Hey guys...The problem is with the
if($_SESSION['authuser']!=1) line in the moviesite.php file as I can see in your code you have a semicolon at the end of the ); which must no be included after an if statement. You also forgot to put a semicolon to close out the "</a>" in the movie1.php file.

Edna,

Experienced everything you described, even the two files per session transaction(with one containing no information)in the \php\sessiondata directory.

In the php.ini file, I changed the session.cookie_path=C:\php\sessiondata to session.cookie_path=/ . Movie1.php & moviesite.php then passed session data as expected. I do not understand why this change in the ini file worked, but it worked! Maybe this will save you some time.

Thanks, folks, for all the help. Here's what I did with it:

1. OOOops! Thank you, LopezAF, for pointing out the semicolon (and lack of). I amended this first because it was easiest. Ran the scripts, sure that this was it, and got the same error as before.

2. Next easiest, Obewan. Thanks for this too. I looked at session.cookie_data and found it was already set to / . So I thought perhaps it ought to match session.save_path so changed it to match. This produced the same result (yes, I did restart Apache every time :-) ). Then I wasn't sure whether it had been originally set to / or ./ , so went back and changed it to / - same message. What do you have session.save_path set to?

3. Richard, I left yours till last because there was so much of it!

(i) yes, I have cookies enabled. I am using Opera by the way.

(ii) I am leaving the hard-coding of the session id for later, as the purpose of this exercise is to get it working just as it says in the book. But I won't forget it!

(iii) (your next message) I am saying that movie1.php writes the variables to the sessiondata file, but moviesite.php instead of reading that file creates a new one, with no data (because it doesn't have any new variables to write).

(iv) There are no messages at all except the Notice mentioned in my first post, engendered by moviesite.php. No error messages.

(v) All the folders and files I mentioned do exist.

(vi) I read your article on permissions and changed those for the SESSIONDATA folder to "full". Note that I am running Windows98SE not XP, so it was not exactly the same as you describe. Anyway it didn't make any difference.

(vii) I'm not sure what you mean when you say " if the user tries to access that page directly without being logged in". The page is only accessed by a link from movie1.php, never directly. I don't understand "logged in" - to what? (I'm not online - apache is running locally.)

(viii) and I do restart apache every time I change php.ini


Now thanks again to everybody. I feel very strongly that the answer lies somewhere in the session part of php.ini, but I won't be able to look at it now for another week. It would help if anybody could give me their version of the session directives - although it won't match mine, it might give a clue. Alternatively, can you point me at the source code for the function session_data() so I can see exactly what it's doing? I don't want to download the whole of the source just yet :-)

Sorry to give you all this trouble! Feel free to give up. I'll find the answer eventually, but am not averse to shortcuts. Don't want to be a nuisance, though.

Best regards

Edna

Sorry - I meant the code for session_start() !

Ok, what I was saying is if someone types in the path to the moviesite.php file directly, without first visiting the movie1.php page they'll see an undefined variable error since the "authuser" variable doesn't exist, nevermind that you only link to this from the one page and that you don't intend for it to be accessed directly, that doesn't mean someone couldn't just type in the path to that page to access it directly or that a search engine wouldn't follow that link and index the page. "Logged in" means that the user has been authenticated and can access your secret pages. From a real world standpoint its better to consider such things, which was the point I was trying to make, but I understand for the purposes of learning it's alright to ignore.

On to your other comments...

This narrows it down a little but there's still a few things to check.

To verify that sessions are working correctly, you need to verify that a session exists.

When you load the first page, does the session id appear in the url to the second page?

echo "<a href='http://localhost/moviesite.php?favmovie=$myfavmovie'>";

The session id looks like this:
sid=2b327030dd80abafcb2fe64e0872e392

or
PHPSESSID=2b327030dd80abafcb2fe64e0872e392

When you load up the page in a browser, this might appear directly in the URL. If the session id appears here, take note of it, If not, then cookies are being used to pass the session id and you'll need to locate the cookie manually and take note of the session id stored there. In Opera look under File -> Preferences -> Privacy -> Manage Cookies Then you should see a cookie entry under your domain for sid or PHPSESSID with the unique number for its value.

Click the link to the second page and compare the session ids. If they are identical then, all is well with sessions.

The next step is to check the session data file itself. Open the file in the sessiondata directory with the same name as the unique session id. Verify that there is a variable named authuser in that file and that it has the right value.

I haven't a clue of how to set permissions in versions of Windows previous to XP, which is why no instructions are included in my article.

My hunch is that a new session is being created when you click through to the second page. If this is the case, then it is probably an ini problem. If this is the case, post the session portion of your ini file here.

