karenn1 Posted April 13, 2007

I have a system where the member can log in and edit their profile or download articles relevant to their area. These two links are on the index page. Editing the profile grabs the ID from the logged in session and pulls up the member's details from the "MEMBERS" table (username and password also reside there).

On the downloads page I have a table containing all the downloadable articles. This page uses a table called "FILES". This table has its own ID field.

My problem comes in when you download an article. Once you've done that (that works fine, by the way), and return to the index page, the "Edit Profile" link adopts the ID of the downloaded file on the downloads. I think it's because on the downloads page there is an "isset" script for the ID. So it brings that ID back to the index page.

How do I prevent that? How do I get it that even after a file is downloaded, returning to the index page has the "Edit Profile" link referring to the logged in session and not the ID that was set on the downloads page. I've tried "unset(&_REQUEST['id'])" - excuse the syntax, it's just an example - but that didn't work either.

Can anyone help?

Thanks,
Karen
Wildbug Posted April 13, 2007

What version of PHP are you using? If it's an older one, your problem sounds like it might be one of registering globals.

How are articles identified in their link? Is it something like the following?

http://yoursite/article.php?id=12345

If so, that "id" is likely overwriting your $_SESSION['id']. You should change it to something else, like "aid=12345" (and change the code to reflect, obviously). On top of that, if I'm right concerning the register globals bit, then you should look into turning that off.

If this is completely off the mark, let me know, I'll try to think of something else.
karenn1 (Author) Posted April 13, 2007

Hi WildBug!

Thank you so much for your reply. I'm running the latest version of PHP so I don't think it's the Registered Globals thing. I also think it's a question of the Session ID being overwritten. Here's the code for the downloads and the index page. It's quite long but all of it is below. I hope it can help clarify.

Karen

===Downloads Page===

<?php
// includes
include("../includes/conn.inc.php");
include("../includes/user.inc.php");
include("../includes/validate.inc.php");
include("../includes/error_report.inc.php");

// authorizing
$user = new user($db, "members");
$user->authorize("../members_login.php", array("member"));
?>
<?php
if(isset($_GET['id']))
{
    // if id is set then get the file with the id from database
    $id = $_GET['id'];
    $query = "SELECT name, type, size, content " .
             "FROM files WHERE id = '$id'";
    $result = mysql_query($query) or die('Error, query failed');
    list($name, $type, $size, $content) = mysql_fetch_array($result);
    header("Content-length: $size");
    header("Content-type: $type");
    header("Content-Disposition: attachment; filename=$name");
    echo $content;
    exit;
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Neighbourhood Watch - Administration</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
body {
    background-color: #e6ddbd;
    margin-left: 0px;
    margin-top: 0px;
    margin-right: 0px;
    margin-bottom: 0px;
}
-->
</style>
<script>
function rowHighlight(row) {
    row.style.backgroundColor = (row.style.backgroundColor == '#cc0000') ?
    '' : '#cc0000';
}
function confirmClick(text) {
    if (typeof(window.opera) != 'undefined') return true;
    var confirmed = confirm('Do you really want to '+text);
    return confirmed;
}
</script>
<link href="../styles/nw-sa.css" rel="stylesheet" type="text/css">
</head>
<body>
<table width="778" border="0" align="center" cellpadding="0" cellspacing="0" class="admin">
<!--DWLayoutTable-->
<tr>
<td width="15" rowspan="6" valign="top" background="../images/database/sdw_left.jpg"><img src="../images/database/sdw_left.jpg" width="15" height="200"></td>
<td width="748" height="101" valign="top" background="../images/top_bg.jpg"><img src="../images/database/top.jpg" width="748" height="101"></td>
<td width="15" rowspan="6" valign="top" background="../images/database/sdw_right.jpg"><img src="../images/database/sdw_right.jpg" width="15" height="200"></td>
</tr>
<tr>
<td height="19" valign="top" bgcolor="#FFFFFF"><!--DWLayoutEmptyCell--> </td>
</tr>
<tr>
<td height="371" valign="top" bgcolor="#FFFFFF">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td> <a href="javascript:history.go(-1)" class="links"><u>Back</u></a> <span class="links">|</span> <a href="../index.php" class="links"><u>Public</u></a><span class="links"> |</span> <a href="index.php" class="links"><u>Members Home</u></a> <span class="links">>> Articles</span></td>
<td align="right"><span class="links">Logged In As: <?= ucwords($_SESSION["username"]); ?> - <?= ucwords($_SESSION["authorization"]); ?> | </span><a href="logout.php" class="links"><u>Logout</u></a> </td>
</tr>
</table>
<p><span class="body-text">Here you will find all the articles relevant to your area.</span></p>
<p> </p>
<table width="666" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="666"><table width="664" height="120" cellpadding="0" cellspacing="0">
<!--DWLayoutTable-->
<tr>
<td height="24" colspan="8" align="right" valign="top" class="db_list_text"><!--DWLayoutEmptyCell--> </td>
</tr>
<tr
align="center">
<td width="23" class="body-text-np" style="padding-left:5px; padding-right:2px;"></td>
<td width="196" class="body-text-np" style="padding-left:5px; padding-right:2px;"><div align="left"><strong>File Name </strong></div></td>
<td width="10" class="body-text-np" style="padding-left:5px; padding-right:2px;"><div align="left"></div></td>
<td width="228" class="body-text-np" style="padding-left:5px; padding-right:2px;"><div align="left"><strong>Description</strong></div></td>
<td width="13" class="body-text-np" style="padding-left:5px; padding-right:2px;"><div align="left"></div></td>
<td width="69" class="body-text-np" style="padding-left:5px; padding-right:2px;"><div align="left"><strong>Download</strong></div></td>
<td width="10" class="body-text-np" style="padding-left:5px; padding-right:2px;"><!--DWLayoutEmptyCell--> </td>
<td width="113" class="body-text-np" style="padding-left:5px; padding-right:2px;"><div align="left"><strong>Area</strong></div></td>
</tr>
<?php
//$sql_prop = "SELECT area FROM $db.members WHERE area = ".$_REQUEST["area"];
//$result_prop = mysql_query($sql_prop);
//$rs_prop = mysql_fetch_array($result_prop);

$query = "SELECT id, name, description, area_files FROM files WHERE area_files = '".$_REQUEST['area']. "'";
$result = mysql_query($query) or die('Error, query failed');
if(mysql_num_rows($result) == 0)
{
    echo "Database is empty <br>";
}
else
{
    while(list($id, $name, $description, $area_files) = mysql_fetch_row($result))
    {
?>
<tr <?php if (is_int($i/2)) print "bgcolor=\"#C6E4FD\""; ?>>
<td height="27" class="body-text-np" style="padding-left:5px; padding-right:2px;"><img src="../images/icon_update.gif" width="16" height="16"></td>
<td class="db_list_text" style="padding-left:5px; padding-right:2px;"><?= $name;?> </td>
<td class="db_list_text" style="padding-left:5px; padding-right:2px;"><!--DWLayoutEmptyCell--> </td>
<td class="db_list_text" style="padding-left:5px; padding-right:2px;"> <?= $description;?></td>
<td class="db_list_text" style="padding-left:5px; padding-right:2px;"><!--DWLayoutEmptyCell--> </td>
<td class="db_list_text" style="padding-left:5px; padding-right:2px;"><a href="downloads.php?id=<?= $id; ?>">Click Here</a></td>
<td class="db_list_text" style="padding-left:5px; padding-right:2px;"><!--DWLayoutEmptyCell--> </td>
<td class="db_list_text"><span class="db_list_text" style="padding-left:5px; padding-right:2px;"> <?= $area_files;?> </span></td>
</tr>
<?php
        $i++;
    }
?>
<tr align="right">
<td height="24" colspan="8" valign="top" class="db_list_text"><!--DWLayoutEmptyCell--> </td>
</tr>
<tr>
<td height="24" colspan="8" valign="top">
</tr>
</table></td>
</tr>
</table>
</td>
<?php } ?></td>
</tr>
<tr>
<td height="32" align="center" valign="top" bgcolor="#FFFFFF"><a href="javascript:history.go(-1)"><br> </a><a href="javascript:history.go(-1)"><span class="links"><u>Back</u></span></a> <span class="links">|</span> <a href="#top" class="links"><u>Top</u></a></td>
</tr>
<tr>
<td height="19" valign="top" bgcolor="#FFFFFF"><!--DWLayoutEmptyCell--> </td>
</tr>
<tr>
<td height="50" valign="top" bgcolor="#013567"><!--DWLayoutEmptyCell--> </td>
</tr>
</table>
</body>
</html>
<?php
print "<script>\n";
if (eregi($_SERVER['PHP_SELF'], $_SERVER['HTTP_REFERER'])) {
    if
    ($_POST['amount'] > 0) print "document.form.amount.checked = true;\n";
    //if ($_POST['tolet'] == "true") print "document.searchform.tolet.checked = true;\n";
    //if ($_POST['ondisplay'] == "true") print "document.searchform.ondisplay.checked = true;\n";
    //if ($_POST['sold'] == "true") print "document.searchform.sold'.checked = true;\n";
    //if ($_POST['status'] == "unread") print "document.searchform.status.checked = true;\n";
    //if ($_SESSION["authorization"] != "agent") $dropdown['agent'] = $_REQUEST['agent'];
    //$dropdown['area'] = $_REQUEST['area'];
    //$dropdown['type'] = $_REQUEST['type'];
    //$dropdown['price'] = $_REQUEST['price'];
    //$validate->dropdown($dropdown, "searchform");
}
print "</script>";
?>

===Index Page===

<?php
// includes
include("../includes/conn.inc.php");
include("../includes/user.inc.php");
include("../includes/error_report.inc.php");

// authorizing
$user = new user($db, "members");
$user->authorize("../member_login.php", array("member"));
//unset($_SESSION['id']);
?>
<?php
$sql2 = "SELECT * FROM members WHERE id = '".
$_SESSION["id"] ."'";
$sql2 = mysql_query($sql2);
$result2 = mysql_fetch_assoc($sql2);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Neighbourhood Watch - Administration</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
body {
    margin-left: 0px;
    margin-top: 0px;
    margin-right: 0px;
    margin-bottom: 0px;
}
-->
</style>
<style type="text/css">
<!--
.style1 {font-size: 12px; line-height: 18px}
-->
</style>
<link href="../styles/nw-sa.css" rel="stylesheet" type="text/css">
<style type="text/css">
<!--
.style2 {color: #FFFFFF}
-->
</style>
</head>
<body>
<table width="778" border="0" align="center" cellpadding="0" cellspacing="0" class="admin">
<!--DWLayoutTable-->
<tr>
<td width="15" rowspan="6" valign="top" background="../images/database/sdw_left.jpg"><img src="../images/database/sdw_left.jpg" width="15" height="200"></td>
<td width="748" height="101" valign="top" background="../images/top_bg.jpg"><img src="../images/database/top.jpg" width="748" height="101"></td>
<td width="15" rowspan="6" valign="top" background="../images/database/sdw_right.jpg"><img src="../images/database/sdw_right.jpg" width="15" height="200"></td>
</tr>
<tr>
<td height="19" valign="top" bgcolor="#FFFFFF"><!--DWLayoutEmptyCell--> </td>
</tr>
<tr>
<td height="335" valign="top" bgcolor="#FFFFFF"><br>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td> <a href="javascript:history.go(-1)" class="links"><u>Back</u></a><span class="links"> | </span><a href="../index.php" class="links"><u>Public</u></a> <span class="links">|</span> <span class="links">Members Home</span></td>
<td align="right"><span class="links">Logged In As:</span> <span class="links"> <?= ucwords($_SESSION["username"]); ?> - <?= ucwords($_SESSION["authorization"]); ?> </span> <span class="links"> | </span><a href="logout.php" class="links"><u>Logout</u></a> </td>
</tr>
</table>
<br>
<table border="0" cellpadding="0" cellspacing="0">
<!--DWLayoutTable-->
<tr>
<td width="76" height="236"> </td>
<td width="567" valign="top"><table width="552" border="0" cellpadding="0" cellspacing="0" background="../images/admin_blocks.jpg" bgcolor="#FFFFFF">
<!--DWLayoutTable-->
<tr>
<td width="6" rowspan="5" valign="top" bgcolor="#FFFFFF"><!--DWLayoutEmptyCell--> </td>
<td height="19" colspan="2" valign="top" bgcolor="#FFFFFF"><!--DWLayoutEmptyCell--> </td>
</tr>
<tr>
<td height="19" colspan="2" bgcolor="#043762"><span class="body-text-np style2"><strong> Admin</strong></span></td>
</tr>
<tr>
<td height="12" colspan="2" valign="top" bgcolor="#FFFFFF"><!--DWLayoutEmptyCell--> </td>
</tr>
<tr>
<td width="7" height="58"></td>
<td width="539" valign="top" bgcolor="#FFFFFF"><p class="style1"><a href="../admin/list.php" class="body-text-np"></a><span class="body-text-np"><a href="profile_update.php?id=<?= $result2['id']; ?>">Edit your profile</a> <a href="profile_update.php?id=<?= $result2['id']; ?>" class="style1"><img src="../images/icon_update.gif" width="16" height="16" border="0"></a></span></p>
<p class="style1"><br> <br> </p></td>
</tr>
<tr>
<td height="12"></td>
<td></td>
</tr>
<tr>
<td valign="top" bgcolor="#FFFFFF"><!--DWLayoutEmptyCell--> </td>
<td height="12" colspan="2" bgcolor="#043762" class="body-text-np"><span class="style2"><strong> Things relevant to your area </strong></span></td>
</tr>
<tr>
<td valign="top" bgcolor="#FFFFFF"><!--DWLayoutEmptyCell--> </td>
<td height="12" bgcolor="#FFFFFF" class="body-text-np"></td>
<td height="12" bgcolor="#FFFFFF" class="body-text-np"></td>
</tr>
<tr>
<td valign="top" bgcolor="#FFFFFF"><!--DWLayoutEmptyCell--> </td>
<td height="12" bgcolor="#FFFFFF" class="body-text-np"></td>
<td height="12" bgcolor="#FFFFFF" class="body-text-np"><a href="downloads.php?area=<?= $result2['area']; ?>">Articles</a></td>
</tr>
</table></td>
<td width="10"> </td>
<td width="9" valign="top"><!--DWLayoutEmptyCell--> </td>
<td width="92"> </td>
</tr>
</table>
<p> </p></td>
</tr>
<tr>
<td height="38" align="center" valign="top" bgcolor="#FFFFFF"><a href="javascript:history.go(-1)"><br> <span class="links"><u>Back</u></span></a> <span class="links">|</span> <a href="#top" class="links"><u>Top</u></a></td>
</tr>
<tr>
<td height="19" valign="top" bgcolor="#FFFFFF"><!--DWLayoutEmptyCell--> </td>
</tr>
<tr>
<td height="50" valign="top" bgcolor="#013567"><!--DWLayoutEmptyCell--> </td>
</tr>
</table>
</body>
</html>
karenn1 (Author) Posted April 14, 2007

So...I've laid out the code. What do you guys think?
Wildbug Posted April 14, 2007

From the PHP manual on sessions:

"The session support allows you to register arbitrary numbers of variables to be preserved across requests. When a visitor accesses your site, PHP will check automatically (if session.auto_start is set to 1) or on your request (explicitly through session_start() or implicitly through session_register()) whether a specific session id has been sent with the request. If this is the case, the prior saved environment is recreated. All registered variables are serialized after the request finishes."

On your download page, when you assign the GET['id'] value to $id, you reassign the value to your session variable of the same name. There's no need to assign it to another variable, so you could just do:

$query = 'SELECT name, type, size, content FROM files WHERE id = ' . mysql_real_escape_string($_GET['id']);
// ... or ...
$query = "SELECT name, type, size, content FROM files WHERE id = '$_GET[id]'";
karenn1 (Author) Posted April 16, 2007

I understand what you mean by the GET ID bit. I used the code you supplied and it now looks like this:

$query = "SELECT name, type, size, content FROM files WHERE id = ".$_GET['id'];
$result = mysql_query($query) or die('Error, query failed');

At the moment, it returns the error message "Error, query failed". The whole page is blank except for that message. Any idea why?
DanDaBeginner Posted April 16, 2007

Try to echo this $query .. to see your error...
Wildbug Posted April 16, 2007

> At the moment, it returns the error message "Error, query failed". The whole page is blank except for that message. Any idea why?

Yeah, it's because you've told it to die when it doesn't successfully complete the query. You'll need to provide yourself with at least a modicum of information in order to troubleshoot your progress. Print the query, the error message, and maybe even the contents of the variables involved on an error.

$result = mysql_query($query);
if (!$result) {
    echo "Query failed!<br>\n$query<br>\n",mysql_error(),"<br>\n";
    echo "<pre>",print_r($_GET),"</pre>";
    exit;
}
Wildbug Posted April 16, 2007

Oops, change print_r($_GET) to print_r($_GET, true)
karenn1 (Author) Posted April 17, 2007

Thanks so much for your help thus far. I actually figured this one out. Both pages (index.php and downloads.php) refer to the field called ID. I thought that it might be clashing because they both refer to the same field name. So on the downloads page I changed all the references of ID to ID2 and in phpMyAdmin I also changed the field name of the FILES table to ID2. It works 100%. ID now keeps the session ID stored while ID2 doesn't interfere and re-assign the variable.

Thanks again for the replies.

Karen
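
The collision discussed in this thread and a download lookup that avoids it, as an added example that is not part of any post above. It simulates the legacy global-to-session binding with a PHP reference; fetch_file(), $fileId, the in-memory SQLite table (PDO with pdo_sqlite) and all sample values are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. fetch_file(), $fileId, the SQLite
// table and all sample values below are constructed for illustration.

// 1) Simulates the legacy binding (register_globals / session_register()):
//    the global $id is a reference to the session entry with the same name.
function simulate_legacy_request(array $session, array $get): array
{
    $id = &$session['id'];          // binding set up by the session layer
    if (isset($get['id'])) {
        $id = $get['id'];           // the assignment from downloads.php
    }
    unset($id);                     // drop the reference before returning
    return $session;                // what gets saved when the request ends
}

// 2) Download lookup that cannot collide with the session: differently named
//    local, strict integer validation, bound parameter instead of string SQL.
function fetch_file(PDO $db, array $get): ?array
{
    $fileId = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($fileId === false) {
        return null;                // rejects '', '57 OR 1=1', arrays, ...
    }
    $stmt = $db->prepare(
        'SELECT name, type, size, content FROM files WHERE id = :id');
    $stmt->execute([':id' => $fileId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed data: one file row and one logged-in member.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT,
           type TEXT, size INTEGER, content BLOB)');
$db->exec("INSERT INTO files VALUES (57, 'notice.pdf', 'application/pdf', 4, 'demo')");
$session = ['id' => 3, 'username' => 'member1'];

// Legacy behaviour: the member id in the session becomes the file id.
$after = simulate_legacy_request($session, ['id' => '57']);
printf("legacy: session id %s -> %s\n", $session['id'], $after['id']);

// Hardened lookup: the session array is never passed in, so it cannot change.
foreach (['57', '57 OR 1=1', '', ['57']] as $raw) {
    $file = fetch_file($db, ['id' => $raw]);
    printf("id=%s => %s\n", json_encode($raw), $file ? $file['name'] : 'rejected');
}
printf("session id still %d\n", $session['id']);
```

Because the lookup validates the value as an integer and binds it as a parameter, it does not depend on quoting or escaping inside the SQL string.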