Session problems!!


soccerdudez8
03-04-2004, 10:26 PM
I'm new to PHP, and I'm having trouble with probably one of the easiest things, sessions. I'm trying to create a user login script that reads info from a database and puts it into a session. Look at the code for yourself.



<?php

$login_error = false;   // must be set before login_user() runs, otherwise it overwrites the flag the function sets

// $username and $password come from register_globals here; $_POST is only used for the emptiness check
if(!empty($_POST["username"]) && !empty($_POST["password"])){
    login_user(login_reformat($username), login_reformat($password));
}

function login_reformat($str){
    $str = trim($str);
    $str = addslashes($str);
    $str = EscapeShellCmd($str);
    $str = substr($str,0,20);
    return $str;
}

function login_user($user,$pass){
    global $login_error;
    $conn = dbconn(); //database connection function
    $query = "..."; //query goes here

    if(!($result = mysql_query($query, $conn)))
        mysqlerror(); //custom error handling

    if(mysql_num_rows($result) !== 1){
        $login_error = true;
        return;             // no row to compare against, so stop here
    }

    if(!($row = @ mysql_fetch_array($result)))
        mysqlerror();

    if(!($user==$row["username"]) || !($pass==$row["password"])){
        $login_error = true;
        return;
    }

    $row["logins"]++;
    $curdate = date("Y-m-d");
    $query = ".."; //query for updating number of logins

    if(!(mysql_query($query,$conn)))
        mysqlerror();

    // the session is only started now, after the database calls and any output they produced
    session_start();
    session_register("user");   // registers the *global* $user; the local $user assigned below is the function parameter
    $user = array("username" => $row["username"], "first_name" => $row["first_name"],
                  "last_name" => $row["last_name"], "email" => $row["email"],
                  "security_level" => $row["security_level"],
                  "options" => serialize($row["options"]), "logged_in" => true);

    header("location: msg.php?txt=" . urlencode("Login successful! Welcome {$row["first_name"]} {$row["last_name"]}!")
           . "&r=" . urlencode("index.php?" . SID));
    exit;
}

?>



What happens is that the code reads from the database fine, supposedly starts the session, and returns a message page; the only problem is that the session does NOT start. It's true. I ran a script in "index.php" so that it displayed all of the contents of the session, and it turned up empty. I've looked at my host's php.ini settings and it allows sessions (I'm at www.freepgs.com). Is it possible that I am trying to access the session information incorrectly? I don't think so, but this is what I do...


<?php

$user_logged_in = ($_SESSION["user"]["logged_in"] === true) ? true : false;

$admin_security = (strtolower($_SESSION["user"]["security_level"]) == "secret code here") ? true : false;

?>



What am I doing wrong?

kryptech.net
03-05-2004, 11:01 AM
The first line of each of your scripts using sessions must have session_start(); declared:

session_start();
echo "hello";

bdl
03-05-2004, 11:38 AM
You should always use session_start() at the top of every script you need to access sessions on, due to the fact that if you use cookies, you'll get a headers error if you happen to output something prior to starting the session. In your first script, for example, if the MySQL connection or resultset fails, you call a custom function mysqlerror(). If that outputs anything to the screen, the session will likely fail with a header error. It might be true that your mysqlerror() function kills the script anyway, but it's always good practice to get into. Obviously your second script doesn't start a session, so the session variables aren't available anyway.

You also have a potentially invalid mix of the deprecated function session_register() along with the superglobal $_SESSION. In your first script, rather than use session_register(), do it like this:

$_SESSION['user'] = 'somevalue';


If register_globals is off in your PHP config, the way you set the session variable 'user' won't work. Learn to rely on superglobals.

Please review the PHP manual entry for session_register() (http://us2.php.net/session_register), all the details are there.
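The login script from the first post reorganised the way bdl describes, as an added example that is not the original poster's code or anything else from this thread: session_start() runs first, before any output, and the user record is written to $_SESSION directly instead of through session_register(). Database access uses PDO with a prepared statement in place of the page's mysql_query() calls, passwords are assumed to be stored as password_hash() output rather than compared in plain text, and the users table columns (id, username, password, first_name, last_name, email, security_level, logins, last_login) and the DSN are assumptions.

```php
<?php
// Added example, not the original poster's code: the login flow from the
// first post restructured as bdl suggests. session_start() is the first
// statement, before any output, and the user record goes into $_SESSION
// directly instead of through session_register(). Assumed: a PDO connection
// and a users table with columns id, username, password (a password_hash()
// value), first_name, last_name, email, security_level, logins, last_login.

session_start();   // first, before any byte of output, so the cookie header can still be sent

function login_user(PDO $db, $username, $password) {
    // Look the account up by username alone and verify the password in PHP:
    // the prepared statement does the quoting the original did with
    // addslashes(), and password_verify() handles the comparison.
    $stmt = $db->prepare(
        'SELECT id, username, password, first_name, last_name, email, security_level'
        . ' FROM users WHERE username = ?'
    );
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return false;   // unknown user and wrong password look identical to the client
    }

    $db->prepare('UPDATE users SET logins = logins + 1, last_login = CURDATE() WHERE id = ?')
       ->execute(array($row['id']));

    // Store what later pages need and nothing secret: no password, no hash.
    $_SESSION['user'] = array(
        'id'             => $row['id'],
        'username'       => $row['username'],
        'first_name'     => $row['first_name'],
        'last_name'      => $row['last_name'],
        'email'          => $row['email'],
        'security_level' => $row['security_level'],
        'logged_in'      => true,
    );
    return true;
}

// What index.php and every other page do: session_start() at the top, then read.
function user_logged_in() {
    return isset($_SESSION['user']['logged_in']) && $_SESSION['user']['logged_in'] === true;
}

$login_error = false;

if (!empty($_POST['username']) && !empty($_POST['password'])) {
    // Read the credentials from $_POST, never from register_globals variables.
    $username = substr(trim($_POST['username']), 0, 20);
    $password = $_POST['password'];    // not trimmed or truncated: it must match what was hashed

    $db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass'); // assumed DSN
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    if (login_user($db, $username, $password)) {
        $name = $_SESSION['user']['first_name'] . ' ' . $_SESSION['user']['last_name'];
        // Redirect without appending SID: the session id travels only in the cookie.
        header('Location: msg.php?txt=' . urlencode("Login successful! Welcome $name!")
             . '&r=' . urlencode('index.php'));
        exit;
    }
    $login_error = true;
}
```

Because the $_SESSION assignment and the redirect both happen after session_start() and before any output, the session cookie goes out in the same response as the Location header; index.php then only needs its own session_start() at the top before calling user_logged_in(). If a database error is reported with die() before session_start(), as in the original, the session cookie is never set, which is why the call belongs on the first line.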

soccerdudez8
03-05-2004, 11:43 AM
Thanks. My sessions work now. I guess I misread the session_register() entry. The mysqlerror() function does this, so I don't think I should get any errors...

function mysqlerror(){
    die("MySQL error " . mysql_errno() . " : " . mysql_error());
}


By the way kryptech.net, what did you mean by "30 days and we go public with the information"?

Thanks for everyone's help.

bdl
03-05-2004, 01:50 PM
Well, again, since the mysqlerror() function actually kills the script, you're ok; at that point starting a session or not starting the session with a cookie is a moot point. If you had simply echo'd something to the screen rather than call die() it would probably fail. Best bet is to put it as the first line of your script anyway. ;-)

kryptech.net
03-05-2004, 06:18 PM
That's just my sig (signature)... maybe I should change it to something about anime... By the way, good luck with the script.

soccerdudez8
03-05-2004, 09:37 PM
Thanks

gsoft
03-05-2004, 10:03 PM
A quick thing on sessions: don't put anything important in them, e.g. usernames, passwords etc. This will only identify the user and allow for session hijacking. I'm pretty sure the link that bdl showed talks about it further.

soccerdudez8
03-05-2004, 10:18 PM
I wouldn't think of putting somebody's password into the session, but would it be a major security risk if a username is stored?

You make a good point though, that I just thought of. If I leave the security code to get into administrative areas in the session, that could make it all too easy for a hacker.

darelf
03-08-2004, 09:04 AM
I have a related security question:

I have php code that sets a flag, basically telling if the user is logged in or not, in the session, and the username.

Is there a safer way to do this? Is this the "best" way to do this?

kryptech.net
03-08-2004, 11:07 AM
You might keep track of their IP in a MySQL database and whether they were logged in or not...

soccerdudez8
03-08-2004, 05:56 PM
Good idea. I might encrypt their username too.

kryptech.net
03-08-2004, 06:16 PM
Yeah, be sure to unencrypt it when entering it with md5($username) or whatever variable you're using.

soccerdudez8
03-08-2004, 06:38 PM
Ok, thanks.

gold_dragon
03-24-2004, 02:51 PM
What about private IP addresses and NAT?

I had run a script that changed the design of the site based on the IP address, which I stored in the database. This was a problem, as when someone on the school network changed the site, the site was changed for me also. If you store it only by IP, then the whole network will be signed on.



The script will have to check to make sure that the IP address only pertains to the session and nothing else.

kryptech.net
03-24-2004, 05:58 PM
And use a pseudo-random ID algorithm, like random numbers and the seconds, days, years, and randomness thrown in everywhere.

gold_dragon
03-25-2004, 01:36 AM
Originally posted by kryptech.net:
And use a pseudo-random ID algorithm, like random numbers and the seconds, days, years, and randomness thrown in everywhere.

My brain just exploded from how complicated this would make the application. I'm just starting to learn how to control the handling of sessions.

Actually, what I did was put the session id in the table of the user information and took the username and other administration information from that table. I would have liked to have done this from the session handling functions, but that would require regular expressions and there was a chance of spending 8 hours trying and then not having it work. Easier to just do it elsewhere.
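A per-request guard for the hijacking concern gsoft raises, soccerdudez8's worry about leaving the admin security code in the session, darelf's question about the logged-in flag, and the IP-tracking idea with gold_dragon's NAT caveat, as an added example rather than code from anyone in the thread. It follows gold_dragon's approach of keeping the session id in the user table, but stores a SHA-256 hash of it rather than the id itself, and reads security_level from the database on every request instead of trusting a value in the session. The client IP is deliberately not used. The users table columns (id, username, security_level, session_hash), the 'admin' security level and the PDO connection are assumptions; session_set_cookie_params() with an options array needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. Session handling that keeps only
// a user id in $_SESSION, binds the session to the user's database row, and
// reads authorisation data from the database on every request.
// Assumed schema: users(id, username, security_level, session_hash).

// Harden the cookie before the session starts. use_strict_mode makes PHP
// refuse session ids it never issued, so an attacker cannot plant the id a
// victim will log in with (session fixation); use_only_cookies keeps the id
// out of URLs, and therefore out of logs, bookmarks and Referer headers.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(array(      // array form requires PHP 7.3+
    'httponly' => true,   // script cannot read it, limits theft via XSS
    'secure'   => true,   // sent over HTTPS only; assumes the site uses TLS
    'samesite' => 'Lax',
));
session_start();

// Only a hash of the session id is stored server-side, so a database read
// (a backup, an injection elsewhere) does not hand out usable session ids.
function session_fingerprint() {
    return hash('sha256', session_id());
}

// Call once, immediately after the password check succeeds. Regenerating the
// id makes any id captured or planted before login worthless, and the row
// update means one account has exactly one live session.
function bind_session_to_user(PDO $db, $user_id) {
    session_regenerate_id(true);                  // fresh id, old session data removed
    $_SESSION = array('user_id' => (int)$user_id);   // nothing else is stored
    $db->prepare('UPDATE users SET session_hash = ? WHERE id = ?')
       ->execute(array(session_fingerprint(), (int)$user_id));
}

// Call at the top of every protected page. Returns the user's row or null.
// security_level comes from the database, not from the session, so a role
// change or a forced logout (clearing session_hash) takes effect on the very
// next request. The client IP is not checked: everyone behind one NAT
// gateway shares it, and mobile clients change it mid-session.
function current_user(PDO $db) {
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username, security_level FROM users'
                       . ' WHERE id = ? AND session_hash = ?');
    $stmt->execute(array((int)$_SESSION['user_id'], session_fingerprint()));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Row no longer matches: logged in elsewhere, logged out, or a stale
        // or forged session. Throw the whole session away.
        $_SESSION = array();
        session_destroy();
        return null;
    }
    return $row;
}

function logout(PDO $db) {
    if (!empty($_SESSION['user_id'])) {
        $db->prepare('UPDATE users SET session_hash = NULL WHERE id = ?')
           ->execute(array((int)$_SESSION['user_id']));
    }
    $_SESSION = array();
    session_destroy();
}

// On an admin page (assumes $db is an open PDO connection and that the
// admin role is the string 'admin'; the thread's "secret code" stays in
// the database, never in the session):
//
//   $user = current_user($db);
//   if ($user === null || $user['security_level'] !== 'admin') {
//       header('Location: login.php');
//       exit;
//   }
```

With this layout the session file holds one integer, so even a stolen session id only works until the user logs in again or an administrator clears session_hash, and the admin check cannot be satisfied by anything a client controls. Encrypting or md5-hashing the username inside the session, as discussed above, adds nothing here: the username is never in the session at all.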