...

View Full Version : Resolved problem with sessions



mike182uk
02-27-2010, 02:31 PM
hi there i have a problem with php sessions. I am coming from an asp background, and i was understanding that sessions worked the same.



<?php
if($_GET["action"] == "login"){

if($_POST["username"] == $username && $_POST["password"] == $password){
$_SESSION["loggedin"] = 1;
}
else {
$_SESSION["formError"] = 1;
}

header("location: login.php");
}

?>
<form name="login" action="?action=login" method="post">
<label for="username">Username:</label>
<input type="text" name="username" id="username"/>
<label for="password">Password:</label>
<input type="password" name="password" id="password"/>
<input type="submit" value="Login" id="submit" />
</form>
<?php
if($_SESSION["formError"] == 1){
echo "<p id='login-error'>ERROR.</p>";
unset($_SESSION['formError']);
}
?>



so on the intial run of the page $_SESSION["formError"] is not set at all.

when the user submits the login form, and the details are incorrect, $_SESSION["formError"] should be set to 1

if $_SESSION["formError"] is set to 1 the error should show.

if $_SESSION["formError"] is set to 1 then $_SESSION["formError"] is unset, so if the page is refreshed, $_SESSION["formError"] should not be set.

but for some reason the session does not get set at all even if there is an error. is there a reason for this? this is how i would of done it in asp.

masterofollies
02-27-2010, 02:57 PM
Here is one version of using a session.


$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'" or die(mysql_error());
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
$user = mysql_fetch_assoc($result);
$_SESSION['user_id'] = $user['id'];
header("location:admin.php");
}
else {
echo "Wrong Username or Password<br><br>Return to <a href=\"login.html\">login</a>";
}

MattF
02-27-2010, 02:59 PM
Are you calling session_start()?

mike182uk
02-27-2010, 03:05 PM
hi there thanks for the quick reply.

yes i am using session_start().

i am posting to the same page to check login credentials. the user posts to login.php?action=login, if there is a problem they are redirected back to login.php where the session var should now be set and the error message should show. immediately after ,the session var should be cleared, so if the user refreshes the page they dont get the error again.

MattF
02-27-2010, 03:11 PM
You're setting error, and not formError.



$_SESSION["error"] = 1;


should be:



$_SESSION["formError"] = 1;


if I've understood you correctly?

mike182uk
02-27-2010, 03:14 PM
<?php
if($_SESSION["formError"] == 1){
echo "<p id='login-error'>ERROR.</p>";
unset($_SESSION['formError']);
}
?>


it is formError i am trying to set and clear

sorry it was a mistake in my original post, i have amended it now

MattF
02-27-2010, 03:25 PM
This version should check the username and password when submitted and redirect to the index page if successful, and if unsuccessful continue onto the form and display the error message.



<?php

if ($_GET["action"] == "login")
{
if ((isset($_POST["username"]) && trim($_POST["username"]) == $username) && (isset($_POST["password"]) && trim($_POST["password"]) == $password))
{
if (isset($_SESSION['formError']))
{
unset($_SESSION['formError']);
}
$_SESSION["loggedin"] = 1;
header("location: index.php");
exit(0);
}
else
{
$_SESSION["formError"] = 1;
}
}

?>
<form name="login" action="?action=login" method="post">
<label for="username">Username:</label>
<input type="text" name="username" id="username"/>
<label for="password">Password:</label>
<input type="password" name="password" id="password"/>
<input type="submit" value="Login" id="submit" />
</form>
<?php

if ($_SESSION["formError"] == 1)
{
echo "<p id='login-error'>ERROR.</p>";
unset($_SESSION['formError']);
}

?>

mike182uk
02-27-2010, 03:38 PM
i see what you have done there, but what i am trying to achieve is keeping the page url: login.php and not login.php?action=login.

so on first run

login.php

user submits form

login.php?action=login

if users data is incorrect

$_SESSION['formError'] = 1
redirect back to login.php

user redirected

login.php
because $_SESSION['formError'] == 1, show error
unset($_SESSION['formError'])

if user refreshes page now (login.php)

because we unset($_SESSION['formError']) error should not show.



the problem im getting is if i put the unset in, i never get the error to show (this is the part i dont get).

if i take the unset out, once i get the error, if i refresh i still get the error (which is what i would expect as it is in the session).



i no theres no point in me doing this or what not, i just want to understand why i cant do this. i thought scripts where read from top to bottom. in this case the show error comes before the clear error. so why is the error not showing at all?

MattF
02-27-2010, 03:41 PM
Mind's running a bit slow today. Can't quite seem to grasp your method. When you're using the header to redirect in your original incarnation, the script continues to execute even though the user has been redirected. Add an exit() call after the header() and see if that sorts it.

mike182uk
02-27-2010, 03:49 PM
thats the kiddy right there.

i didnt realise even though i had said redirect the page that it still executed the rest of the page. in asp, when you do a redirect, it stops execution of the rest of the page. I was under the impression php did the same.

so yeh exit(0); worked a treat!

thanks for your help

MattF
02-27-2010, 05:21 PM
thats the kiddy right there.

i didnt realise even though i had said redirect the page that it still executed the rest of the page. in asp, when you do a redirect, it stops execution of the rest of the page. I was under the impression php did the same.

so yeh exit(0); worked a treat!

thanks for your help

You're welcome. :) You're not the first to get caught out by the fact that a header redirect doesn't kill further script processing.

It's worthwhile just making a little redirect function which incorporates header and exit and then call that to redirect instead of a bare header call. It'll save you grief from forgetting to include an exit call at some point in the future. Something like the following is all that's needed:



function redirect($uri)
{
header('Location: '.$uri);
exit(0);
}



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum