Hi all, I read this article (http://www.phpbeginner.com/columns/enygma/sessions/1) about using session_id for sending a variable from one page to another page, but it seems that's something wrong with it.

Here's page A

<?PHP
session_start();
$username = $HTTP_POST_VARS["username"];
session_register("username");
$session = session_id();
?>
<a href="pageB.php?"> Page B </a>


and here's page B

session_start();
if ( !isset( "username"))
die("You're not allowed to view this page!");
$session = session_id(); # Is thins necessary in here too?
print ("Hello $username");


But it doesn't show the username, I also tried this in page A

<?PHP
session_start();
$username = $HTTP_POST_VARS["username"];
session_register("username");
$session = session_id();
?>
<a href="pageB.php?<?=$session ?> "> Page B </a>


Can anyone help me in this please, I need to send the username to several pages by means of sessions but still couldn't find out how to send a variable ( username), not just a simple character to verify in the next page.

try flipping the session_register("userName") and userName=$HTTP_POST_VARS['userName'] statements.

Also, you could try
$HTTP_SESSION_VARS['userName']=$HTTP_POST_VARS['userName'];

instead of session_register.

bcarl is correct. You must register the variable before you can assign a value to it. Registering it creates space for the variable.


Also this line is incorrect:

if (!isset( "username"))

should be:

if (!isset($username))

Dear spookster, the script dies if I change "username" to $username, and it means that it doesn't recognize $username.

I'm using php 4.2.3 in my personal web server ( firepages phpdev basically!) and when I used $HTTP_SESSION_VARS["username"] = $HTTP_POST_VARS["username"] it worked, but when I uploaded it in my unix server, that's running php version 4.0.6, it didn't let me go to the next page and said that I'm not allowed to view the page ( my own message to myself! isn't it disgusting?!)
Then I combined them with each other and wrote this in my first page :

$username = $HTTP_POST_VARS["username"];
$HTTP_SESSION_VARS["username"] = $username;
session_register("username");


You see, both the $HTTP_SESSION_VARS and session_register() and now it's working both on my personal webserver and also my unix server. So, may you explain please what's going on behind the scenes?! Is the session_id() totally useless? I'm doing this without using the session_id() that was spoken about in that article ( see my first post in this thread!).
Thanx in advance

I'd check the php_info() on your server. My bet is you've got register_globals set to "on".

This is a potential security hole for just the reason your using php.
When you submit a form, with the an element named "username", php creats a variable called $HTTP_POST_VARS['username'] (or $_POST['username'])

if you request a php page with an url like:
www.mysite.com/mypage.php?username=myusername
php creates a variable named
$HTTP_GET_VARS['username'] (or $_GET['username'])

and when you set a session variable with
session_register('username')
php creates a variable $HTTP_SESSION_VARS['username'] (or $_SESSION['username']

Now, if you've got a security script, as outline below, and have register_globals set to "on", when your referencing the variable $username it could refer to any of the created variables above.

The potential problem comes if your expecting the $username to be from the posted form, but what php thinks you want is the session_register('username') variable. So, it uses the session variable, which was most likely set because it was a good match before, and the user may get in, without supplying a valid username. :eek: See the problem???

So, the solution is to set register_globals to "off" this forces you to assign a value to a variable before you can use it, and php will not make any assumptions.

When you changed the code, you fixed the problem.
when you code as you did below
$username=$HTTP_POST_VARS['username'];
$HTTP_SESSION_VARS['username'] = $username;

you're explicitly telling php, DO THIS, THIS IS WHAT I WANT!
php says, ok. and your good to go.

A step by step woud be...
$username=$HTTP_POST_VARS['username'];
//create a variable names "username" and assign the posted form value from the "username" element.
$HTTP_SESSION_VARS['username']=$username;
//take the username variable and assign the value to the session variable named "username".

As far as why the new code works on both systems, my have something to do with having register_globals set to "on" in the Unix box.

My guess is that with that set to off, you can assign a value to a session using the $HTTP_SESSION_VARS[] array,
but with that on, it requires a variable ($username in this case) to be set.

NOTE: php 4.2.x and above have register_globals set to "off" by default.
php 4.1.x and below have it set to "on" by default.

Hope this helps.

I am using PHPDEV version 5 and globals are set to off by default. I am also currently writing an online program using sessions.

Here is how you do it:



<?php
session_start();
session_register("uid");
$userid = $_POST["userid"];
?>



and then at the top of of all of my protected pages I include a file like so:

include("access_check.php");


It contains:




<?php
session_start();
if(!isset($uid)){
header("Location: index.php");
exit;
}
?>



Make sure you register the variable before you try to assign a value to it as we stated before.

Thanx bcarl314, I'm a little bit scared now! But I have some few questions that I ask.

