sending session cookie before redirect

Hi!

I have a function in a lot of pages, which redirects to a new page, if
a form has been submitted:

if (!(defined("DEBUG_INSERT") && DEBUG_INSERT) &&
    !(defined("DEBUG_UPDATE") && DEBUG_UPDATE) &&
    !(defined("DEBUG_SELECT") && DEBUG_SELECT)){
    if ($_POST){
        $_SESSION["postvalue"] = $_POST;
        header("HTTP/1.1 302 Moved Temporarily");
        header ("Location: ".BASE_URL.$sess->assemble(),true, 302);
        header("Connection: close");
        exit();
    }else{
        if (isset($_SESSION["postvalue"])){
            $_POST = $_SESSION["postvalue"];
        }
    }
}

In conjunction with a login form and a browser that accepts cookies
for the session handling, this leads to everyone having to enter his
login and password twice.

I believe this is because the cookie does not get sent before the
header ("Location:
Has anyone an idea how to force this or send them by hand?

Cheers, Jochen
--
Jochen Daum - CANS Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/
Jul 16 '05 #1
A Martian named "Jochen Daum" <jo*********@cans.co.nz> telepathically
imparted message <pn********************************@4ax.com> to us on
Thu, 04 Sep 2003 23:57:35 -0500:
Hi!

I have a function in a lot of pages, which redirects to a new page, if a
form has been submitted:

if (!(defined("DEBUG_INSERT") && DEBUG_INSERT) &&
    !(defined("DEBUG_UPDATE") && DEBUG_UPDATE) &&
    !(defined("DEBUG_SELECT") && DEBUG_SELECT)){
    if ($_POST){
        $_SESSION["postvalue"] = $_POST;
        header("HTTP/1.1 302 Moved Temporarily");
        header ("Location: ".BASE_URL.$sess->assemble(),true, 302);
        header("Connection: close");
        exit();
    }else{
        if (isset($_SESSION["postvalue"])){
            $_POST = $_SESSION["postvalue"];
        }
    }
}
}
In conjunction with a login form and a browser that accepts cookies for
the session handling, this leads to everyone having to enter his login
and password twice.

I believe this is because the cookie does not get sent before the header
("Location:
Has anyone an idea how to force this or send them by hand?

Cheers, Jochen


Keep it simple:

session_start();
if (!isset($_SESSION['postvalue'])):
    header ("HTTP/1.1 302 Moved Temporarily to Singapore");
    header ("Location: http://myhost.com/login.php");
    exit();
endif;
$_POST = $_SESSION['postvalue'];
// show the page

BTW, is there any reason that you just *have* to
use $_POST for all the pages? $_POST is only needed to
retrieve the variables from the (login?) form. After that,
you are free to do everything in $_SESSION['postvalue'].

The "to Singapore" part is just a jest. Don't include it :D
Jul 16 '05 #2
HI Gary!

On Sun, 07 Sep 2003 09:31:51 GMT, Gary Petersen
<ga*******@REMOVE.MEearthlink.INVALID> wrote:
A Martian named "Jochen Daum" <jo*********@cans.co.nz> telepathically
imparted message <pn********************************@4ax.com> to us on
Thu, 04 Sep 2003 23:57:35 -0500:
Hi!

I have a function in a lot of pages, which redirects to a new page, if a
form has been submitted:

if (!(defined("DEBUG_INSERT") && DEBUG_INSERT) &&
    !(defined("DEBUG_UPDATE") && DEBUG_UPDATE) &&
    !(defined("DEBUG_SELECT") && DEBUG_SELECT)){
    if ($_POST){
        $_SESSION["postvalue"] = $_POST;
        header("HTTP/1.1 302 Moved Temporarily");
        header ("Location: ".BASE_URL.$sess->assemble(),true, 302);
        header("Connection: close");
        exit();
    }else{
        if (isset($_SESSION["postvalue"])){
            $_POST = $_SESSION["postvalue"];
        }
    }
}
}
In conjunction with a login form and a browser that accepts cookies for
the session handling, this leads to everyone having to enter his login
and password twice.

I believe this is because the cookie does not get sent before the header
("Location:
Has anyone an idea how to force this or send them by hand?

Cheers, Jochen
Keep it simple:

session_start();
if (!isset($_SESSION['postvalue'])):
    header ("HTTP/1.1 302 Moved Temporarily to Singapore");
    header ("Location: http://myhost.com/login.php");
    exit();
endif;
$_POST = $_SESSION['postvalue'];
// show the page


How does the value of all form fields get into $_SESSION?
BTW, is there any reason that you just *have* to
use $_POST for all the pages? $_POST is only needed to
retrieve the variables from the (login?) form.


No. I have eg. a form on nearly every page to change filters of the
data displayed etc.

Jochen
--
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/
Jul 16 '05 #3
On Sun, 07 Sep 2003 21:56:31 +1200, Jochen Daum wrote:
How does the value of all form fields get into $_SESSION?


you have to put it there, by simple assignment:

$_SESSION['parameter'] = $_POST['parameter'];

or something to that effect.
Jul 16 '05 #4
Hi Gerhard!

On Sun, 07 Sep 2003 12:16:26 -0700, Gerhard Fiedler
<no****@globo.com.REMOVE> wrote:
On Sun, 07 Sep 2003 21:56:31 +1200, Jochen Daum wrote:
How does the value of all form fields get into $_SESSION?


you have to put it there, by simple assignment:

$_SESSION['parameter'] = $_POST['parameter'];

Well, I understand that. That's why I had it there in the original
post.

Any suggestions for my original problem?

Jochen
--
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/
Jul 16 '05 #5
A horsie named Jochen Daum demonstrated surprising intelligence and
its ability to use morse code on Sun, 07 Sep 2003 04:56:31 -0500 when
it tapped <9u********************************@4ax.com> with its hoof:
HI Gary!

Hi Jochen!
On Sun, 07 Sep 2003 09:31:51 GMT, Gary Petersen
<ga*******@REMOVE.MEearthlink.INVALID> wrote:
[...]
Keep it simple:

session_start();
if (!isset($_SESSION['postvalue'])):
    header ("HTTP/1.1 302 Moved Temporarily to Singapore");
    header ("Location: http://myhost.com/login.php");
    exit();
endif;
$_POST = $_SESSION['postvalue'];
// show the page


How does the value of all form fields get into $_SESSION?


The login.php page should present a username/password form
to the user. When the user submits the form, the form's data
would go to a process_login.php page. If the username and
password are correct, process_login.php would put all of
the necessary data into $_SESSION['postvalue']. The password
does not need to be stored in the session.

BTW, is there any reason that you just *have* to
use $_POST for all the pages? $_POST is only needed to
retrieve the variables from the (login?) form.


No. I have eg. a form on nearly every page to change filters of the
data displayed etc.


To make my life easier, I would do this:

if (isset($_POST['somevariable'])) {
    $_SESSION['displayform'] = $_POST;
    $disp = & $_SESSION['displayform'];
}

Then I would use $disp for everything on the page.
"Somevariable" is just any variable that you can use
to make sure that the form variables are there.
Good luck.

PS.
Unless you are running on a dedicated server, sessions
are not all that secure.
Jul 16 '05 #6
On Mon, 08 Sep 2003 07:41:24 +1200, Jochen Daum wrote:
Well, I understand that. That's why I had it there in the original
post.
I only looked at the post I answered to... :-/
Any suggestions for my original problem?


It seems Gary answered. But for more, I guess some more code would be
necessary. At first sight (without actually testing it) there seems
nothing wrong with your code.

You say that you do something with cookies -- but there's no cookie
code in what you posted. You can look at the cookie (at the client),
and you can also look at the headers that get exchanged (use something
like Proxomitron) to make sure they do what you want them to do.

You can also dump your postvalue and _POST arrays at various points to
make sure they contain what you expect them to contain. That should
get you closer to the point where things start to diverge from what
you think they should do.

Jul 16 '05 #7
Hi Gary!

....
[...]
Keep it simple:

session_start();
if (!isset($_SESSION['postvalue'])):
    header ("HTTP/1.1 302 Moved Temporarily to Singapore");
    header ("Location: http://myhost.com/login.php");
    exit();
endif;
$_POST = $_SESSION['postvalue'];
// show the page

How does the value of all form fields get into $_SESSION?


The login.php page should present a username/password form
to the user. When the user submits the form, the form's data
would go to a process_login.php page. If the username and
password are correct, process_login.php would put all of
the necessary data into $_SESSION['postvalue']. The password
does not need to be stored in the session.

Sorry, you misunderstand the problem slightly. The data stored in
postvalue is not the data from the login form, but from another form.
It should actually be all form data that is sent by post in a whole
application (meaning a set of web pages). The problem is that if I
run the function above (my original one) every time there is a post
form (including the login), then the user gets prompted twice for the
password/username. This is IMO because the cookie with the PHPSESSID
is not sent to the client browser before the header ("Location" line.
I think it is like that, because
1.) it works fine if I exclude the login form from the ones handled
by this function
2.) it works with a browser denying all cookies.

BTW, is there any reason that you just *have* to
use $_POST for all the pages? $_POST is only needed to
retrieve the variables from the (login?) form.


No. I have eg. a form on nearly every page to change filters of the
data displayed etc.


To make my life easier, I would do this:

if (isset($_POST['somevariable'])) {
    $_SESSION['displayform'] = $_POST;
    $disp = & $_SESSION['displayform'];
}

Then I would use $disp for everything on the page.
"Somevariable" is just any variable that you can use
to make sure that the form variables are there.


I thought of marking the login form with a hidden field, so that I can
recognise it, but I actually want the functionality also for the login
form. It's basically about usability against speed. The users don't
understand what they have to do if the browser asks them if they
want to resubmit the data. That's why I redirect them to a GET request
every time, so that the message doesn't come up.
PS.
Unless you are running on a dedicated server, sessions
are not all that secure.


I do.

Jochen

--
Jochen Daum - CANS Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/
Jul 16 '05 #8
Hi Gerhard,
Any suggestions for my original problem?
It seems Gary answered. But for more, I guess some more code would be
necessary. At first sight (without actually testing it) there seems
nothing wrong with your code.

You say that you do something with cookies -- but there's no cookie
code in what you posted. You can look at the cookie (at the client),
and you can also look at the headers that get exchanged (use something
like Proxomitron) to make sure they do what you want them to do.


When you use PHP sessions, a unique ID is transported to the browser
by a cookie, if the browser accepts it. AFAIK on the first request
there is always a cookie sent, and if it wasn't there and a session
has been started with the SID parameter in the URL none gets sent.

This is the cookie I'm talking about. My original problem is, that if
I run the original function on all pages, the user gets prompted twice
for username/password. This is IMO, because this cookie (for
successful login) is not sent through before the header command.
You can also dump your postvalue and _POST arrays at various points to
make sure they contain what you expect them to contain. That should
get you closer to the point where things start to diverge from what
you think they should do.


They seem to look fine. I'll have a closer look soon.

Jochen
--
Jochen Daum - CANS Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/
Jul 16 '05 #9
A horsie named Jochen Daum demonstrated surprising intelligence and its
ability to use morse code on Sun, 07 Sep 2003 23:35:14 -0500 when it
tapped <o1********************************@4ax.com> with its hoof:
Hi Gary!
Hi Jochen!
[...] every time there is a post form
(including the login), then the user gets prompted twice for the
password/username. This is IMO, because the cookie with the PHPSESSID is
not sent to the client browser, before the header ("Location" line. I
think it is like that, because
1.) it works fine, if I exclude the login form from the ones handled by
this function
2.) it works with browser denying all cookies.
[...]


Maybe you are not starting the session early enough on one
of your pages.

The session has to exist *before* the login process starts,
so if you have a login.php page that presents a login form to
the user, make sure that it starts the
session with session_start() -- right at the top of the page--
before the user gets to do anything (even log in). And then each
page in the system does the same, starting the session as
the first thing.

Separate the concept of a session from the concept of an
authenticated user. It's possible to have a session where
the user is un-authenticated, and it's possible to have a
session where the user is authenticated.

Jul 16 '05 #10
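
Added example, not part of the thread and not any poster's code: one way to combine the advice in post #10 (start the session first on every page, keep "has a session" separate from "is authenticated") with the POST-then-redirect function from post #1 and the remark in post #6 that the password does not need to be stored in the session. SELF_PATH, check_credentials(), the username/password field names and the 'user' session key are assumptions made for the illustration; it is written to be served as index.php, for instance by PHP's built-in web server.

```php
<?php
// Added example, not code from the thread. Hypothetical names: SELF_PATH,
// check_credentials(), the 'username'/'password' fields, the 'user' key.
declare(strict_types=1);

const SELF_PATH = '/index.php';   // fixed redirect target, never client-supplied

// Start the session first on every page, login page included, before any
// output or header() call. The session cookie's Set-Cookie header is queued
// here and leaves with whatever response follows, a redirect included.
session_start();

// Constructed demo check; a real one would use password_verify() on a stored hash.
function check_credentials(string $user, string $pass): bool
{
    return $user === 'demo' && hash_equals('constructed-demo-secret', $pass);
}

// Keep a POST body for the follow-up GET, minus fields that must not persist.
function stash_post(array $post): void
{
    unset($post['password']);
    $_SESSION['postvalue'] = $post;
}

// Hand the stashed values to the page once, then forget them.
function take_stashed_post(): array
{
    $values = $_SESSION['postvalue'] ?? [];
    unset($_SESSION['postvalue']);
    return is_array($values) ? $values : [];
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $user = $_POST['username'] ?? null;
    $pass = $_POST['password'] ?? null;
    if (is_string($user) && is_string($pass) && check_credentials($user, $pass)) {
        // The session already existed while the visitor was anonymous;
        // authentication is a state inside it. Issue a fresh session ID at
        // the privilege change so a pre-login ID cannot be reused.
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
    }
    stash_post($_POST);
    // 303 makes the browser fetch the target with GET, so a reload does not
    // bring up the "resubmit form data?" prompt.
    header('Location: ' . SELF_PATH, true, 303);
    exit();
}

$form = take_stashed_post();
header('Content-Type: text/plain; charset=utf-8');
echo isset($_SESSION['user'])
    ? 'authenticated as ' . $_SESSION['user'] . "\n"
    : "anonymous session\n";
echo 'form values from the last POST: ' . json_encode($form) . "\n";
```

Watching the response headers of the POST (as post #7 suggests) shows whether Set-Cookie and Location arrive together on the redirect.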