HTH!


Regards,
Rich

::::::::::::::::::::::::::::::::::::::::::
The Spicy Peanut Project
http://www.spicypeanut.net
::::::::::::::::::::::::::::::::::::::::::

Sorry forgot one thing..

To see what the session id is for the moviesite.php file you'll need to add the following after the call to session_start().

Regards,
Rich

::::::::::::::::::::::::::::::::::::::::::
The Spicy Peanut Project
http://www.spicypeanut.net
::::::::::::::::::::::::::::::::::::::::::

Thanks, Richard. I too think that moviesite is creating another session, hence the empty session files interleaved with those that contain data. I'll check that out and post the session part - again it will probably be at the weekend.

Regards

Edna

Hi, Richard, here's the latest. By the way, I do understand what you are saying about best practice, but I am treating this just as an exercise to understand PHP.

The sessionid does not appear in the url of moviesite, which is
http://localhost/moviesite.php?favmovie=Life+of+Brian
favmovie is initialised in movie1.php (the calling script).

I looked in preferences in opera, and there was no cookie associated with these two scripts. By the way, preferences is now in the Tools menu in Opera; I am sure it was under File before.

I put the line you suggested - "echo 'The session id is:'.session_id()."\n";" into moviesite.php, and got the following result:

The session id is:8be88b153c74def38dcd5a408f98b14b

Looking into the sessiondata folder, this file was present with no data in it. The file before it, with timestamp less than a minute before, had all the variables. So I guess moviesite.php is generating a new file instead of picking up the one that's there already.

Lastly, here is the relevant part of php.ini. I removed most of the comments except those that seemed relevant. Should there be a value in session.entropy_file?


[Session]
session.save_handler=files

session.save_path=E:\PHP1\sessiondata

session.use_cookies=1

; session.use_only_cookies=1

session.name=PHPSESSID

session.auto_start=0

session.cookie_lifetime=0

session.cookie_path=/

session.cookie_domain=

session.serialize_handler=php

session.gc_probability=1
session.gc_divisor=100

session.gc_maxlifetime=1440

session.bug_compat_42=1
session.bug_compat_warn=1

session.referer_check=

session.entropy_length=0

; Specified here to create the session id.
session.entropy_file=

;session.entropy_length=16

;session.entropy_file=/dev/urandom

session.cache_limiter=nocache

session.cache_expire=180

session.use_trans_sid=0

url_rewriter.tags="a=href,area=href,frame=src,inpu t=src,form=,fieldset="

Thanks again
Edna

Well, if you say that a cookie isn't present in Opera, then that's the problem. You should see in the cookies panel a reference to the domain, localhost, then within that an entry for the cookie data with the session id.

If you are certain that cookies are enabled in Opera, but the cookie containing the session id doesn't show up, then test the script in another browser, Mozilla, IE, Safari, Konqueror, whatever you are able to test on, ensuring that cookies are enabled in that browser then you'll know if it is PHP or Opera itself. From what you've shown me, I'm 99% sure that your cookie settings in Opera are the problem.

Other than that your ini file looks fine. It has all the values that it's supposed to have, you also say that sessions exist in the sessiondata directory, then all looks good with the PHP side of things.

As an even further test of PHP you can always just go to embedding the session id directly in the URL.

Furthermore this only requires one of two possible modifications, the first:

Modify this ini setting to a value of 1:
session.use_trans_sid = 1

Now the session id is output directly in the URL automatically by PHP.

Or as an alternative to the first method, the second method is to manually code the session id in the URL:
echo "<a href='http://localhost/moviesite.php?favmovie=$myfavmovie&PHPSESSID=".ses sion_id()."'>";

There are some potential security risks with including the session id in the URL manually, as you can see from the comments in the php.ini file for the session.use_trans_id directive, but that's another discussion all together.

Regards,
Rich

::::::::::::::::::::::::::::::::::::::::::
The Spicy Peanut Project
http://www.spicypeanut.net
::::::::::::::::::::::::::::::::::::::::::

Hi, Richard, thanks again.

I don't think we are supposed to be using cookies in this exercise - they come in page 55 :-), but I may be wrong, and I'll check it with other browsers as you suggest.

I'll try outputting the session id in the URL - may give a clue.

If this doesn't work, I am going to ignore it and go on to the cookie exercise, and may pick up some info along the way (eg that may not work either :-( ). I may also try the exercise in linux; but the whole idea of doing this under Windows was so that I didn't have to re-boot into another operating system every time I wanted to spend ten minutes on it.

Many thanks for all your help. I will come back to this sometime soon, when I get a result.

Edna