Hi there, I have one of my website users complaining that they can not log into the webite. I use sessions to store user login information.

They do manage to log in for a moment as they get redirected to the "you are now logged in" page but this page. However this page scans to check if they are still logged in and gives an error saying that they are not.

It seems that the login page accepts the password and sets the session ok but will not pass it to the next page. I believe that turning cookies off would not stop session variables because of the automatic PHPSESSVARS variable. Has anyone encountered another possible browser setting that is causing these problems?

Thanks a lot.

apart from cookies the only way to pass a session id is throught a query string no? i think PHPSESSIONVARS hasnt got anything to do with the session handeling, more the data contained in it. im prety shakey when it coems to sessions though

Sounds like a problem with your coding. Can't really help you if we don't see any coding.

I thought I read that turning cookies off WILL indeed mess up using sessions.

This is from 'Visual Quickstart Pro: PHP and MySQL':

One of the problems with sessions is that, by default, they rely on the use of a cookie to work properly. When a session is started, it sends a cookie that resides in the user's Web browser. Every subsequent page that calls session_start() makes use of the cookie, which contains the sesion name and ID... The problem is that users may have cookies turned off in their Web browswer or may not accept the cookie because they do not understand its purpose. If this is the case, PHP will create a new session for each page and none of the registered variables will be accessible.

Basically it goes on to say that you must pass the session name from page to page using the SID constant. ie. session_name=session_ID... basically using a query string I believe.

I guess the easier solution is to post that cookies must be turned on if a user wants to log in and register.

Originally posted by loomer
I thought I read that turning cookies off WILL indeed mess up using sessions.

This is from 'Visual Quickstart Pro: PHP and MySQL':

One of the problems with sessions is that, by default, they rely on the use of a cookie to work properly. When a session is started, it sends a cookie that resides in the user's Web browser. Every subsequent page that calls session_start() makes use of the cookie, which contains the sesion name and ID... The problem is that users may have cookies turned off in their Web browswer or may not accept the cookie because they do not understand its purpose. If this is the case, PHP will create a new session for each page and none of the registered variables will be accessible.

Basically it goes on to say that you must pass the session name from page to page using the SID constant. ie. session_name=session_ID... basically using a query string I believe.

I guess the easier solution is to post that cookies must be turned on if a user wants to log in and register.

that is not correct

quote from php.net



Passing the Session ID
There are two methods to propagate a session id:


Cookies

URL parameter


The session module supports both methods. Cookies are optimal, but because they are not always available, we also provide an alternative way. The second method embeds the session id directly into URLs.

PHP is capable of transforming links transparently. Unless you are using PHP 4.2 or later, you need to enable it manually when building PHP. Under UNIX, pass --enable-trans-sid to configure. If this build option and the run-time option session.use_trans_sid are enabled, relative URIs will be changed to contain the session id automatically.

Note: The arg_separator.output php.ini directive allows to customize the argument seperator. For full XHTML conformance, specify & there.


Alternatively, you can use the constant SID which is always defined. If the client did not send an appropriate session cookie, it has the form session_name=session_id. Otherwise, it expands to an empty string. Thus, you can embed it unconditionally into URLs.




always a good idea to consult the php manual before relying on what someone says in a book. books are sometimes outdated or just inaccurate.

Actually I'm glad sessions don't rely on cookies to to work!:)

I was a little shocked when i read this the other day because I hadn't really come across that before. The book is from 2003 and is fairly recent but I guess the author got his facts wrong.

You're right about the PHP manual though.

Thanks for clearing things up Spookster.

does that mean, for example, that id have to put ?SID or PHPSESSID or whatver at the end of my urls to proagate the session name? :s

No, in this case the URLs in HTML links will be slightly altered automatically by PHP, so that they will contain the session id in the query string.
Note however that this behaviour does not replace all possible URLs, for example those which are built dynamically in a client-side script. In this case, you actually need to echo the session_name() + session_id().