  1. #1
    New to the CF scene
    Join Date
    Jul 2009
    Posts
    8
    Thanks
    2
    Thanked 0 Times in 0 Posts

    PHP login with session variables

    I have a login script that uses session variables across the site to make sure a user is logged in on every page; the script works perfectly in Firefox, but I run into problems in IE - it's as if IE doesn't store my session variables at all.

    I think I've traced the issue to a security setting in IE (I can force IE to store session variables, and then it will work) but I don't want my users to have to change a setting in IE security in order to login.

    Does anybody have a solution or a workaround for this? Is there a better way to have a 'members' section than with session variables?

  • #2
    Regular Coder
    Join Date
    Mar 2006
    Posts
    238
    Thanks
    3
    Thanked 37 Times in 37 Posts
    This is very strange ... I often use sessions in log in scripts and never had such a problem. Could you post some of your code ? Probably some simplified version which works for you in FF, but not in IE ?

  • #3
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,027
    Thanks
    2
    Thanked 315 Times in 307 Posts
    If cookies or specifically session cookies were disabled in your IE settings, it is likely the result of something you changed in your settings at some point in the past and would not be the case for the majority of the visitors to your site. Someone that is using FF or any other browser could have just as easily changed their cookie settings so that sessions would not work when they visit your site.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #4
    New to the CF scene
    Join Date
    Jul 2009
    Posts
    8
    Thanks
    2
    Thanked 0 Times in 0 Posts
    it's very simple code - I'll leave out a bunch of the details, and just get to the relevant stuff.

    Login.php:

    Code:
    <?
    session_start();
    if(isset($_SESSION['user'])){
    header('Location: ./index.php');
    }
    if(!empty($_SESSION['info'])){
    $info = $_SESSION['info'];
    $incorrectLogin = "<tr><td colspan='3'><div class='information'>$info</div><p></td></tr>";
    $_SESSION['info'] = "";
    }
    
    ?>
    
    <form method="post" action="loginexec.php">
    <table width="258" border="0" align="center">
      <? echo "$incorrectLogin"; ?>
      <tr>
        <td width="110">Username:</td>
        <td width="144"><input type="text" name="username" /></td>
      </tr>
      <tr>
        <td>Password:</td>
           <td><input type="password" name="password" /></td>
      </tr>
      <tr>
        <td colspan="3"><div align="center">
          <input type="submit" name="Submit" value="Submit" />
        </div></td>
      </tr>
    </table>
    </form>

    loginexec.php:

    Code:
    <?
    session_start();
    $username = $_REQUEST['username'];
    $password = $_REQUEST['password'];
    
    $x = 0;
    $result = mysql_query("SELECT * FROM footballUsers WHERE username='$username'");
    $rows = mysql_num_rows($result);
    if($rows != 0)
    {
    while($row = mysql_fetch_array($result))
    	{
    		if($row['password'] == $password)
    		{
    			session_start();
    			$_SESSION['info'] = "";
    			$_SESSION['user'] = $row['username'];
    		}
    		else{
    			session_start();
    			$_SESSION['info'] = "Incorrect Username and/or Password.";
    			header('Location: ./login.php');
    		}
     	}
    
    }
    else{
    		session_start();
    		$_SESSION['info'] = "Incorrect Username and/or Password.";
    		header('Location: ./login.php');
    }
    ?>

  • #5
    New to the CF scene
    Join Date
    Jul 2009
    Posts
    8
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Quote, originally posted by CFMaBiSmAd:
    If cookies or specifically session cookies were disabled in your IE settings, it is likely the result of something you changed in your settings at some point in the past and would not be the case for the majority of the visitors to your site. Someone that is using FF or any other browser could have just as easily changed their cookie settings so that sessions would not work when they visit your site.
    I can't imagine why IE would have them off as default, especially with how useful they are. I've had the problem on several different machines; I think IE may turn them off automatically at a certain security-level. Regardless, I'm able to use those machines on other sites that seem to also use session variables or some other sort of cookie.

    It's weird, and with the security function disabled, everything seems to work just fine - I'm just wondering if I'm doing something simple wrong. I'm 100% google-schooled

  • #6
    Regular Coder
    Join Date
    Mar 2006
    Posts
    238
    Thanks
    3
    Thanked 37 Times in 37 Posts
    I think CFMaBiSmAd is right ... If a browser for some reason does not support session cookies and session trans-sid feature is off (which is considered not safe and in all recent PHP releases is off by default), it would be that the browser with session cookies turned off would not work with sessions. Just in case: using cookies only for a session or enabling trans-sid (transferring session ID via URL which is considered not safe) is controlled by the following options in php.ini:
    session.use_trans_sid
    session.use_cookies
    session.use_only_cookies

    I do not go into detail why turning session trans-sid feature on is considered not safe here ... Probably it would be a slightly off-topic. Still I would provide the explanation if you asked me of course ... I would be glad to answer any your questions about sessions I could ...

    In your case I would give the following notes which I think could be tried by you ...

    1. You are using
    PHP Code:
    header('Location: ./index.php'); 
    for redirects. Please notice that while relative URL's have been considered fine in HTTP 1.0, HTTP 1.1 requires to use absolute URL's in redirects as far as I know. I would advise to use absolute, not relative, URL's in your Location headers.

    2. Please use the function session_write_close() right before sending your location header. Without it session data is sometimes lost on redirect.

    3. This would not affect the functionality greatly, still I would recommend to exit the script after the redirect. Headers like Location are generally a recommendation for the browser to redirect. If you do not exit your script, the page content is normally sent to the web-client (in our case browser) anyway. Generally the user does not see this, but in some particular cases it could be abused by a hacker ...

    Generally all 3 above look like this:
    PHP Code:
    session_write_close();
    header('Location: http://my_full_site_url/index.php');
    exit; 
    ... This is slightly off-topic, but still: I do not see in your script if you redirect after successful login anywhere ... Still after successful login (after you have finished script debugging) I would generally recommend to use session_regenerate_id() as protection against Session Fixation attacks. Please ask more questions if you consider this particular comment unclear - I do not go into detail here now since particularly session_regenerate_id() would not affect the situation with IE - this is only a general security note.
    Last edited by SKDevelopment; 09-06-2009 at 10:04 AM.

  • Users who have thanked SKDevelopment for this post:

    thebigkrumm (09-06-2009)
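
The three notes in post #6, together with its session_regenerate_id() advice and the cookie-only session settings it lists, combined into one login handler and a per-page check. This is an added example, not code from any poster in the thread; BASE_URL reuses the placeholder from the post, and the PDO handle, the password_hash column (verified with password_verify()) and the function names are assumptions.

```php
<?php
// Added example, not the thread's code. Assumptions: BASE_URL placeholder,
// a PDO handle, and a password_hash column created with password_hash().
const BASE_URL = 'http://my_full_site_url';

// Cookie-only sessions: the session ID is never read from or written to URLs.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

function redirect_and_stop(string $path): void
{
    session_write_close();                        // note 2: save session data first
    header('Location: ' . BASE_URL . $path, true, 302);  // note 1: absolute URL
    exit;                                         // note 3: send no page body
}

// Call at the top of every members-only page.
function require_login(): string
{
    session_start();
    if (empty($_SESSION['user'])) {
        redirect_and_stop('/login.php');
    }
    return $_SESSION['user'];
}

// Body of loginexec.php: handle_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
function handle_login(PDO $db, string $username, string $password): void
{
    session_start();
    // Bound parameter instead of building the query from request data.
    $stmt = $db->prepare(
        'SELECT username, password_hash FROM footballUsers WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row !== false && password_verify($password, $row['password_hash'])) {
        session_regenerate_id(true);   // fresh ID once authenticated (session fixation)
        $_SESSION['user'] = $row['username'];
        $_SESSION['info'] = '';
        redirect_and_stop('/index.php');
    }
    $_SESSION['info'] = 'Incorrect Username and/or Password.';
    redirect_and_stop('/login.php');
}
```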

  • #7
    New to the CF scene
    Join Date
    Nov 2009
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I had a similar problem where I'd switched to a new computer and suddenly the sessions variables were all being lost. Then I read CFMaBiSmAd's post and realised I hadn't bothered looking in the Apache error log.

    Lo and behold, it told me the path for storing the sessions cookies in did not exist. What I'd done was create the folder relative to my website (htdocs) instead of at the root of the drive.

    A great big Homer Simpson moment for me. D'oh!!!!!

