I started programming in php this week and decided to make a login page. When I finished it correctly logs someone in but then when going to a different page, it doesn't remember your username (the $_session variables are all blank). When I tried debugging I found that the session variable was blank when I opened the new page. I set up a simple example (detailed below) to test the session variables...

An expected response would be:

The content of $_SESSION['sess_var'] is Hello World

next page

The content of $_SESSION['sess_var'] is Hello World

next page



Instead, in the second instance it becomes

The content of $_SESSION['sess_var'] is


I think that it would most probably be a settings in my php.ini file are incorrect, but I'm not sure. Can anyone help?

Yours-in-code
Sameer Parker

Neutron Boy strikes again

This is likely one of our most frequently asked questions. Some day I'll actually get around to making a tutorial on it in the PHP_FAQs forum.

From the looks of your script, it appears that you are using cookies to pass the session id. The session id is a random string of letters and numbers that you pass to the client who in turn passes it back to the server with every new page request. When session_start() is called, it outputs a cookie in the HTTP response headers that contains this id. The cookie is stored on the client's computer, and then passed back to the server with each new page request. Because the cookie is output in the HTTP response headers by session_start(), by default, there can be no output before the call to session_start(). Otherwise, the script should produce an error complaining to the effect of "cannot start session, script output already started at line x".

That said, there a few things that you can do to remedy the problem. The first is avoiding cookies to pass around the session id. Most browsers today have cookies disabled by default, which makes cookies a less user-friendly method of perpetuating the session. If you must use cookies, then you must ensure that they are enabled in your browser, this is done by enabling first-party cookies, or session cookies. Then make sure you have no output, whitespace, HTML, or anything else before the call to session_start()... such as //page1.php
<h1><?php session_start();... the <h1> before the call to session_start() should be causing errors in your script like the one I described.

A second method is to embed the session id directly in the URL using query string arguments.

This method will pass around the session id using the URL, effectively bypassing cookies.

The last method is the same as the last step, but requires a change to the php.ini configuration file, and that is to give the session.use_trans_id directive a value of 1. This directive will automatically put the session_id in all of the URLs, forms, etc. Personally, I prefer to do it manually with the second method.

The most important thing to take away from all of this is that it is imperative that the session id make the journey from server to client and from client to server with each page request requiring sessions.

For further reference, read the PHP manual entry for sessions:
http://www.php.net/session

HTH!

Regards,
Rich

::::::::::::::::::::::::::::::::::::::::::
The Spicy Peanut Project
http://www.spicypeanut.net
::::::::::::::::::::::::::::::::::::::::::

Thanx a million.

It seems that first-party cookies were disabled. I do however, see your point and am changing passing the session id from page to page.

Always-in-Debt
Sameer

Neutron Boy strikes again

Rich said:
A second method is to embed the session id directly in the URL using query string arguments.
************************************************** ******************

First, is there a way to hide or encode the session id when passing it through the URL?

Second, how would you send the session id using "header(location:page)"?

No, no way to hide the session variable, at least no fool proof way.

You can use a hidden input field and the POST method, or you can use a cookie. But anyone looking for a session id would be able to find it.

echo "<input type='hiddden' name='sid' value'".session_id()."'/>\n";

The same way that you would any other URL.
header('location: sompage.php?sid='.session_id());

Regards,
Rich

--
[http://www.smilingsouls.net]
[http://pear.php.net/Mail_IMAP] A PHP/C-Client/PEAR solution for webmail

If the php.ini file is unavailable through my web host, is it possible to manually set the trans sid through:
Once the session id is in the url, bookmarking the page will present yet another problem. yes?

Well bookmarking the page will indeed save the session id, but session ids are timely (set to expire after 15 minutes, by default). So once that session expires it won't matter if the user is still holding on to the id. You can prevent old sessions from being reactivated by upping the garbage collection probability in php.ini.

You can also set ini directives for PHP via a .htaccess file, if you are using the Apache server and PHP as an apache module.

The setup is very simple, in fact here is a snip from mine:
Save this as ".htaccess" if using Windows include the quotes while saving the file. This sets ini directives on a per directory basis, directives are also inherited to child directories. You can see if setting directives via this method was successful by running phpinfo(), new directive values appear under the "local" heading.

In this snip I upped grabage collection probability to 75%, that means there is a 75% chance that garbage collection will be preformed on every page request which leaves a pretty slim margin for outdated sessions perpetuating for very long.

If the information is sensitive and must remain secure. You can do a few things to increase user security. Lower the time limit on sessions, a couple of minutes seems the time on most banking websites. Up garbage collection probability to 100% to gaurantee outdated sessions are being trashed and never revived. Use SSL to transmit session ids to prevent session highjacking.

Any method of transmitting the session id can be compromised if the id is sent out in the open! Not a big deal for most websites, but something you want to make secure if you are doing anything with money or other sensitive information.


Regards,
Rich

--
[http://www.smilingsouls.net]
[http://pear.php.net/Mail_IMAP] A PHP/C-Client/PEAR solution for webmail

A few other techniques that I forgot to tell you about, use a .html extension for your scripts, that's what: AddType application/x-httpd-php .html does.

What you're doing here is hiding the fact that you're using PHP, which makes hacker attacks more difficult, since you are providing less information about your setup. That also involves using a generic 'sid=' for the session id instead of 'PHPSESSID='. Turn off expose PHP. Turn off all error reporting.

(just assuming security was your concern)


Regards,
Rich

--
[http://www.smilingsouls.net]
[http://pear.php.net/Mail_IMAP] A PHP/C-Client/PEAR solution for webmail