p2p.wrox.com Forums


beginning_php thread: Problem maintaining session state


Message #1 by "Bob Leitner" <bleitner@c...> on Mon, 3 Feb 2003 19:34:01
I posted this in php_windows too, but haven't received an answer so I'm 
trying here.

Here are the facts:
Using PHP 4.3 / IIS 5.1 / WinXP Pro
php.ini is set to globals off, 
session.save_path = c:\php\sessiondata
session.use_trans_sid = 1 (which I would like to change back to '0' if 
possible)
I believe everything else related to session I left at their default.

The site has protected pages which I check for a session var in the 
beginning of each page - if it isn't set then I include a login.php 
script. The login script has a form to ask for a password if you haven't 
already logged in, then after submitting registers using 
$_SESSION['Password']; checks a MySQL db to compare logged in password to the 
password in the db. If all is good it continues on to the protected page. 
No problem there as after I log in it seems to work. The problem comes 
when I leave the protected page and go to another page and then try to 
return to the protected page - it sends me through the login routine 
again instead of allowing me into the page. I included some of the code 
below.

--- protected page.php ---
<?php
session_start();
if (!isset($_SESSION['Password'])) {
	include ("../login.php");
}
blah, blah, blah...
--- end ---

--- login.php ---
<?php
include ("inc/common_db.php");

if (!isset($_POST['LoginPW'])) {
$EmployeeNum = $_COOKIE['EmployeeNum'];
?>
<html>...the form that submits back to itself...</html>
}

$LoginPW = $_POST['LoginPW'];

$_SESSION['Password'];
$_SESSION['UserName'];

$query = "SELECT Password FROM preferences WHERE UserName = '$UserName';";
$link_id = db_connect($default_dbname);
if (!$link_id) error_message(sql_error());
$result = mysql_query($query);
if (!$result) error_message(sql_error());
$query_data = mysql_fetch_array($result);
$Password = $query_data['Password'];

if ($LoginPW != $Password) {
	unset($_SESSION['Password']);
        unset($_SESSION['UserName']);
	?>
	<script type="text/javascript">
		alert("Your Password is incorrect, Please try again.")
		location.href = "Edit_Preferences.php";
	</script>
	<?php
	exit;
}
?>

Any help please?
Thanx-
Bob
Message #2 by "Nikolai Devereaux" <yomama@U...> on Mon, 3 Feb 2003 13:24:37 -0800
Strange.  I wonder if it has to do with creating a variable and not storing any
values in it.

I'd change your $_SESSION['Password'] scheme to a $_SESSION['LoggedIn']
scheme.

On successful login, set $_SESSION['LoggedIn'] to true.  When checking to see
if a user is logged in, perform this test:

<?php // protected page.php

session_start();

if(!isset($_SESSION['LoggedIn']) || !$_SESSION['LoggedIn'])
{
  // redirect to login page
}

// blah blah blah

?>


Also, you should call session_start() on all your pages, protected or not.
This might be another reason your session is being destroyed in non-protected
pages.  I noticed you don't start the session in your login page.  You should.
I think PHP calls it implicitly when you attempt to create
$_SESSION['Password'], but it's better to be explicit.


hth,

nik
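
The $_SESSION['LoggedIn'] scheme suggested above, written for current PHP (7.0 or later, not the PHP 4.3 of this thread). This is an added example, not code posted by anyone in the thread; it assumes the preferences.Password column holds a password_hash() value, and the function names and the /login.php path are hypothetical:

```php
<?php
// Added example for PHP 7.0+; function names and /login.php are hypothetical.
declare(strict_types=1);

// Call on every page, protected or not. Cookie-only session IDs
// (use_trans_sid = 0) keep the ID out of URLs, server logs and Referer headers.
function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start([
            'use_only_cookies' => 1,
            'use_trans_sid'    => 0,
            'cookie_httponly'  => 1,
        ]);
    }
}

// Returns true and marks the session as logged in only when the password
// matches. The session holds a flag and the user name, never the password.
function attempt_login(PDO $db, string $userName, string $loginPw): bool
{
    start_session();
    // Bound parameter instead of interpolating $userName into the SQL text.
    $stmt = $db->prepare('SELECT Password FROM preferences WHERE UserName = ?');
    $stmt->execute([$userName]);
    $hash = $stmt->fetchColumn();   // assumption: a password_hash() value

    if (!is_string($hash) || !password_verify($loginPw, $hash)) {
        unset($_SESSION['LoggedIn'], $_SESSION['UserName']);
        return false;
    }
    session_regenerate_id(true);    // fresh session ID once the user is authenticated
    $_SESSION['LoggedIn'] = true;   // assign a value; a bare $_SESSION['x']; stores nothing
    $_SESSION['UserName'] = $userName;
    return true;
}

// Guard for the top of each protected page, before any output is sent.
function require_login(string $loginUrl = '/login.php'): void
{
    start_session();
    if (empty($_SESSION['LoggedIn'])) {
        header('Location: ' . $loginUrl);
        exit;
    }
}
```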

Message #3 by "Gellings, C.O." <gellingsco@p...> on Mon, 03 Feb 2003 23:38:37 +0100
How do you have your form submit to itself or to other forms???

You might use <form method="POST/GET" action="file_name.php?<?=SID;?>">

Carl


Message #4 by "Bob Leitner" <bleitner@c...> on Wed, 5 Feb 2003 14:21:44
Thanx for your input, and yes it did have to do with not storing a 
value in the variable. Thanx also for your other post about sessions, it 
gave me a much better understanding of how sessions work and a better way 
to solve my login problem. 

