Old 09-05-2009, 09:54 PM   PM User | #1
thebigkrumm
PHP login with session variables

I have a login script that uses session variables across the site to make sure a user is logged in on every page; the script works perfectly in firefox, but I run into problems in IE - it's as if IE doesn't store my session variables at all.

I think I've traced the issue to a security setting in IE (I can force IE to store session variables, and then it will work) but I don't want my users to have to change a setting in IE security in order to login.

Does anybody have a solution or a workaround for this? Is there a better way to have a 'members' section than with session variables?
Old 09-05-2009, 10:17 PM   PM User | #2
SKDevelopment
This is very strange ... I often use sessions in login scripts and have never had such a problem. Could you post some of your code? Perhaps a simplified version which works for you in FF, but not in IE?
__________________
PHP Programmer
Old 09-05-2009, 10:28 PM   PM User | #3
CFMaBiSmAd
If cookies or specifically session cookies were disabled in your IE settings, it is likely the result of something you changed in your settings at some point in the past and would not be the case for the majority of the visitors to your site. Someone that is using FF or any other browser could have just as easily changed their cookie settings so that sessions would not work when they visit your site.
__________________
If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
Old 09-06-2009, 04:31 AM   PM User | #4
thebigkrumm
It's very simple code - I'll leave out a bunch of the details, and just get to the relevant stuff.

Login.php:

Code:
<?php
session_start();
if(isset($_SESSION['user'])){
header('Location: ./index.php');
}
// Flash message left by loginexec.php; stays empty when there is nothing to show.
$incorrectLogin = "";
if(!empty($_SESSION['info'])){
$info = $_SESSION['info'];
$incorrectLogin = "<tr><td colspan='3'><div class='information'>$info</div><p></td></tr>";
$_SESSION['info'] = "";
}

?>

<form method="post" action="loginexec.php">
<table width="258" border="0" align="center">
  <?php echo "$incorrectLogin"; ?>
  <tr>
    <td width="110">Username:</td>
    <td width="144"><input type="text" name="username" /></td>
  </tr>
  <tr>
    <td>Password:</td>
    <td><input type="password" name="password" /></td>
  </tr>
  <tr>
    <td colspan="3"><div align="center">
      <input type="submit" name="Submit" value="Submit" />
    </div></td>
  </tr>
</table>
</form>

loginexec.php:

Code:
<?php
// The session is started once here; the repeated session_start() calls are not needed.
session_start();
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];

$x = 0;
// Escape the user-supplied value before it goes into the SQL string.
$result = mysql_query("SELECT * FROM footballUsers WHERE username='" . mysql_real_escape_string($username) . "'");
$rows = mysql_num_rows($result);
if($rows != 0)
{
while($row = mysql_fetch_array($result))
	{
		if($row['password'] == $password)
		{
			$_SESSION['info'] = "";
			$_SESSION['user'] = $row['username'];
		}
		else{
			$_SESSION['info'] = "Incorrect Username and/or Password.";
			header('Location: ./login.php');
		}
	}

}
else{
		// No row for this username.
		$_SESSION['info'] = "Incorrect Username and/or Password.";
		header('Location: ./login.php');
}
?>
Old 09-06-2009, 04:34 AM   PM User | #5
thebigkrumm
Quote:
Originally Posted by CFMaBiSmAd
If cookies or specifically session cookies were disabled in your IE settings, it is likely the result of something you changed in your settings at some point in the past and would not be the case for the majority of the visitors to your site. Someone that is using FF or any other browser could have just as easily changed their cookie settings so that sessions would not work when they visit your site.
I can't imagine why IE would have them off as default, especially with how useful they are. I've had the problem on several different machines; I think IE may turn them off automatically at a certain security-level. Regardless, I'm able to use those machines on other sites that seem to also use session variables or some other sort of cookie.

It's weird, and with the security function disabled, everything seems to work just fine - I'm just wondering if I'm doing something simple wrong. I'm 100% google-schooled
Old 09-06-2009, 09:56 AM   PM User | #6
SKDevelopment
I think CFMaBiSmAd is right ... If a browser for some reason does not support session cookies and the session trans-sid feature is off (it is considered unsafe and is off by default in all recent PHP releases), then a browser with session cookies turned off will not work with sessions. Just in case: using cookies only for a session, or enabling trans-sid (transferring the session ID via the URL, which is considered unsafe), is controlled by the following options in php.ini:
session.use_trans_sid
session.use_cookies
session.use_only_cookies

I will not go into detail here about why turning the session trans-sid feature on is considered unsafe ... It would probably be slightly off-topic. Still, I would provide the explanation if you asked me, of course ... I would be glad to answer any of your questions about sessions that I can ...

In your case I would give the following notes, which I think you could try ...

1. You are using
PHP Code:
header('Location: ./index.php'); 
for redirects. Please notice that while relative URLs were considered fine in HTTP 1.0, HTTP 1.1 requires the use of absolute URLs in redirects, as far as I know. I would advise using absolute, not relative, URLs in your Location headers.

2. Please use the function session_write_close() right before sending your Location header. Without it, session data is sometimes lost on redirect.

3. This would not affect the functionality greatly, but I would still recommend exiting the script after the redirect. Headers like Location are generally a recommendation for the browser to redirect. If you do not exit your script, the page content is normally sent to the web client (in our case the browser) anyway. Generally the user does not see this, but in some particular cases it could be abused by a hacker ...

Generally, all 3 of the above look like this:
PHP Code:
session_write_close();
header('Location: http://my_full_site_url/index.php');
exit; 
... This is slightly off-topic, but still: I do not see in your script whether you redirect after a successful login anywhere ... Still, after a successful login (after you have finished debugging the script) I would generally recommend using session_regenerate_id() as protection against Session Fixation attacks. Please ask more questions if you find this particular comment unclear - I am not going into detail here, since session_regenerate_id() in particular would not affect the situation with IE - this is only a general security note.
__________________
PHP Programmer

Last edited by SKDevelopment; 09-06-2009 at 10:04 AM..
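The recommendations in post #6, put together in one login handler. This is an added example, not code posted by anyone in the thread. It assumes PDO with a hypothetical DSN and credentials, passwords stored with password_hash() (the posted script compares plain text), and a placeholder BASE_URL.

```php
<?php
// Added example. Assumptions: hypothetical DSN/credentials, password column
// holding password_hash() output, BASE_URL as a placeholder site URL.
const BASE_URL = 'https://example.com';

// Keep the session ID in a cookie only, never in the URL (no trans-sid).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_start();

// Save the session, send an absolute Location header, then stop the script
// so nothing after the redirect is sent to the client.
function redirect(string $path): void
{
    session_write_close();
    header('Location: ' . BASE_URL . $path);
    exit;
}

function fail(): void
{
    $_SESSION['info'] = 'Incorrect Username and/or Password.';
    redirect('/login.php');
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    redirect('/login.php');
}
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if (!is_string($username) || !is_string($password)) {
    fail(); // e.g. username[]=x arrives as an array
}

$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// Bound parameter: the username never becomes part of the SQL text.
$stmt = $pdo->prepare('SELECT username, password FROM footballUsers WHERE username = ?');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false || !password_verify($password, $row['password'])) {
    fail();
}
// New session ID at login, old one deleted: an ID planted before login
// (session fixation) is useless afterwards.
session_regenerate_id(true);
$_SESSION['info'] = '';
$_SESSION['user'] = $row['username'];
redirect('/index.php');
```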
Old 11-12-2009, 11:24 PM   PM User | #7
millsy001
I had a similar problem where I'd switched to a new computer and suddenly the session variables were all being lost. Then I read CFMaBiSmAd's post and realised I hadn't bothered looking in the Apache error log.

Lo and behold, it told me the path for storing the session cookies in did not exist. What I'd done was create the folder relative to my website (htdocs) instead of at the root of the drive.

A great big Homer Simpson moment for me. D'oh!!!!!
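A diagnostic page for the two server-side causes raised in this thread: the php.ini session options listed in post #6 and the missing session save path from post #7. This is an added example, not code from the thread; the 'probe' session key is a name chosen here. Run it on a development host and remove it afterwards, since it prints a server path.

```php
<?php
// Added example. Returns a list of problems with the server-side session
// setup; an empty list means none of these checks failed.
function session_config_problems(): array
{
    $problems = [];

    if (!filter_var(ini_get('session.use_cookies'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'session.use_cookies is off: no session cookie is sent';
    }
    if (!filter_var(ini_get('session.use_only_cookies'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'session.use_only_cookies is off: session IDs in URLs are accepted';
    }
    if (filter_var(ini_get('session.use_trans_sid'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'session.use_trans_sid is on: the session ID is put into URLs';
    }

    if (ini_get('session.save_handler') === 'files') {
        // save_path may be "N;/path" or "N;MODE;/path"; the directory comes last.
        $parts = explode(';', (string) ini_get('session.save_path'));
        $dir = trim(end($parts));
        if ($dir === '') {
            $dir = sys_get_temp_dir(); // PHP falls back to the temp directory
        }
        if (!is_dir($dir)) {
            $problems[] = "session.save_path does not exist: $dir";
        } elseif (!is_writable($dir)) {
            $problems[] = "session.save_path is not writable by PHP: $dir";
        }
    }
    return $problems;
}

// Round-trip check: the first request sets a marker, a reload must see it.
session_start();
$roundTrip = isset($_SESSION['probe'])
    ? 'session data survived the reload'
    : 'first visit (or data lost): reload once';
$_SESSION['probe'] = time();

header('Content-Type: text/plain');
echo $roundTrip, "\n";
foreach (session_config_problems() as $p) {
    echo "PROBLEM: $p\n";
}
```

If the reload line never changes and no problem is listed, the browser is not returning the session cookie, which points at the client-side cookie settings discussed earlier in the thread.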