469,343 Members | 5,380 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,343 developers. It's quick & easy.

how to pass session id between MULTIPLE pages

Hi, been scratching my head and looking all over but cant get session data to pass to multiple pages.
The scenario is like this.
I present a splash page with an option to login at the bottom via form. Across the top is a menu strip, site access is open to all but if logged in and validatd as a member then selecting "downloads" or "articles" from the menu strip gives access to different content. I need my user to only login / validate once on the splash screen and then hold the session data (string stating member or nonmember retrieved from a db) to be accessable from any page within the site.
my test pages are as follows.

login screen
---------------
Expand|Select|Wrap|Line Numbers
  1. <html>
  2. <head><title>Title here!</title></head>
  3. <body>
  4. <form action = "user.php"  method="post">
  5. <input type="text" name="status">
  6. <input type="submit" >
  7. </form>
  8. <a href="download.php">Downloads</a>
  9. </body>
  10. </html>
  11.  
On submit I call my second page which in reality would check username against database and assign either "member" or "nonmember" to session_id
Expand|Select|Wrap|Line Numbers
  1. <html>
  2. <head><title>Title here!</title></head>
  3. <body>
  4. <?php
  5. session_start();
  6. $x= $_POST['status'];
  7. session_register("status");
  8. $status=$x;
  9. // check session id should be text entered on login screen for test purposes
  10. echo 'session id is '.$status;
  11. // re display login screen 
  12. include('base.htm');
  13. ?>
  14. </body>
  15. </html>
  16.  
Now I may navigate around the site a little but if I choose "downloads" I need to be able to read the session_id member or nonmember ?
Expand|Select|Wrap|Line Numbers
  1. <html>
  2. <head><title>Title here!</title></head>
  3. <body>
  4. <?php
  5. session_start();
  6. global $status;
  7. echo 'session id is '.$status;
  8. ?>
  9. </body>
  10. </html>
  11.  
Problem is that going to "download.php" produces no session_id ?
any help greatly appreciated.
Sep 3 '10 #1

✓ answered by kovik

What you are doing has nothing to do with session IDs. The session ID is a randomly-generated unique string that identifies an individual session. What you are doing is setting session data. The ID stays that same.

As a side note, it's good practice to call session_regenerate_id() whenever a user's permissions change (i.e. when they log in and become a member instead of a guest).

13 9805
Markus
6,050 Expert 4TB
Turn on Error Reporting*, and see this article.

* Use -1 instead of E_ALL.
Sep 3 '10 #2
Thanks for the swift reply but; I can't understand what is going wrong.
I modified the base.htm by placing
Expand|Select|Wrap|Line Numbers
  1. <?php
  2. session_start();
  3. session_id('nonmember');
  4. echo session_id);
  5. ?>
  6.  
at the very top of the doc.
This shows me that session_id has indeed been set to "non member"
When submitting the form I get the session_id changed to whatever I submitted but when clicking download link on base.htm when download.php appears it has a new session_id.
I really dont understand, there must be a simple solution? But I can't see it, help please.
Sep 3 '10 #3
kovik
1,044 Expert 1GB
What, pray tell, is the purpose of allowing your users to select their own session IDs? So that it's easier for them to attempt to hijack another session?
Sep 3 '10 #4
In reality it does not matter what the session id is, as I stated in my original post certain parts of the site have content available only to members. For example you access the articles page, all articles are listed but if you are not a member only some are active links, if you are a member all articles have active links. I require the viewer to log in or not on the splash screen so that as each new page is accessed content can be displayed as to if you are a member or not.
Logging in with your user name / password calls a script to check against a db of members and sets a session id accordingly. It may be that a result of non member sets session_id to "non" whilst a result of "member" sets session_id to a random string (as is I think the default).
The above code is just my test or scratch code to get the principles working and give me known results easier for checking.
Sep 4 '10 #5
Well I got it sorted by using simplified code and by making sure that $_SESSION was in upper case.
test coding is now as follows.

log in / out / downloads
Expand|Select|Wrap|Line Numbers
  1. <html>
  2. <head>
  3.        <title>Title here!</title>
  4. </head>
  5. <body >
  6. <form action = "user.php"  method="post">
  7. <input type="text" name="status" value="">
  8. <input type="submit" >
  9. </form>
  10. <a href="download.php">Downloads</a>
  11. <a href="kill.php">logout</a>
  12. </body>
  13. </html>
  14.  
assign session id (remember in real we don't use the entered name but check against db, if member then generate session id as normal, if not a member set session id to "non member".
Expand|Select|Wrap|Line Numbers
  1. <?php
  2. session_start();
  3. error_reporting(-1);
  4. ini_set('display_errors', true);
  5. $x= $_POST['status'];
  6. if (!isset($_SESSION["user"]))
  7. {
  8. $_SESSION["user"]=$x;
  9. echo 'session id is '.$_SESSION["user"];}
  10. else {echo 'session id is '.$_SESSION["user"];}
  11. include('base.htm');
  12. ?>
  13.  
download page has carried the session id.
In real if session id is "non member" display content x if session id anything else then must be member so display content y.
Expand|Select|Wrap|Line Numbers
  1. <?php
  2. session_start();
  3. error_reporting(-1);
  4. ini_set('display_errors', true);
  5. echo 'session id is '.$_SESSION["user"];
  6. ?>
  7.  
to log out or kill the session then
Expand|Select|Wrap|Line Numbers
  1. <?php
  2. session_start();
  3. session_destroy();
  4. include("base.htm");
  5. ?>
  6.  
Hope this helps someone else, there seems to be a lot of questions about passing session id's on the net and I found out myself it's not all plain sailing.
Sep 4 '10 #6
kovik
1,044 Expert 1GB
What you are doing has nothing to do with session IDs. The session ID is a randomly-generated unique string that identifies an individual session. What you are doing is setting session data. The ID stays that same.

As a side note, it's good practice to call session_regenerate_id() whenever a user's permissions change (i.e. when they log in and become a member instead of a guest).
Sep 4 '10 #7
Well thanks for that, I guess I got my terminologu wrong with session id is $_SESSION["user"] but I tried first off doing it by trying to transfer session_id() between pages and could not get it working so I ended up with this session variable instead($_SESSION["user"]).
Can you tell me why it is good practice to regen the session_id() if I am not actually using that value? are there advantages / disadvantages?
I would like to use good programming practice from the start of my induction into php.
Thanks for your input.
Sep 4 '10 #8
Just read explanation on wiki session fixation attack, I now will use session_regenerate_id() as a matter of course. Good article easy to understand. ;)
Sep 4 '10 #9
kovik
1,044 Expert 1GB
By the way, you are passing the session ID, you just don't realize it. It is set in a cookie on their end.

A session instance is like a locked apartment, and the session ID is the key. Their cookie contains this session ID which allows them to open the locked door and get inside.
Sep 4 '10 #10
So is there a more correct way to do this? To set and retain a value throughout a session for a given user?
Sep 4 '10 #11
kovik
1,044 Expert 1GB
Nope, you are doing it correctly. The $_SESSION superglobal array is our method of updating session information.
Sep 4 '10 #12
Thanks, guidance is much appreciated.
Sep 4 '10 #13
kovik
1,044 Expert 1GB
It's what we're here for. :)
Sep 4 '10 #14

Post your reply

Sign in to post your reply or Sign up for a free account.

Similar topics

1 post views Thread by aperez | last post: by
3 posts views Thread by Aussie Rules | last post: by
1 post views Thread by CARIGAR | last post: by
reply views Thread by zhoujie | last post: by
reply views Thread by suresh191 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.