Losing POST data and session variables

[davidp]

Something odd is happening with my script.  The really weird thing is that sometimes it will work (but only for Firefox), while most of the time it won't....but it's not a 100% failure rate (except for browsers other than Firefox).

 

It's just really weird.

 

Anyways, posted below is my index.php file, which is quite short and easy to understand.  Here is a basic synopsis of it:

 

I load a PHP file containing some global variables.  I load my DBM and Admin classes.  I require require a file which is supposed to do all handling of SSL connections, but for right now all it does is a session_start().  After that I load a file containing some general functions for admin usage.

 

I then create the DBM, make sure the admin account is created, and then display the admin login form or the admin page depending on whether the admin is logged in or not.

 

<?

require_once ( "../../site_support/globals.php" );
require_once ( "../../site_support/classes/dbm.php" );
require_once ( "../../site_support/classes/admin.php" );
require_once ( "secure.php" );
require_once ( "adminfunctions.php" );

//Connect to the database
global $dbm;
$dbm = new DBM();

// Check if the database is available.
if (!$dbm->isConnected()) {
print 'Unable to access the database at this time.<p>Sorry for the inconvenience.';
exit;
}

if ( !isset($_SESSION['admin_account']) )
    $_SESSION['admin_account'] = new Admin();


print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head>
	<title>Exploring Borders Admin</title>
	<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
	<link rel="stylesheet" href="'.BASE_URL.'style/layout_admin.css" type="text/css">
</head>
<body>
	<b><div style="font-size: 16pt;">Admin Access Page</div></b><br>';

if ( !$_SESSION['admin_account']->isLoggedIn() )
{
$_SESSION['admin_account']->displayLoginForm();
}
else {
displayAdminPage();
}

print '</body></html>';

?>

 

Now here is my problem.  When the login form is displayed, and the user types in his/her information, and clicks "Submit", I redirect to "adminlogin.php".  Once that happens, all the session data and the POST data gets lost.  Here is a copy of the login form that gets displayed:

 

function displayLoginForm ( )
{
	print '<form action="'.BASE_URL.'admin/adminlogin.php" method="POST">
		User Name:<br>
		<input type="text" name="username"><br>
		Password:<br>
		<input type="password" name="password"><br>
		<input type="submit" value="Submit"><br>
		</form>';
}

 

And here is the code that handles the POST data in "adminlogin.php":

 

<?

require_once ( "../../site_support/globals.php" );
require_once ( "../../site_support/classes/admin.php" );
require_once ( "../../site_support/classes/dbm.php" );
require_once ( "secure.php" );

$dbm = new DBM ( );
if ( !$dbm->isConnected() )
{
    print 'Unable to access the database.  Try again later.';
    return;
}

$userName = $_POST['username'];
$password = $_POST['password'];

$md5RevPass = strrev ( md5 ( $password ) );

$result = $dbm->CheckAdminLogin ( $userName, $md5RevPass );

if ( sqlite_num_rows($result) == 0 )
{
print 'Invalid name and password!<br>';
}
else
{
$_SESSION['admin_account']->Login( $userName );
header ( "Location: ".ADMIN_BASE_URL );
}

?>

 

Well, that's everything.  I can't understand why my session variables are being lost (session_start() is being called.  I tried removing the require_once('secure.php') lines, and instead I put session_start() inline in the code I posted above, but I just got the same results as I am getting now.  And where is my POST information going?  I am not using SSL...Although I wanted to, I have cut out all SSL code until I can get these errors resolved.

[davidp]

I have found out a few more specifics that might help in finding a response to the problem.  Here is the jist of it all:

 

It looks like I am losing my session data inbetween page changes/redirects.  The PHP error occurs on the line of: $_SESSION['admin_account']->Login( $userName );

Notice that that line is the first time I reference any member of $_SESSION['admin_account'] which should be an "Admin" object.  You might say, "Well before you reference the session variable, use an if statement to check and make sure it exists."  I did this at first, and I tried creating a new "Admin" object at that point if no "Admin" object existed already.....but when that happened, the redirect to "ADMIN_BASE_URL" (index.php) would just take me back to the login form again (because the session data was once again being lost in the redirect).

 

The interesting thing is that as I have monitored my HTTP requests that are being sent back and forth, I am getting a new PHP session ID everytime I get a response back from the server.  Why is it giving me a new session ID every single time???  This same thing is happening on my own personal server and on my school's CS server.  It's weird.  Here is the code in which I do session_start():

 

session_set_cookie_params ( 0, SESSION_ADMIN_PATH, SESSION_DOMAIN );

session_start();

$_SESSION['dumb'] = rand(1, 10);

 

 

Do you see any problems with that?

[redarrow]

every page needs session_start()

[PFMaBiSmAd]

The problem with $_POST variables not being set "sounds" like register_globals are on and your variables are getting overwritten by same name session/cookie/program variables. What is the register_globals setting?

 

You mention PHP errors? Post them.

 

Check your web server log for errors and/or turn on full (use E_ALL) php error reporting to get php to help you.

 

It also sounds like your browser(s) are set to reject cookies or your browser(s) are not sending the session cookie back to the server due to the "path" or "domain" setting.

 

Did you write and debug this code section by section or did you just write it all and then start debugging? Other than what you have written in the posts, what debugging have you done to confirm that sessions are starting and getting the values set in time or that $_POST variables are set at the beginning of the code, but not later...

 

There is a lot of code in your classes that we don't see. Also, since we don't know what constants like SESSION_ADMIN_PATH and SESSION_DOMAIN are, it makes it hard to help you.

 

Either you need to debug the code to the point that you have pinned down the problem to one small section or you will need to post all your code (perhaps as a .zip file) so that someone can see the big picture (such as what variables might be overwriting others) or to be able to recreate the problem.

[davidp]

The post variables are not being lost...that's just what I thought was happening at first.  It turns out the post variables are fine, but the session data is being lost.

 

In terms of cookies:

 

No, my browser accepts cookies.  I always have cookies turned on.  I am also testing this on three different browsers (IE, Safari, Firefox) and the same error happens on all 3 of them.

 

The error is simply:

 

Fatal error: Call to a member function on a non-object in /users/home2/ugrad/d/dpru/public_html/borders/site/admin/adminlogin.php on line 58

 

The reason I am getting this error is obvious to me....the "Admin" object which I created in the session data during the execution of index.php is lost...it's gone.  It doesn't exist anymore.  I am wondering why.  Like I said...it can't be cookies.  I am using 3 browsers and they all accept cookies.  Second, sessions are serverside anyways, not client-side.

[PFMaBiSmAd]

Create two simple pages to debug sessions using your require_once("secure.php"); code to start the session and get sessions working first. As I already wrote, your cookie path/domain setting might be preventing the session cookie from matching the actual path/domain of the page and the session cookie is not getting sent to the server from the browser.

 

Basically, what you are doing with the object in the session works (just verified using a simple class with methods and objects), provided your browser accepts and sends the session ID back to the server in the session cookie so that your code can resume the session on the second page.

 

And as already suggested, check your web server log for errors or turn on full php error reporting to get php to help you.