Hello.
I'm having a problem with my sessions & PHP sessions setup. I used one example membership code (an online example) as follows:
I have 2 login/procedure files:
1. checkuser.php (checks if the user has entered the correct username/pw) & other
2. login_success (if login correct, displays members area menu).
Both of these files deal with session_start(), session_register() and the $_SESSION variable. Schematic code preview (just the relevant code lines):
1. checkuser.php:
<?
session_start();
... some code...
session_register('first_name');
$_SESSION['first_name'] = $first_name;
session_register('last_name');
$_SESSION['last_name'] = $last_name;
session_register('email_address');
$_SESSION['email_address'] = $email_address;
session_register('special_user');
$_SESSION['user_level'] = $user_level;
mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");
header("Location: login_success.php");
...
2. login_success.php (login was correct):
<?
session_start();
echo "Welcome ". $_SESSION['first_name'] ." ". $_SESSION['last_name'] ."! You have made it to the members area!<br /><br />";
echo "Your user level is ". $_SESSION['user_level']." which enables you access to the following areas: <br />";
if($_SESSION['user_level'] == 0){
echo "- Forums<br />- Chat Room<br />";
}
if($_SESSION['user_level'] == 1){
echo "- Forums<br />- Chat Room<br />- Moderator Area<br />";
}
...
What happens:
When I enter username/password and press Submit, checkuser.php is called. After that, if all was OK, login_success.php is called. But my $_SESSION variables are not displayed (in login_success.php) at all. What's more, I get 3 sess_* files in my session.save_path, two empty, one has all session variables.
Now, normally I checked what the online PHP manual had to say, and got even more confused. Literally, quote: "Caution: If you are using $HTTP_SESSION_VARS/$_SESSION and disable register_globals, do not use session_register(), session_is_registered() and session_unregister(). If you enable register_globals, session_unregister() should be used since session variables are registered as global variables when session data is deserialized. Disabling register_globals is recommended for both security and performance reasons" - end quote.
Nevertheless, I excluded session_register('...') from the code, and the same thing happened (3 sess_* files, two empty, one correct, and my session variables are not displayed on the login_success.php page). And it became clear to me that every time session_start() is used, a new sess_* file was made.
Finally, I assumed that there's some misconfiguration in my php.ini file. I have compared it with the one from the online manual and can't see any differences (and even more, this is the same php.ini from the PHP4.3.3. zip package I installed). I only corrected the path for sessions and cookies. If needed, I will post it.
Now, I have this configuration: Microsoft IIS 5.0 SP4 server, PHP 4.3.3. (ISAPI), all that on W2000 SP4. (Perhaps I will change this again).
Now that I had finally chosen my server configuration, finally tuned my mail server, and almost finished my PHP study, I come to this stupidity. Must be that I really do have a problem with (file) sessions (and my biggest enemy yet = php.ini).
Can anyone please suggest what this problem might be?
Concerning that I DO WANT TO HAVE Register_globals=Off, and I don't care too much about url trails or cookies (whether they exist or not), to what I plan to do, http security won't become so much security problem.
Thanks in advance.
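
Added example, not part of the original post: a single diagnostic page for the symptom described above, where each session_start() leaves a new sess_* file. It reports whether the request carried a session ID at all and prints the php.ini session settings that control storage and ID transport. The file name sesscheck.php and the 'hits' key are assumptions made for illustration.

```php
<?php
// sesscheck.php (hypothetical name): load it, then reload it in the same browser.
// Added diagnostic, not code from the original post.
session_start();

$name      = session_name();           // cookie/URL parameter name, PHPSESSID by default
$viaCookie = isset($_COOKIE[$name]);   // the browser sent the session cookie back
$viaUrl    = isset($_GET[$name]);      // the ID arrived in the query string instead

// 'hits' is a constructed counter key; it only grows when the same session is reused.
if (!isset($_SESSION['hits'])) {
    $_SESSION['hits'] = 0;
}
$_SESSION['hits']++;

header('Content-Type: text/plain');
echo "session name        : $name\n";
echo "session id (prefix) : " . substr(session_id(), 0, 8) . "...\n";
echo "id sent via cookie  : " . ($viaCookie ? 'yes' : 'no') . "\n";
echo "id sent via URL     : " . ($viaUrl ? 'yes' : 'no') . "\n";
echo "hits in this session: " . $_SESSION['hits'] . "\n\n";

// Settings that decide where session data is stored and how the ID travels.
$settings = array(
    'session.save_path', 'session.use_cookies', 'session.use_only_cookies',
    'session.use_trans_sid', 'session.cookie_path', 'session.cookie_domain',
    'session.cookie_lifetime',
);
foreach ($settings as $key) {
    echo str_pad($key, 26) . '= ' . var_export(ini_get($key), true) . "\n";
}

// save_path may be written as "N;/path"; the directory is the last field.
$dir = (string) ini_get('session.save_path');
if (strpos($dir, ';') !== false) {
    $dir = substr($dir, strrpos($dir, ';') + 1);
}
if ($dir === '') {
    $dir = sys_get_temp_dir();         // an empty save_path falls back to the temp dir
}
echo "\nsave dir writable   : " . (is_writable($dir) ? 'yes' : 'no') . " ($dir)\n";

if (!$viaCookie && !$viaUrl) {
    echo "\nNo session ID came with this request, so session_start() began a new\n";
    echo "session. If this still shows after a reload, the ID is not being returned.\n";
}
```

On the first request "no / no" and a hit count of 1 are expected; the second request is the one that shows whether the ID is coming back.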