Unusual Session Behaviour

I've found very unusual behaviour when using sessions on two different
servers.

I'm using sessions to handle simple log in. When the form submits the
values are checked against a MySQL table. If a match exists two session
variables are created: $_SESSION['db_is_logged_in'] and
$_SESSION['user']. Each page checks if the session variable
'db_is_logged_in' is set and is true, display the page otherwise use
header to redirect to an error page.

This worked all well and fine locally, and on one other server.
Recently I moved server and since then the whole authentication process
has been behaving unusually. Sometimes (when logged in) you are taken
to the error page, but your username is still displayed in the menu.
Clicking the link a few more times and eventually the page will display
correctly.

My question is are there any options or reasons why what has previously
worked fine could now be so unreliable? I am using session_start(), and
this worked very well on one server, why not another? The versions of
PHP are even the same (4.3.2).

This has had me stumped for a few days now and I'm no closer to solving
it, I'd really appreciate any suggestions. Thanks in advance.

Feb 24 '06 #1
Make sure all of the files inside the "authenticated" umbrella have
session_start() on it at the top. The only other thing that comes to
mind is if your pages are not all on the same server/domain, that would
cause the browser to have multiple session id's. Also check to be sure
the PHPSESSIONID variable is configured in php.ini to be passed via
cookie instead of url.

Alex
http://prepared-statement.blogspot.com
http://learn2host.blogspot.com

Feb 24 '06 #2
Thanks for your response Alex. I actually have an auth.php file with
session_start() in which is included into the top of each page, before
anything else, so I don't think that is the problem.

Also I've done a full transfer, I'm not trying to go to pages on one or
another server. The two servers have no contact with each other.

How can I be sure that the PHPSESSIONID is being passed via cookie and
not url? The server is commercial and had PHP installed already and I
don't think I can configure it. I have a page with the phpinfo() on it
though, does it say on that page?

Feb 24 '06 #3
joe
Yes, phpinfo() will show you that information.

session.use_cookies - On.

If you don't already, you can also try setting the session cookie
params yourself, e.g.
session_set_cookie_params (0, "/path/to/dir/");

(0 meaning keep cookie for life of browser)

Full doc:
http://us3.php.net/manual/en/functio...kie-params.php

Feb 24 '06 #4
Thanks for your response, cookies are turned on. I'm storing them as
session variables though - I shouldn't need to be setting cookies
should I?

I may try it with cookies storing the values as the password isn't
stored, so there isn't a security risk associated with it.

It's still behaving very unusually though, sometimes a page I should be
able to see will redirect me to the error page which will proudly
display the variables that indicate I should be logged in, and it is
still behaving normally on the other server. Very confused at the
moment.

Feb 24 '06 #5
joe
While the session data is stored on the server, the cookie is used to
store that session name and id, so you can track/utilize the same
session data over multiple different pages. If you don't use session
cookies, you can pass the session id (SID constant) thru the URL (there
may be other ways to use cookie-less sessions also).

In my experience, sessions either work or don't work at all (errors are
generated) so not sure what the problem might be in your case. May be
helpful to post some code or the session settings from your phpinfo?

Feb 24 '06 #6
Thanks for your continued support Joe, I'll include some code and if
you tell me which setting details you need I can get those for you
shortly.

The auth.php file called at the top of each restricted page:
session_start();

if (!isset($_SESSION['db_is_logged_in'])
    || $_SESSION['db_is_logged_in'] != true) {

    // not logged in, move to login page
    header('Location: denied.php');
    exit;
}

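The login mechanism:
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {
    include 'config.php';
    include 'opendb.php';

    // form variables
    $userId = $_POST['txtUserId'];
    $password = $_POST['txtPassword'];

    // undo magic_quotes_gpc if the server has it on, so the values
    // are escaped exactly once below
    if (get_magic_quotes_gpc()) {
        $userId = stripslashes($userId);
        $password = stripslashes($password);
    }

    // escape the form values before they are placed in the query
    // (needs the connection that opendb.php has just opened)
    $safeUserId = mysql_real_escape_string($userId);
    $safePassword = mysql_real_escape_string($password);

    // check if the user id and password combination exist in database
    $sql = "SELECT username, type FROM agent WHERE username = '$safeUserId'
            AND user_password = MD5('$safePassword')";
    $result = mysql_query($sql) or die('Query failed. ' . mysql_error());
    include 'closedb.php';
    if (mysql_num_rows($result) == 1) {
        // the user id and password match,
        // set the session variables
        $_SESSION['db_is_logged_in'] = true;
        $_SESSION['user'] = $userId;

        // after login we move to the main page
        header('Location: welcome.php');
        exit;
    } else {
        $errorMessage = 'Sorry, wrong user id / password';
    }

}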

It's very hard for me to describe the error. Once logged in, when you
try to view a page, often you get redirected to the error page. Try the
link again from the menu and it may display the page. It's as if
sometimes it can't find the session variable in auth.php so is
redirecting. Then you try again and it works. This behaviour is really
irritating considering it hasn't done this before.

Thanks again.

Feb 24 '06 #7
John Howie wrote:
> This worked all well and fine locally, and on one other server.
> Recently I moved server and since then the whole authentication process
> has been behaving unusually. Sometimes (when logged in) you are taken
> to the error page, but your username is still displayed in the menu.
> Clicking the link a few more times and eventually the page will display
> correctly.


Unusual indeed. There has got to be some problems with the server set
up. One thing to try is to change session.save_path with ini_set() to a
subdir in your user directory (chmod'ed to 0777) before calling
session_start(). That way, your session data is saved in a more
controlled area. As you browse through your site, monitor the session
files either through telnet or FTP. That should give you some insights.

Feb 25 '06 #8
John Howie wrote:
> I've found very unusual behaviour when using sessions on two different
> servers.
>
> I'm using sessions to handle simple log in. When the form submits the
> values are checked against a MySQL table. If a match exists two session
> variables are created: $_SESSION['db_is_logged_in'] and
> $_SESSION['user']. Each page checks if the session variable
> 'db_is_logged_in' is set and is true, display the page otherwise use
> header to redirect to an error page.
>
> This worked all well and fine locally, and on one other server.
> Recently I moved server and since then the whole authentication process
> has been behaving unusually. Sometimes (when logged in) you are taken
> to the error page, but your username is still displayed in the menu.
> Clicking the link a few more times and eventually the page will display
> correctly.

<snip>

1. Set the error level to the max (if PHP5, use strict too)
2. Post a link, where we can check the source
3. Post a link where we can check the phpinfo

My guess is that there is some caching issue.

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Feb 25 '06 #9
joe
I didn't test it out but your code looks ok...is the new server a
commercial server or one you have full access to?
Either way, you can try what Chung said, or use an .htaccess file to
change it (if the webserver is running apache):

php_value session.save_path /path/to/your/dir/

Feb 25 '06 #10
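The session.save_path check suggested in replies #8 and #10, as an added example that is not part of the thread: a diagnostics page that moves session storage to a private directory and reports the settings that decide whether a session is found again on the next request. The file name sessdiag.php, the SESSION_DIR location and the hits counter are assumptions.

```php
<?php
// Added example (hypothetical sessdiag.php); not code from the thread.
// Assumption: SESSION_DIR lies outside the document root and PHP may create it.
define('SESSION_DIR', dirname(__DIR__) . '/php_sessions');

function prepare_session_dir($dir)
{
    // Created by PHP itself, so the PHP user owns it and 0700 is enough;
    // a world-writable directory would let other accounts on a shared
    // host read or plant session files.
    if (!is_dir($dir) && !@mkdir($dir, 0700)) {
        return false;
    }
    return is_writable($dir);
}

function session_report()
{
    // Assumes the plain "files" handler without an "N;" depth prefix.
    $path = session_save_path();
    if ($path === '') {
        $path = sys_get_temp_dir();
    }
    $file = rtrim($path, '/') . '/sess_' . session_id();
    return array(
        // changes between requests if more than one machine serves the site
        'server host'            => php_uname('n'),
        'session.save_handler'   => ini_get('session.save_handler'),
        'session.save_path'      => $path,
        'session.use_cookies'    => ini_get('session.use_cookies'),
        'session.use_trans_sid'  => ini_get('session.use_trans_sid'),
        'session.gc_maxlifetime' => ini_get('session.gc_maxlifetime'),
        'cookie sent by browser' => isset($_COOKIE[session_name()]) ? 'yes' : 'no',
        'session file exists'    => file_exists($file) ? 'yes' : 'no',
        'hits in this session'   => $_SESSION['hits'],
    );
}

$private = prepare_session_dir(SESSION_DIR);
if ($private) {
    ini_set('session.save_path', SESSION_DIR);   // must precede session_start()
}
session_start();
$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;

header('Content-Type: text/plain');
echo 'private save path in use: ' . ($private ? 'yes' : 'no') . "\n";
foreach (session_report() as $name => $value) {
    echo $name . ': ' . $value . "\n";
}
```

Reloading the page should raise the hit count by one each time; a count that falls back to 1 while the cookie is still being sent means the stored session data was not found by that request.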
Sorry for my delay, I was away this weekend. Thanks for your help with
this matter.
1. You can see the php info at
http://www.falicensedplayersagent.com/new.php
2. The other pages there contain the basic login control, which still
isn't working (in case any of the other page content was interfering
I've gutted them to basic log in).
Go to http://www.falicensedplayersagent.com/index.php To try to log in,
user and pass are displayed. There are two pages with restricted
access, with links to them. Earlier I logged in and could go between
the two fine, then again just now I did the same and frequently get the
error page appear.

The server is commercial, so I don't know how I'd go about altering
paths or setting the error level to high.

The server is running apache, so .htaccess is one approach I'm now
considering, my curiosity is high now though, and I really want to
know what is going on.

Your help is greatly appreciated, though my knowledge of the PHP set-up
is poor and I don't know how to do some of the suggestions made. Thanks
again.

joe wrote:
> I didn't test it out but your code looks ok...is the new server a
> commercial server or one you have full access to?
> Either way, you can try what Chung said, or use an .htaccess file to
> change it (if the webserver is running apache):
>
> php_value session.save_path /path/to/your/dir/


Feb 27 '06 #11
Problem solved! Or at least a workaround. Instead of using sessions I'm
now using cookies on the client machine, since the data stored isn't
confidential, or passwords.

It seems to be working perfectly fine now, though I don't know what
would happen if a user has disabled cookies. That's a huge relief,
thank you all for your help with this matter, if anyone does work out
what wasn't working with the sessions I'd be very interested to hear
it, as I can include it in my write up.

John

Feb 27 '06 #12
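When the logged-in state is kept in a client cookie, as in the workaround above, the server needs a way to tell that it issued the value. An added example, not part of the thread, that signs the cookie with an HMAC and checks it in place of the session test; the cookie name, secret and lifetime are assumptions.

```php
<?php
// Added example; not code from the thread.
// Assumptions: cookie name, secret value and lifetime below are placeholders.
define('AUTH_COOKIE', 'auth');
define('AUTH_SECRET', 'replace-with-a-long-random-server-side-secret');
define('AUTH_TTL', 1800);   // seconds a token stays valid

// Build "base64(user).expiry.mac"; the MAC covers both user and expiry.
function make_auth_token($user, $now)
{
    $payload = base64_encode($user) . '.' . ($now + AUTH_TTL);
    return $payload . '.' . hash_hmac('sha256', $payload, AUTH_SECRET);
}

// Return the user name for a genuine, unexpired token, otherwise null.
function verify_auth_token($token, $now)
{
    $parts = explode('.', (string) $token);
    if (count($parts) !== 3) {
        return null;
    }
    list($user64, $expires, $mac) = $parts;
    $expected = hash_hmac('sha256', $user64 . '.' . $expires, AUTH_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null;                       // value was not issued by this server
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;                       // past its expiry time
    }
    $user = base64_decode($user64, true);
    return $user === false ? null : $user;
}

// Login page, after the password check succeeded:
//   setcookie(AUTH_COOKIE, make_auth_token($userId, time()), 0, '/');
// auth.php, in place of the $_SESSION['db_is_logged_in'] test:
//   $user = isset($_COOKIE[AUTH_COOKIE])
//         ? verify_auth_token($_COOKIE[AUTH_COOKIE], time()) : null;
//   if ($user === null) { header('Location: denied.php'); exit; }

if (PHP_SAPI === 'cli') {                  // constructed demo values
    $now   = 1700000000;
    $token = make_auth_token('alice', $now);
    var_dump(verify_auth_token($token, $now + 60));             // untouched token
    var_dump(verify_auth_token('x' . $token, $now + 60));       // user part altered
    var_dump(verify_auth_token($token, $now + AUTH_TTL + 1));   // checked after expiry
}
```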
"John Howie" <jo*********@gmail.com> wrote in message
news:11**********************@v46g2000cwv.googlegroups.com...
> Problem solved! Or at least a workaround. Instead of using sessions I'm
> now using cookies on the client machine, since the data stored isn't
> confidential, or passwords.
>
> It seems to be working perfectly fine now, though I don't know what
> would happen if a user has disabled cookies. That's a huge relief,
> thank you all for your help with this matter, if anyone does work out
> what wasn't working with the sessions I'd be very interested to hear
> it, as I can include it in my write up.
>
> John


John,

Just out of curiosity, when you changed servers did you alter any links?
PHP is usually set up to use both cookies and url based session handling.
url based kicks in when cookies are not enabled but only works with fully
qualified links:

1) <a href='http://www.yourserver.com/link.htm'>Link</a> <- will have the
session id appended if cookies are disabled
2) <a href='link.htm'>Link</a> <- will not work as PHP won't add the
session id to a short form link

and make sure that the 'temp' directory is set in php.ini so that PHP knows
where to store the sessions...

Norm
Feb 28 '06 #13
Norm,
thanks for your response, it would be good if that is the problem. I
didn't change the links and they were all relative : <a
href="index.php">Index</a>
I'm very tempted to resort to undoing the cookie implementation and
seeing if that solves it. I think the temp is default /tmp but haven't
had a look in there.
If that solves it it will certainly give me something to write about.

Feb 28 '06 #14

"Norman Peelman" <np******@cfl.rr.com> wrote in message
news:JJ*******************@tornado.tampabay.rr.com...
> "John Howie" <jo*********@gmail.com> wrote in message
> news:11**********************@v46g2000cwv.googlegroups.com...
>> Problem solved! Or at least a workaround. Instead of using sessions I'm
>> now using cookies on the client machine, since the data stored isn't
>> confidential, or passwords.
>>
>> It seems to be working perfectly fine now, though I don't know what
>> would happen if a user has disabled cookies. That's a huge relief,
>> thank you all for your help with this matter, if anyone does work out
>> what wasn't working with the sessions I'd be very interested to hear
>> it, as I can include it in my write up.
>>
>> John
>
> John,
>
> Just out of curiosity, when you changed servers did you alter any links?
> PHP is usually set up to use both cookies and url based session handling.
> url based kicks in when cookies are not enabled but only works with fully
> qualified links:
>
> 1) <a href='http://www.yourserver.com/link.htm'>Link</a> <- will have the
> session id appended if cookies are disabled
> 2) <a href='link.htm'>Link</a> <- will not work as PHP won't add the
> session id to a short form link

funny, it seemed to work in my php file with relative link. or are you
saying the behaviour becomes flaky?

> and make sure that the 'temp' directory is set in php.ini so that PHP knows
> where to store the sessions...
>
> Norm

Mar 2 '06 #15
"Jim Michaels" <NO***************@yahoo.com> wrote in message
news:zb********************@comcast.com...
> "Norman Peelman" <np******@cfl.rr.com> wrote in message
> news:JJ*******************@tornado.tampabay.rr.com...
>> "John Howie" <jo*********@gmail.com> wrote in message
>> news:11**********************@v46g2000cwv.googlegroups.com...
>>> Problem solved! Or at least a workaround. Instead of using sessions I'm
>>> now using cookies on the client machine, since the data stored isn't
>>> confidential, or passwords.
>>>
>>> It seems to be working perfectly fine now, though I don't know what
>>> would happen if a user has disabled cookies. That's a huge relief,
>>> thank you all for your help with this matter, if anyone does work out
>>> what wasn't working with the sessions I'd be very interested to hear
>>> it, as I can include it in my write up.
>>>
>>> John
>>
>> John,
>>
>> Just out of curiosity, when you changed servers did you alter any links?
>> PHP is usually set up to use both cookies and url based session handling.
>> url based kicks in when cookies are not enabled but only works with fully
>> qualified links:
>>
>> 1) <a href='http://www.yourserver.com/link.htm'>Link</a> <- will have the
>> session id appended if cookies are disabled
>> 2) <a href='link.htm'>Link</a> <- will not work as PHP won't add the
>> session id to a short form link
>
> funny, it seemed to work in my php file with relative link. or are you
> saying the behaviour becomes flaky?
>
>> and make sure that the 'temp' directory is set in php.ini so that PHP knows
>> where to store the sessions...
>>
>> Norm

I was basically just stating what is in the online manual and my own
experiences. Not exactly sure how sessions interact with 'header()' - you
may need to add the session id manually...

Norm
Mar 3 '06 #16
