Re: session problem - login screen continually reloads after pressing the login button

From: Matthias Esken (muelleimer2003nospam_at_usenetverwaltung.org)
Date: 11/24/03


Date: Mon, 24 Nov 2003 21:24:08 +0100

Chip <carvin5string@yahoo.com> wrote:

> I am trying to get sessions to work on a log in screen to give certain
> users access to certain pages/directories. The problem is that when
> the login button is pushed (or the enter key pressed) the login screen
> redraws, never loading the next page. I don't get any error messages.
> I am using FreeBSD-5.1/Apache-2.0.46/MySQL-4.1.0.1/PHP-4.4.3.4

And you're using code from the times of PHP 4.0.x.

> <?

Don't use short tags. They are not portable. Use <?php.

> session_start();

Seems OK. :-)

> session_register("userid","password");

That's not good. In fact it is bad style. Read the documentation at
http://www.php.net/manual/en/function.session-register.php.

> if ($submit)

You rely on register_globals=on. Since PHP 4.2.0, the default value for
register_globals is off.

> This is at the top of all pages, before any html tags -
> -------------
> <?
> session_start();
> if(!isset($userid)) {
> header('Location: http://xxx.xxx.xxx.xx/auth_dealers/login2.php');
> exit;
> }
> ?>

Ouch. What is $userid? You might believe that it contains a variable
from your session. If register_globals is off, then it doesn't and PHP
will always send you back to login2.php. You'll find the value in
$_SESSION['userid'] instead. If register_globals is on, then it _might_
contain the id from the session. On the other hand it could be a clever
intruder who just calls your page with page.php?userid=42. So, don't
work with activated register_globals.

This leaves you with some work to do. Check the setting of
register_globals in the php.ini. If it's on, then switch it off. With
activated register_globals you have to work hard to make your code
secure. With deactivated register_globals you have to work to make it
insecure.

To find errors from uninitialized variables set the error_reporting to
E_ALL, so that you get all notices and warnings during the development
of your code.

Write data to a session with:
  $_SESSION['example'] = $value;

Access data in a session with:
  echo ($_SESSION['example']);

Access data from a form with:
  $_POST['username']
or
  $_GET['username']
according to your posting method.

Check http://www.php.net/manual/en/language.variables.predefined.php for
details about these "superglobals".

Regards,
    Matthias
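
The pattern this reply recommends, shown as an added example that is not part of the original post: form input comes only from `$_POST`, and login state lives only in `$_SESSION`. The file name `auth.php`, the function names, the sample account and `index.php` are hypothetical, and the code assumes a current PHP version where `password_hash()` is available.

```php
<?php
// auth.php - added example; function names, the sample account and
// index.php are hypothetical, not taken from the original post.
error_reporting(E_ALL); // show notices for uninitialized variables while developing

// Constructed sample account store; a real application would query its database.
function find_password_hash($username)
{
    static $accounts = null;
    if ($accounts === null) {
        $accounts = array('dealer1' => password_hash('example-password', PASSWORD_DEFAULT));
    }
    return isset($accounts[$username]) ? $accounts[$username] : null;
}

// Return a form field as a string, or '' if it is missing or not a string.
function post_string($key)
{
    return (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : '';
}

// Called from login2.php. Reads the form fields from $_POST only, so
// nothing in the query string can stand in for them.
function handle_login()
{
    $username = post_string('username');
    $hash = find_password_hash($username);
    if ($hash === null || !password_verify(post_string('password'), $hash)) {
        return false;
    }
    session_regenerate_id(true);      // new session id after authentication
    $_SESSION['userid'] = $username;  // keep the identity, not the password
    return true;
}

// Called at the top of every protected page, before any output.
// Only $_SESSION is consulted, so page.php?userid=42 changes nothing.
function require_login()
{
    if (!isset($_SESSION['userid'])) {
        header('Location: /auth_dealers/login2.php');
        exit;
    }
}

// login2.php:      session_start(); if (handle_login()) { header('Location: index.php'); exit; }
// protected pages: session_start(); require_login();
```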


