
session problem with login script

Tom
I hope someone can help me figure out what's going on here. I've
re-read the section on sessions at php.net and Googled this high and
low but I haven't found anything that quite explains my problem.

The basic problem: session data (e.g. $_SESSION['access_level']) gets
dropped after visitor logs in and reloads the page via a form once or
twice (it seems to vary), requiring the visitor to re-login, whereupon
the problem repeats itself.

An outline of my login script:

1. a function protect_page at the beginning of the protected page's
script checks to see if the visitor is logged in by checking two
session values ($_SESSION['access_level'] and $_SESSION['login_time']).

2. if logged in with sufficient access and session not too old, show
page. if not, require_once an include file that displays a login form
(everything's buffered, so it's not a header problem)

3. post login form, check credentials; if ok, display protected page

I have a log that tracks the behavior but it's a bit too long to
include here. One peculiarity I've noted is that after logging in,
when I post the form on the protected page, it appears to successfully
load the page once with the session data. But then it reloads the page
a second time (according to the log) and the session data is lost --
thus logging me out! There's nothing in the script that should trigger
the page to be reloaded. I use session_regenerate_id to avoid session
fixation. Could this be a factor?

Another complication: this problem occurs on two development servers
(one running XAMPP on Linux, the other WAMP). But on a third running
WAMP, it doesn't happen and everything runs as designed.

Finally, I took note of the following posts describing similar problems
with session data being lost:

Initialize crucial SESSION data
(http://us2.php.net/manual/en/functio...lose.php#63970)

Use session_write_close after assigning crucial SESSION data
(http://us2.php.net/manual/en/ref.session.php#62486)

Turn off ZoneAlarm (http://forum.sydphp.org/index.php?a=topic&t=255#p7)

However, the suggestions offered (e.g. using session_write_close()
liberally, turning off ZA ) did not solve my problem. And my php.ini
file appears to be in order.

I hope this is clear and detailed enough. Does anyone recognize it?
Any help is appreciated.

Tom

Apr 25 '06 #1
> The basic problem: session data (e.g. $_SESSION['access_level']) gets
> dropped after visitor logs in and reloads the page via a form once or
> twice (it seems to vary), requiring the visitor to re-login, whereupon
> the problem repeats itself.

The reason this happens is to do with the sessionid being lost. It is
either passed by cookie or by url. The first thing to check is that
session_start() is called before any output to the screen. Place a
die('.'); before the session_start() calls of your script and view
source. White space is considered output and is not allowed.

Assuming that didn't sort things out then the next step is to check
that the sessionid is being passed. First check your cookies, and see
if there's one there. Then turn off cookies to force the sessionid to
be passed by url. There are some circumstances (although I can't off the
top of my head remember what they are) where PHP fails to add the
?PHPSESSID=xxx to a url. If there is nothing really odd about your
script (like running everything through exec()) then this step is
probably a waste of time as it will work.

> I use session_regenerate_id to avoid session fixation. Could this be a factor?

Yes. I don't see the need for it for one, and according to the comments
in the manual other people are losing session info because of it.

Apr 25 '06 #2
Tom
Thank you for the response, fletch. It appears session_regenerate_id
was the culprit. (I thought it was one of the factors I had controlled
for, but apparently never got around to it.) I suppose this might
account for the unexplained script reloading (unless I'm misconstruing
normal HTTP interaction.)

I had read some warnings on session fixation that I thought recommended
using session_regenerate_id systematically as a precaution, but I may
have misunderstood the implementation. I'll have to revisit.

In any event, thanks once more. An immense relief.

Tom

Apr 25 '06 #3
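
An added example, not code from any poster in this thread: a common way to use session_regenerate_id against session fixation is to call it once, at the moment the visitor authenticates, while the per-page check only reads the session. The function and key names follow the outline in the first post; MAX_AGE, the form field names and check_credentials() are assumptions.

```php
<?php
// Added example, not the poster's script. MAX_AGE, the form field names and
// check_credentials() are assumptions made for illustration.
const MAX_AGE = 1800; // seconds a login stays valid (assumed value)

// Hypothetical credential check: returns an access level, or null on failure.
function check_credentials(string $user, string $pass): ?int
{
    // Constructed demo account; a real script would query its user store.
    $accounts = ['demo' => ['hash' => password_hash('constructed-pass', PASSWORD_DEFAULT), 'level' => 2]];
    $account = $accounts[$user] ?? null;
    return ($account && password_verify($pass, $account['hash'])) ? $account['level'] : null;
}

// Called once, when the visitor's privilege changes.
function log_in(int $level): void
{
    // Issue a fresh ID and delete the old session data, so an ID planted
    // before login does not carry the authenticated state.
    session_regenerate_id(true);
    $_SESSION['access_level'] = $level;
    $_SESSION['login_time']   = time();
}

// Called on every protected page: only reads the session, never regenerates.
function protect_page(int $required): bool
{
    $level = $_SESSION['access_level'] ?? 0;
    $age   = time() - ($_SESSION['login_time'] ?? 0);
    return $level >= $required && $age <= MAX_AGE;
}

session_start(); // must run before any output, whitespace included

$user = $_POST['user'] ?? null;
$pass = $_POST['pass'] ?? null;
if (is_string($user) && is_string($pass)) {
    $level = check_credentials($user, $pass);
    if ($level !== null) {
        log_in($level);
    }
}

if (protect_page(2)) {
    echo 'Protected content';
} else {
    echo '<form method="post"><input name="user">'
       . '<input name="pass" type="password"><button>Log in</button></form>';
}
```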