First off, my first page is called index.php, and it's the page that the username and password asking form lies and the user has to enter his/her username and password. After submitting the form he/she will be taken to the adminpage.php, from there he/she can control the rest of the site. It's the code that I wrote at the begining of adminpage.php :

session_start();


$link = mysql_connect( "localhost", "***", "***");
$db = "weatherforecast";
mysql_select_db( $db)
or die("Error " . mysql_errno() . " : " . mysql_error());


if ( !session_is_registered( "username") )
{
if ( !isset( $HTTP_POST_VARS[ "username"]) || !isset( $HTTP_POST_VARS[ "password"]) )
die("<b style='color : red'>Username</b>/<b style='color : red'>Password</b> not set!");
if ( $HTTP_POST_VARS["username"] == "" || $HTTP_POST_VARS["password"] == "" )
die("<b style='color : red'>Username</b> or <b style='color : red'>Password</b> wasn't entered!");

$query = "select Password from logins where Username = '" . $HTTP_POST_VARS['username'] . "'";
$res = @mysql_query( $query);
if ( !mysql_num_rows( $res) || mysql_result( $res, 0) != $HTTP_POST_VARS[ "password"])
die("<center><h2>You're not allowed to see this page!</h2></center>");

$username = $HTTP_POST_VARS["username"];
$HTTP_SESSION_VARS["username"] = $HTTP_POST_VARS["username"];
session_register("username");
//$session = session_id();
}

As you can see, I never use $username or $password variables, instead I use $HTTP_POST_VARS["username"] or $HTTP_POST_VARS["password"], so, considering what you said, if I used $username or $password, or even $HTTP_GET_VARS["username"] or $HTTP_GET_VARS["password"], then a malicious user could have entered my admin page, right?

Also when I simply wrote $HTTP_SESSION_VARS["username"] = HTTP_POST_VARS["username"], it didn't work, but when I added session_register("username") everything worked the way I expected, I still can't understand when you say you're explicitly telling PHP what you want, am I saying that the "username" in session_register is the same as $HTTP_POST_VARS["username"]? If so can't I simply write $HTTP_SESSION_VARS( $HTTP_POST_VARS["username"])??? :confused:

Sorry for my low IQ, but I can't understand the highlighted part of your note:

The potential problem comes if your expecting the $username to be from the posted form, but what php thinks you want is the session_register('username') variable. So, it uses the session variable, which was most likely set because it was a good match before, and the user may get in, without supplying a valid username. See the problem???


Why should it be a good match when a user can enter ".....adminpage.php?username=root" and "username" as you said become the same as $HTTP_GET_VARS["username"]?

And for that security hole that you said, I heard it b4 but I just didn't know what exactly it means, that I'm trying to understand now! I think I have to ask my host to change it for me ( or do it myself if they provided a shortcut to the php directory for me)

Thanx and sorry that I'm slow

If had this problem in one of my login scripts. I was using globals and for some reason, if I didn't use the $_POST['username'] and assign it to a session variable ($_SESSION['username'], if I went back to the signin page and submitted with an invalid username, it would grab the session username mistakenly, and verify the user. This would be analogos to a user not logging out and the next person at the computer goes to the login screen. He/she enters a user name and password, and because I was using globals, it would grab the session variable over the post variable and validate the user.

It could have been a logic bug, I'm not sure, but my understanding of the _POST and _SERVER variables seemed to fit my problem.

I'd definitly try to code with globals off. Usually, you'll get some type of error (like undef varibale) when php runs and you've coded one of these "issues" by mistake.

Thanx to you all. It's very late now and I'd try it tomorrow. Also thanks Spookster, it seems that you answered while I was typing my new thrtead ( questions! ) and coz of that I couldn't see it. My biggest problem is that my php version and it's permissions is totally different with what I have on my unix server. I always have lots of problems to synchornize my code with the servers expectations. I'll let you know of what happend and thanx for the help, your help is invaluable.

Well, I tried that and it worked! thanx to you all.

Dear bcarl314
I think now I'm understanding what you say about the dangers of having globals in the program. I can remember that a while ago when I typed yahoo.com in one of the computers of our universities site, the mail box of one of my friends came up! He didn't sign out and I had his mail box right in front of me! Of course that day I couldn't understand what's going on! But just a question : Doesn't a sessions gets killed when we close the explorer window? Or shall we close it programatically?

Dear Spookster
What you said worked and even though I can not pass a variable from a page to another by this way ( I just pass a constant, you could call variable too, that doesn't contain anything, of course we can put something in it later!), but I think you have register globals on on your server, coz you wrote


<?php
session_start();
if(!isset($uid)){
header("Location: index.php");
exit;
}
?>


And if didn't have register globals on in your server, you should have written :

<?php
session_start();
if(!isset($_SESSION("uid"))){
header("Location: index.php");
exit;
}
?>


Am I right?

Ok, in the end I just wana say that in my case I had to use session_register("username") first to register my session and then $HTTP_SESSION_VARS["username"] = "my user name" to bind it to a value. And now I could retrieve it in the next page by $HTTP_SESSION_VARS["username"] ( the safest way), or if the register globals were on, by $username. I just thought that it's better be here as a kind of conclusion.

Thanx for your help & support

Originally posted by ConfusedOfLife

Dear Spookster
What you said worked and even though I can not pass a variable from a page to another by this way ( I just pass a constant, you could call variable too, that doesn't contain anything, of course we can put something in it later!), but I think you have register globals on on your server, coz you wrote



You're absolutely right. I'm glad you pointed that out. My host turned them back on after a buch of people complained and I keep forgetting about that. I normally code everything else as if globals were off and forgot about sessions.