Re: session problem - login screen continually reloads after pressing the login button

From: Matthias Esken (muelleimer2003nospam_at_usenetverwaltung.org)
Date: 11/24/03


Date: Mon, 24 Nov 2003 21:24:08 +0100

Chip <carvin5string@yahoo.com> schrieb:

> I am trying to get sessions to work on a log in screen to give certain
> users access to certain pages/directories. The problem is that when
> the login button is pushed (or the enter key pressed) the login screen
> redraws, never loading the next page. I don't get any error messages.
> I am using FreeBSD-5.1/Apache-2.0.46/MySQL-4.1.0.1/PHP-4.4.3.4

And you're using code from the times of PHP 4.0.x.

> <?

Don't use short tags. They are not portable. Use <?php.

> session_start();

Seems OK. :-)

> session_register("userid","password");

That's not good. In fact it is bad style. Read the documentation at
http://www.php.net/manual/en/function.session-register.php.

> if ($submit)

You rely on register_globals=on. Since PHP 4.2.0, the default value for
register_globals is off.

> This is at the top of all pages, before any html tags -
> -------------
> <?
> session_start();
> if(!isset($userid)) {
> header('Location: http://xxx.xxx.xxx.xx/auth_dealers/login2.php');
> exit;
> }
> ?>

Ouch. What is $userid? You might believe that it contains a variable
from your session. If register_globals is off, then it doesn't and PHP
will always send you back to login2.php. You'll find the value in
$_SESSION['userid'] instead. If register_globals is on, then it _might_
contain the id from the session. On the other hand it could be a clever
intruder who just calls your page with page.php?userid=42. So, don't
work with activated register_globals.

This leaves you with some work to do. Check the setting of
register_globals in the php.ini. If it's on, then switch it off. With
activated register_globals you have to work hard to make your code
secure. With deactivated register_globals you have to work to make it
insecure.

To find errors from uninitialized variables set the error_reporting to
E_ALL, so that you get all notices and warnings during the development
of your code.

Write data to a session with:
  $_SESSION['example'] = $value;

Access data in a session with:
  echo ($_SESSION['example']);

Access data from a form with:
  $_POST['username']
or
  $_GET['username']
according to your posting method.

Check http://www.php.net/manual/en/language.variables.predefined.php for
details about these "superglobals".

Regards,
    Matthias
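
The login flow from the thread rewritten the way the reply recommends, as an added example that is not part of the original post: $_POST and $_SESSION instead of register_globals, E_ALL during development, and nothing but the user id kept in the session. It assumes PHP 5.5 or later for password_verify(); the user table and the example.invalid URLs are constructed placeholders.

```php
<?php
// Added example, not code from the original thread.
// Assumes PHP >= 5.5 (password_verify); user table and URLs are constructed.
error_reporting(E_ALL);   // surface notices about uninitialized variables
session_start();

// Constructed demo data: a real application would query its user table.
$users = [
    'alice' => password_hash('correct horse battery', PASSWORD_DEFAULT),
];

// Guard for protected pages: the session decides, never a request variable,
// so page.php?userid=42 has no effect on this check.
function require_login(string $login_url): void
{
    if (!isset($_SESSION['userid'])) {
        header('Location: ' . $login_url);
        exit;
    }
}

// Login handler: read the form from $_POST, not from a bare $submit/$username.
function handle_login(array $users, string $after_login_url): void
{
    if (!isset($_POST['submit'], $_POST['username'], $_POST['password'])) {
        return;   // first visit or incomplete form: just render the form
    }
    $user = $_POST['username'];
    if (isset($users[$user]) && password_verify($_POST['password'], $users[$user])) {
        session_regenerate_id(true);   // fresh id once the user is authenticated
        $_SESSION['userid'] = $user;   // store the id only, never the password
        header('Location: ' . $after_login_url);
        exit;
    }
    $_SESSION['login_error'] = 'Invalid username or password.';
}

// In login2.php, before any HTML:
//   handle_login($users, 'https://example.invalid/auth_dealers/index.php');
// At the top of every protected page, before any HTML:
//   require_login('https://example.invalid/auth_dealers/login2.php');
```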