML tags.

; form/fieldset are special; if you include them here, the rewriter will

; add a hidden <input> field with the info which is otherwise appended

; to URLs.  If you want XHTML conformity, remove the form entry.

; Note that all valid entries require a "=", even if no value follows.

url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="

[Jessica]

I had a similar problem last night and it was because I was going from www.mysite.com to mysite.com - make sure that's not it.

[Daleeburg]

I checked that and it is all fine.

 

the whole site right now is at http://localhost/editor.php

 

[Daleeburg]

Found / made a cure.

 

inserted

session_start()
setcookie(session_name(), session_id(), 0, "/", "");

 

works like a charm, does anybody know what type of security concerns this would make?

 

[redarrow]

no concern good luck.

 

So session_start() was the problam then.

[Daleeburg]

not exactly sure what the problem was, i think it is something in my config file, but after searching the web for 7 hours i came upon an obscure post with that in it, so i tried it and it worked.