
Passing SESSIONS with trans_sid switched off

I want to use sessions to cover myself in case the user switches off cookies
so I am passing the session ID manually through a hidden input field. This
is what I have so far.

index.php page contains:

<?php

$_SESSION['entered_username'] = "";
$_SESSION['login'] = "";
$PHPSESSID = session_id();

echo "<form method='POST' action='login.php'>
<b>Username:</b>
<input type='text' name='username'>
<b>Password:</b>
<input type='password' name='password'>
<input type='hidden' name='PHPSESSID' value='$PHPSESSID'>
<input type='submit' value='Login'>
</form>";

?>

Now, viewing the source with this page open in the browser, I can see that
the session ID is in the hidden field. According to the book I'm reading,
"PHP will automatically get $PHPSESSID without anymore programming from you
on the login page"
The part of the next page (login.php) that is processing the login is as
follows:

if(mysql_num_rows($result) == 1)
{
$_SESSION['entered_username'] = $_POST['username'];
$_SESSION['login'] = 'yes';
header('refresh: 3; url=member.php');
echo "<h2><center>You have been validated. Please wait, logging you in. .
..</h2><br>
<center>If your browser doesn't support redirection and you're still here in
3 seconds, <a href='member.php'>click here</a></center>";
}
else
{
header('refresh: 5; url=index.php');
echo "<b><u><center>Login failure </b></u><br>Username/Password mismatch.
Sit tight, we're sending you back to the login page in 5 seconds.<br>
If your browser doesn't support redirection and you're still here in 5
seconds, <a href='index.php'>click here</a></center>";
}

Now we get to the member.php page and the following happens:

Notice: Undefined index: login in C:\Web\member.php on line 10

Line 10 reads:

if ($_SESSION['login'] != 'yes')
{
echo "<b><u><center>You haven't logged on!</b></u><p>
<a href='index.php'>Click Here</a> to return to the login page";
exit();
}

This is where it kicks me out. The code on the member.php page is designed
to stop users doing anything before they log in but unless I can pass the
session data between pages, the result of the if statement will always be
false.

Even more odd is the fact that it works in Internet Explorer and not
Mozilla. Now I trust Mozilla's standards far more than IE so I really want
to make it work in Mozilla.

Sorry this is such a long post, I tried to keep it as short as possible but
give enough information to make it make sense.

So what am I missing? And what is IE doing that Moz isn't?

Thanks for any suggestions.
Jul 16 '05 #1


First, rather than manually passing the session id around, just do an
ini_set() at the beginning of each page...

ini_set("session.use_cookies", "off");
ini_set("session.use_trans_sid", "on");

This will automagically append the session id to all relative URL's that it
can identify, as well as adding it into a hidden form variable for you. You
don't need to do it manually.

Second, you're not passing the session id when you redirect. Writing the
header like that doesn't get rewritten by PHP or your routine. If you are
not using cookies, you won't have access to the session id on the next page
(the one you redirect to). Even with trans_sid, you'll have to manually
include your session id in the header.

HTH.
Pete.

--

--
Peter James
Editor-in-Chief, php|architect Magazine
pe***@phparch.com

php|architect
The Magazine for PHP Professionals
http://www.phparch.com
Jul 16 '05 #2

I know I'm going to sound stupid now, but could you just clarify what
exactly is happening here. At the moment, I am using session.auto_start = 0
in php.ini. Should I now switch this back to 0?
And if I add ini_set("session.use_cookies", "off"); and
ini_set("session.use_trans_sid", "on"); to the start of each page, does it
temporarily turn on trans_sid for that browsing session?
Lastly, when you say "This will automagically append the session id to all
relative URL's that it can identify, as well as adding it into a hidden form
variable for you", how is the session ID passed then? Where am I defining a
variable that can be used on the next page? How does it identify "relative
URLs"? I've only been at this a month so I'm a bit green.

Thanks for your help.
Jul 16 '05 #3

If you have access to the php.ini file, then set these session.use_cookies
and session.use_trans_sid values in the php.ini file.

auto_start means that a session is started every time... it is very common
to leave this off, and just use session_start() when you need sessions. If
you use auto_start, you should also set the use_cookies, etc values in the
php.ini file.

As far as appending the session id, PHP will handle it all for you. If you
start a session (either auto_start or session_start() ) and create a form on
a page that's using trans_sid, and then check your page source in the
browser, you should see a hidden field called PHPSESSID in your form. One
that you _didn't_ add yourself. It's very cool. Relative URL's are
essentially just URLs that don't have a host in them. http://foo.com is not
a relative url, but /bar/index.php is.

If you have trans_sid on, and you submit the above form and start the
session on the submitted-to page, then all the $_SESSION vars that you set
on the previous page will be available to you on your submitted-to page.

Does that clear anything up, or make it cloudier? :-)

Pete.

--

--
Peter James
Editor-in-Chief, php|architect Magazine
pe***@phparch.com

php|architect
The Magazine for PHP Professionals
http://www.phparch.com
Jul 16 '05 #4
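
The replies above carry the session ID in a hidden form field, in rewritten relative URLs and by hand in the redirect header, which leaves the ID visible in page source, browser history and server logs. The following added example (not code from the thread; the function names and the username are hypothetical) shows the same login flow with the ID accepted from a cookie only and replaced at login, plus a guard that does not raise the "Undefined index" notice.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. All function names are hypothetical.

/** Cookie-only session settings. Call before session_start() and before any output. */
function harden_session_settings(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore a PHPSESSID sent in a URL or form field
    ini_set('session.use_trans_sid', '0');    // do not rewrite links or forms to carry the ID
    ini_set('session.use_strict_mode', '1');  // discard IDs this server never issued

    // Some servers report HTTPS as "off" on plain HTTP, so test for that too.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'path'     => '/',
        'httponly' => true,      // cookie is not readable from page scripts
        'secure'   => $https,    // only sent over HTTPS when the site uses it
        'samesite' => 'Lax',
    ]);
}

/**
 * login.php logic. $credentialsOk stands for the result of the site's own
 * username/password check (the mysql_num_rows() test in the thread).
 * Returns the page to redirect to.
 */
function handle_login(bool $credentialsOk, string $username): string
{
    if (!$credentialsOk) {
        return 'index.php';
    }
    // Issue a fresh ID at login and delete the old session data, so an ID
    // that was visible before login no longer identifies anything.
    session_regenerate_id(true);
    $_SESSION['entered_username'] = $username;
    $_SESSION['login'] = 'yes';
    return 'member.php';
}

/** member.php guard. isset() avoids the "Undefined index: login" notice. */
function is_logged_in(): bool
{
    return isset($_SESSION['login']) && $_SESSION['login'] === 'yes';
}

// Walk-through with constructed input; run with the php command line binary.
harden_session_settings();
session_start();                       // required on every page that uses $_SESSION
$idBeforeLogin    = session_id();
$guardBeforeLogin = is_logged_in();    // no session data yet
$target           = handle_login(true, 'alice');   // constructed username
$idAfterLogin     = session_id();

// On the real login.php the next step would be:
//   header('Location: ' . $target); exit;
// No ID is appended to the URL because the cookie carries it.
printf("guard before login: %s\n", var_export($guardBeforeLogin, true));
printf("ID changed at login: %s\n", var_export($idBeforeLogin !== $idAfterLogin, true));
printf("guard after login: %s, redirect to %s\n", var_export(is_logged_in(), true), $target);
```

A visitor who refuses cookies cannot log in under these settings; that is the trade-off against exposing the ID in links and forms.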

Shouldn't, unless your host has session.auto_start on.

--

--
Peter James
Editor-in-Chief, php|architect Magazine
pe***@phparch.com

php|architect
The Magazine for PHP Professionals
http://www.phparch.com
"Paul" <Pa**@here.com> wrote in message
news:bh**********@hercules.btinternet.com...
1 last question (promise!!) I've just been looking up ini_set at php.net.
That's pretty cool how you can temporarily change php settings. At present I
am writing my webpage on my local machine but in time will upload it to my
host. My question is, if session.use_cookies and session.use_trans_sid are
enabled on the server and I enter ini_set("session.use_cookies", "off"); and
ini_set("session.use_trans_sid", "on"); on the top of each of my web pages,
will it have any unexpected effects?

Thanks again.
"Paul" <Pa**@here.com> wrote in message
news:bh**********@titan.btinternet.com...
That's slightly overcast with a strong chance of some sunshine later :-)
That kinda cleared things up. Time, error and play will help me figure out
exactly what's happening but I get the gist of it now.

Thanks for your help.

Jul 16 '05 #5

I have set session.use_trans_sid = 1 and session.use_cookies = 1 as
suggested. My index.php now looks like this:

<html>
<head>
<title>Welcome</title>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1"></head>
<?php
session_start();
$_SESSION['entered_username'] = "";
$_SESSION['login'] = "";

echo "<form method='POST' action='login.php'>
<p align='center'>&nbsp;&nbsp;&nbsp;<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<font size='2'>
Username:&nbsp;</font></b>
<font size='2'>
<input type='text' name='username' size='13' style='height: 20'>
&nbsp;&nbsp;<b>Password:&nbsp;&nbsp;</b>
<input type='password' name='password' size='13' style='height: 20'>
&nbsp;
<input type='submit' value='Login'></font>
&nbsp;
<font size='2'><b>Not a member?</b> Sign up <a
href='register.html'>here</a></font>
<p align='center'><font size='2'><b>Forgotten your password?</b> <a
href='password_reminder.php'>Click
here</a> to have it e-mailed to you. </font>
</form>";

?>
<H1>Header 1</H1>
<H2>Text about something</H2>

Viewing the source of the page I don't see a hidden field with the SID in it
(see below). What am I doing wrong?

<html>
<head>
<title>Welcome</title>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1"></head>
<form method='POST' action='login.php'>
<p align='center'>&nbsp;&nbsp;&nbsp;<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<font size='2'>
Username:&nbsp;</font></b>
<font size='2'>
<input type='text' name='username' size='13' style='height: 20'>
&nbsp;&nbsp;<b>Password:&nbsp;&nbsp;</b>
<input type='password' name='password' size='13' style='height: 20'>
&nbsp;
<input type='submit' value='Login'></font>
&nbsp;
<font size='2'><b>Not a member?</b> Sign up <a
href='register.html'>here</a></font>
<p align='center'><font size='2'><b>Forgotten your password?</b> <a
href='password_reminder.php'>Click
here</a> to have it e-mailed to you. </font>
</form>/n<H1>Header 1</H1>
<H2>Text about something</H2>
</body>
</html>
Jul 16 '05 #6
